BreachBack


The HIPAA 2026 Security Rule update, translated for a 6-person practice.

In December 2024, HHS published a proposed update to the HIPAA Security Rule, the first major rewrite since 2003. It is expected to finalize in 2026. The text runs hundreds of pages and reads like it was written for a hospital system with a compliance department. It was not written only for them. It applies to a six-person dental office the same way it applies to a regional health network. Here is what it actually says, translated.

The one-sentence version

The word “addressable” (the loophole that let small practices treat most safeguards as optional-with-an-explanation) goes away, and in its place come hard requirements with numbers attached: restore critical systems in 72 hours, test backups on a documented schedule, encrypt everything, turn on MFA, and verify your vendors in writing every year.

Change 1: the 72-hour restore requirement

The proposed rule requires written procedures and a tested capability to restore critical systems within 72 hours. Read that carefully. It does not say “have a recovery plan.” It says restore. Demonstrated, not promised. If your backups have never been timed, you do not currently know whether you can meet this requirement, and “we think so” is exactly the answer the rule is designed to eliminate. We keep a full breakdown of the requirement, with the current-versus-proposed comparison table, at /hipaa-2026.

The practical implication: this is an infrastructure requirement wearing a paperwork costume. You cannot write your way to a 72-hour restore. You build it, then you time it.

Change 2: backup testing becomes documented and recurring

Today, backup testing is addressable. Under the proposal it becomes a documented, recurring obligation with recorded results. A test from 2023 will not answer a 2027 audit question. The fix is a calendar, not a binder: scheduled restore drills with dated results, filed where you can find them.

Change 3: MFA and encryption stop being optional

Multi-factor authentication and encryption (at rest and in transit) move from addressable to mandatory. For most small practices this is the cheapest item on the list. Microsoft 365 and Google Workspace include MFA at no extra cost, and most modern EHRs encrypt by default. The work is turning it on everywhere, including the front-desk machine and the billing laptop, and documenting that you did.

Change 4: annual written vendor verification

A signed BAA stops being enough. The proposed rule requires annual written verification that each business associate actually has its safeguards in place. Two consequences follow. If you run a practice, you will need to collect these verifications from your EHR vendor, your billing service, and your IT company. If you are one of those vendors, your clients will start asking you for the letter. The vendor who can attach drill evidence to it wins the renewal.

What’s final and what isn’t

None of this is final yet. The Notice of Proposed Rulemaking was published in December 2024; finalization is widely expected in 2026, with a compliance window of roughly 180 to 240 days after the final rule publishes. Details may change. This article is information, not legal advice.

Here is why waiting for the final text is still the wrong move. First, every requirement in the proposal is already what cyber insurers and OCR enforcement actions reward today. The rule is catching up to existing expectations, not inventing new ones. Second, the 72-hour restore is the long-lead item. Practices that start after publication will be buying emergency infrastructure inside a compliance window, at deadline prices. We track the rule’s status at /hipaa-2026 and update that page as it moves.

“Our EHR is in the cloud, so we’re covered”

Your EHR vendor backs up their system. Your scheduling data, billing exports, scanned documents, email, and the local machines your staff work on every day are yours. The recovery obligation is yours too. In the practice audits we run, the EHR is usually the best-protected system in the building, and everything around it is the exposure.

The 90-day head start plan

  • Days 1–14: Map. List every system, rank it by criticality, and set a target restore time for each tier. One working session with whoever leads the practice.
  • Days 15–45: Harden. Move backups to immutable, object-locked storage with an offsite copy. Turn on MFA everywhere. Confirm encryption at rest and in transit, and write down what you confirmed.
  • Days 46–75: Rehearse. Write the incident response plan: who calls whom, in what order, with what authority. Run one tabletop exercise against a realistic scenario.
  • Days 76–90: Prove. Run a timed restore of your top-tier systems into an isolated environment. Record the number. File the evidence.

Ninety days from now you can have either a stack of intentions or a dated drill result showing 72 hours is a number you have already beaten. The full readiness program, mapped section by section to the proposed rule, is at /hipaa-2026.

See where your practice stands before the rule lands.

The BreachBack HIPAA Readiness Program maps each deliverable to the proposed rule: immutable backups, quarterly drills, signed attestations, vendor verification. Assessments are free for West Michigan practices.