HIPAA's New Response-Time Requirements for Texas Healthcare
The updated HIPAA Security Rule adds strict response-time mandates. Here's how to build capacity for the 1-hour, 24-hour, and 72-hour deadlines.
The HIPAA Security Rule overhaul eliminates every “addressable” safeguard and replaces it with a hard requirement. We’ve covered the full technical requirements, the budgeting checklist, and a 180-day action plan for small practices. This post focuses on a different problem: the three strict response-time mandates that most Texas healthcare SMBs cannot meet today.
The updated rule doesn’t just require new technology controls like MFA and encryption. It imposes specific operational clocks: one hour to revoke a terminated employee’s access to ePHI, 24 hours for a business associate to notify you of a breach, and 72 hours to restore ePHI after an incident. You can purchase encryption software and deploy it in a weekend. Meeting these time-based requirements means building operational capacity that most small practices simply don’t have yet.
One-Hour Access Revocation
When an employee leaves your practice, the updated rule requires that their access to all systems containing ePHI be terminated within one hour. That means within one hour, not by the end of the business day or the end of the employee’s shift.
For most small practices, this is a significant operational gap. Termination procedures typically involve HR scheduling an exit meeting, IT getting notified sometime afterward, and an administrator manually disabling accounts across the EHR, email, cloud storage, billing platform, and physical access systems. That process often takes days. In practices without dedicated IT staff, it can take a week or more.
Meeting the one-hour standard requires three things.
Centralized identity management. If your staff authenticates to five different systems with five different credentials, revoking access means logging into five separate admin consoles. A centralized identity platform like Microsoft Entra ID lets you disable a single account and immediately cut off access to every connected application. Most practices running Microsoft 365 already have the licensing for this but haven’t configured single sign-on across their clinical and administrative systems.
A documented offboarding procedure. The person who terminates an employee needs a clear process for triggering access revocation within that same hour, including outside of normal business hours. That means a written procedure with a defined contact (whether internal IT staff or your managed IT provider), a communication channel that works any time of day, and confirmation steps to verify that every account has been disabled.
After-hours coverage. Employees get terminated on Friday afternoons and resign by text on weekends. If your practice has no IT support outside business hours, you have no mechanism to revoke access during those windows. This is one of the clearest reasons small practices need a managed IT partner with 24/7 coverage rather than a part-time IT contractor who checks email on Monday morning.
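As an added example (not code from the original post), the following PowerShell script shows what a one-hour revocation step looks like once identity is centralized in Microsoft Entra ID: disable the account, invalidate existing sessions, verify the result, and write the elapsed time to a log as audit evidence. It assumes the Microsoft.Graph PowerShell SDK is installed, the operator holds a role that can disable users, and `$Upn`, `$TerminationTime` and `$LogPath` are placeholders filled in by whoever runs it.

```powershell
# Added example (not from the original post): emergency ePHI access revocation
# for one departing user in Microsoft Entra ID, with a log that records when
# the one-hour clock started and when revocation was verified.
# Assumes the Microsoft.Graph PowerShell SDK and a role permitted to disable users.
param(
    [Parameter(Mandatory)] [string]   $Upn,               # e.g. jdoe@practice.example (placeholder)
    [Parameter(Mandatory)] [datetime] $TerminationTime,   # when HR made the decision
    [string] $LogPath = "C:\Offboarding\revocation-log.csv" # placeholder path
)

# User.ReadWrite.All covers both disabling the account and revoking sessions.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. Disable the account so no new sign-ins succeed anywhere SSO is configured.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Invalidate refresh tokens so sessions already open on phones and laptops
#    stop working at the next token refresh instead of hours later.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Verify, rather than assume, that the account is disabled.
$user = Get-MgUser -UserId $Upn -Property Id, AccountEnabled, DisplayName
if ($user.AccountEnabled) {
    throw "Account $Upn is still enabled; escalate immediately."
}

# 4. Record elapsed time against the one-hour requirement as audit evidence.
$verifiedAt    = Get-Date
$elapsed       = $verifiedAt - $TerminationTime
$withinOneHour = $elapsed.TotalMinutes -le 60

[pscustomobject]@{
    UserPrincipalName = $Upn
    TerminationTime   = $TerminationTime.ToString("o")
    VerifiedAt        = $verifiedAt.ToString("o")
    ElapsedMinutes    = [math]::Round($elapsed.TotalMinutes, 1)
    WithinOneHour     = $withinOneHour
    Operator          = (Get-MgContext).Account
} | Export-Csv -Path $LogPath -Append -NoTypeInformation

if (-not $withinOneHour) {
    Write-Warning "Revocation for $Upn completed after the one-hour window; document the cause."
}
```

Systems that are not federated to Entra ID (a legacy EHR with local accounts, a door-access controller) still need their own step in the written procedure; this script only covers what SSO reaches.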
24-Hour Business Associate Breach Notification
Under the updated rule, business associates must notify covered entities within 24 hours of activating their incident response plan due to a security event. The current HIPAA framework requires notification “without unreasonable delay,” which in practice has meant weeks or months. The Conduent breach that exposed data on roughly 4 million Texas residents through Blue Cross Blue Shield of Texas demonstrated exactly why this gap matters. By the time the covered entity learned about the breach, the exposure window had already widened significantly.
This requirement means your Business Associate Agreements need specific contractual language, and your BAs need the actual operational capability to detect, respond to, and report incidents within that window.
Rewrite your BAAs now. Pull every Business Associate Agreement on file. If the agreement uses vague notification language like “promptly” or “within a reasonable timeframe,” it needs to be updated with an explicit 24-hour notification clause, specific contact methods, and defined escalation paths. We detailed the full BAA review process in our compliance checklist earlier this year.
Verify your BAs can actually detect incidents that fast. A contractual obligation is only as strong as the operational capability behind it. If your billing company doesn’t run endpoint detection, doesn’t monitor access logs, and doesn’t have an incident response plan, they will not know they’ve been breached in time to notify you. The updated rule requires annual written verification that your business associates maintain the security controls outlined in their agreements. Request that verification now, before the final rule forces you to.
Build your own BA incident response workflow. When a BA notifies you of a breach, you need a defined process for assessing the impact on your patients, determining whether ePHI was exposed, and triggering your own notification obligations to HHS and affected individuals. Receiving a 24-hour notification doesn’t help if you don’t have a plan for what to do with the information once it arrives.
72-Hour ePHI Restoration
The updated rule requires covered entities to restore access to ePHI within 72 hours of a loss event. A ransomware attack encrypts your EHR server. A fire destroys your on-premises equipment. A cloud provider suffers an extended outage. Whatever the cause, you need patient data accessible again within three days.
Having backups is not the same as being able to restore within 72 hours. Many practices have backup solutions that technically run every night but have never been tested under realistic conditions. A backup that takes five days to restore from doesn’t meet the requirement, even if every byte of data is intact.
Define your recovery time objective for every ePHI system. Your EHR, imaging system, billing platform, email, and document management system each have different restoration priorities and different recovery complexities. Map each system to a recovery timeline and verify that your backup and disaster recovery infrastructure can actually meet those timelines under real conditions.
Test recovery quarterly, not annually. The only way to know your 72-hour target is achievable is to practice hitting it. A real restoration test means recovering your data to a functioning environment and verifying that it’s complete and usable. Run at least one full recovery test per quarter and document the results: restoration time, any failures encountered, and the fixes you implemented afterward. Those records become audit evidence if OCR comes knocking.
Account for your infrastructure dependencies. A cloud-based restoration requires bandwidth. If your practice has a single internet connection and a multi-terabyte EHR database, calculate how long a full download would actually take at your current speeds. Many small practices discover during testing that their restoration time is bottlenecked by network capacity, not backup reliability. Having a secondary connection or a local recovery appliance can make the difference between meeting and missing the 72-hour window.
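As an added example (not from the original post), this PowerShell worksheet turns the RTO mapping, quarterly test data, and bandwidth check above into a single forecast: it schedules systems in priority order, uses the sustained throughput measured in the last recovery test rather than the link's advertised speed, and flags each system that would finish outside the 72-hour window. The system names, sizes, and rates are constructed placeholders.

```powershell
# Added example (not from the original post): estimate whether a sequential
# restore of every ePHI system fits the 72-hour window, using throughput
# measured during a recovery test. All values below are constructed samples.

function Get-RestoreForecast {
    param(
        [Parameter(Mandatory)] [object[]] $Systems,   # restore order = priority order
        [double] $WindowHours = 72
    )
    $clock = 0.0
    foreach ($s in $Systems) {
        # GB -> MB, divided by sustained MB/s observed in the last recovery test.
        $hours  = ($s.SizeGB * 1024) / ($s.ThroughputMBps * 3600)
        # FixedHours: provisioning, integrity checks, application cutover.
        $clock += $hours + $s.FixedHours
        [pscustomobject]@{
            System        = $s.Name
            RestoreHours  = [math]::Round($hours, 1)
            CompletesAtHr = [math]::Round($clock, 1)
            MeetsWindow   = $clock -le $WindowHours
        }
    }
}

# Constructed sample: a practice on a single 100 Mbps connection that measured
# roughly 9 MB/s sustained download from its cloud backup provider.
$systems = @(
    @{ Name = "EHR database";     SizeGB = 2500; ThroughputMBps = 9; FixedHours = 6 }
    @{ Name = "Imaging (PACS)";   SizeGB = 4000; ThroughputMBps = 9; FixedHours = 4 }
    @{ Name = "Billing platform"; SizeGB = 300;  ThroughputMBps = 9; FixedHours = 2 }
    @{ Name = "Email";            SizeGB = 150;  ThroughputMBps = 9; FixedHours = 1 }
)

"Cloud restore over the current connection:"
Get-RestoreForecast -Systems $systems | Format-Table -AutoSize

# Same systems restored from a local recovery appliance (constructed: 110 MB/s).
$fromAppliance = foreach ($s in $systems) { $c = $s.Clone(); $c.ThroughputMBps = 110; $c }
"Restore from a local recovery appliance:"
Get-RestoreForecast -Systems $fromAppliance | Format-Table -AutoSize
```

With the sample numbers the EHR database alone needs about 79 hours over the cloud path, so the practice misses the window before anything else starts; the local-appliance run shows the same data set completing in well under a day.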
OCR Is Not Waiting for the Final Rule
The final rule missed its spring 2026 target and could be published any day. But OCR’s enforcement actions under the current rule are already aggressive. The Risk Analysis Initiative launched in 2024 has produced 11 enforcement actions, with settlements ranging from $40,000 to over $500,000 against organizations as small as solo physician practices. Risk analysis failures remain the number one cited deficiency in OCR investigations.
The practical implication: even if the final rule takes another month or two to publish, OCR can and does penalize practices for missing controls that are already required under the existing rule. If your practice lacks a current risk analysis, documented access controls, or audit logging, you have compliance exposure today, not just when the new rule takes effect.
What to Build Now
You don’t need to wait for the final rule to start building the operational capacity these requirements demand.
- Centralize identity management. Configure single sign-on and automated provisioning across your ePHI-touching systems. This is the foundation for meeting the one-hour access revocation requirement and also simplifies MFA deployment.
- Document your offboarding procedure. Write it down, assign an owner, and test it with a simulated termination to verify the entire process completes within one hour, including after hours.
- Rewrite your BAAs with 24-hour notification clauses. Start with your highest-risk business associates: EHR vendor, billing company, cloud backup provider, and IT provider.
- Request written security verification from every BA. Don’t wait for the mandate. Ask now and document who responds, who pushes back, and who goes silent.
- Test your disaster recovery plan against a 72-hour target. Run a full restoration from backup and time it. If it takes longer than 72 hours, adjust your backup strategy before the compliance deadline arrives.
- Complete a gap assessment against the full updated requirements, including these operational mandates.
A HIPAA-focused managed IT provider handles identity management, offboarding workflows, backup monitoring, DR testing, and incident response coordination as part of ongoing service delivery. These are operational capabilities that require consistent execution, not one-time project implementations that gather dust in a binder.
Need Help With HIPAA Compliance?
Our team can assess your practice's readiness for the updated HIPAA Security Rule and build the operational capacity to meet its response-time requirements.