HIPAA has required an incident response plan since 2005. It has never explicitly required you to test one, not in a way anyone actually enforced. That is changing. The proposed 2026 Security Rule update eliminates the "addressable" classification for IR plan testing. Annual testing becomes mandatory. No exceptions, no "we documented why we didn't" workaround.
Most healthcare orgs have an IR plan somewhere in a shared drive. Few have exercised it. That gap is about to become a finding.
What the rule actually requires
The current HIPAA Security Rule has two relevant sections:
164.308(a)(6)(ii) — Response and Reporting. Implement policies and procedures for responding to suspected or known security incidents, mitigating harmful effects, and documenting outcomes. This is “required” under the current rule. No ambiguity.
164.308(a)(7)(ii)(D) — Testing and Revision Procedures. Implement procedures for periodic testing and revision of contingency plans. Note where this sits: under the Contingency Plan standard, 164.308(a)(7), not under Security Incident Procedures. The current rule has no implementation specification for testing incident response procedures at all, and the closest thing, contingency plan testing, has been classified as "addressable" since the rule was written. That combination is why most organizations never test their IR plans, or at least never face consequences for skipping it.
The 2026 proposed rule changes this in three ways:
- All safeguards become mandatory. The addressable/required distinction is gone. Testing your IR plan is no longer something you can document your way out of.
- Annual testing is explicit. Written procedures for testing and revising the IR plan, with effectiveness reviews at least every 12 months.
- 72-hour restoration. Covered entities must demonstrate the ability to restore critical systems within 72 hours of an incident. Not plan to — demonstrate.
The final rule is expected in mid-2026, with a 240-day compliance window after publication (60 days to the effective date, then 180 days to comply). If you haven't tested your IR plan before, the clock starts soon.
What “addressable” meant and why it’s gone
“Addressable” never meant optional. Under the current rule, it meant: implement the safeguard, or document why it’s not reasonable and appropriate for your environment and implement an equivalent alternative.
In practice, most organizations treated “addressable” as “skip it and hope nobody asks.” OCR noticed. Enforcement actions repeatedly cite missing or inadequate IR plan testing, even under the current rule. The 2026 update removes the ambiguity entirely. If it’s in the rule, you implement it. Full stop.
For organizations that have been testing their IR plans all along, nothing changes. For the rest — which is most of them — this is the part of the rule that requires the most net-new work.
What OCR auditors look for in HIPAA incident response testing
There’s a gap between what the rule says and what auditors actually scrutinize. Here’s the real list:
Evidence that you tested the plan, not just that the plan exists. An IR plan in a SharePoint site that nobody’s opened since onboarding is not evidence of testing. Auditors want to see artifacts from a specific exercise — dated, documented, with findings.
The documentation. This looks similar to what SOC 2 auditors expect:
- Who participated. Names and roles, not “the IT team.” Auditors want cross-functional presence — IT security, privacy officer, legal, clinical leadership. If your exercise was just the security team, that’s a gap.
- What you simulated. The scenario — and it needs to involve ePHI. A generic “server went down” disaster recovery walkthrough doesn’t test your incident response plan. It tests your DR plan. Those are different documents.
- What your team decided. Specific choices at each decision point, not a summary. “We decided to isolate the affected EHR module before notifying the privacy officer because we believed active exfiltration was ongoing” is evidence. “We discussed containment” is a meeting note.
- What you found. After-action findings — gaps, confusion about roles, procedures that didn’t match reality, notification timelines that nobody knew.
- What you fixed. Remediation evidence. Updated procedures, corrected contact lists, new monitoring rules. The closed loop.
ePHI-specific scenarios. The exercise must test your response to incidents involving electronic protected health information. Ransomware targeting your EHR. A business associate data exfiltration. Insider access to patient records. Phishing that leads to PHI exposure. If the scenario doesn’t involve ePHI, it doesn’t test your HIPAA incident response plan.
Breach notification procedures. Your exercise should walk through the notification requirements in 45 CFR 164.400-414: individual notification to affected patients without unreasonable delay and no later than 60 days after discovery; HHS notification, which is contemporaneous with individual notice when 500 or more individuals are affected and otherwise logged and submitted within 60 days after the end of the calendar year; and media notification when more than 500 residents of a single state or jurisdiction are affected. Auditors check whether your team knows these timelines and can execute on them, not just that the timelines exist in a policy document.
Common findings that fail assessment
Same patterns, across healthcare orgs of every size:
No testing at all. The plan exists. It’s never been exercised. This is the most common finding and the easiest to avoid. Under the 2026 rule, this moves from “likely finding” to “guaranteed finding.”
Exercises that are really just meetings. The team gathered, someone described a scenario in two sentences, everyone agreed they’d “follow the plan,” and someone checked their phone while the facilitator wrapped up early. No decision points. No pressure. No findings. If the exercise didn’t surface at least one gap, it wasn’t rigorous enough — or nobody was willing to say the uncomfortable thing out loud.
IT-only participation. An exercise run entirely by the security or IT team, without the privacy officer, legal, clinical leadership, or communications. Real incidents involve all of these people. An exercise that doesn’t is testing a subset of the plan and hoping the rest works.
Generic disaster recovery scenarios. The exercise simulated a power outage or server failure — not an incident involving ePHI. This tests your continuity plan, not your incident response plan. For PCI DSS the same principle applies — the scenario must match the regulatory scope.
No remediation follow-through. The exercise found that the privacy officer’s emergency contact was wrong, that nobody knew the HHS breach reporting portal URL, and that the BA notification clause in your largest vendor contract was ambiguous. Six months later, nothing changed. Auditors see an exercise that found problems and an organization that ignored them.
Running an exercise that satisfies HIPAA
Pick a scenario involving ePHI
Your exercise needs to simulate an incident that triggers your HIPAA incident response plan — not your general IT runbook. Good scenarios for healthcare orgs:
- Ransomware targeting the EHR system with potential ePHI encryption and exfiltration
- Business associate reports unauthorized access to a shared patient dataset
- Insider accesses patient records outside their treatment scope — and has been doing it for months
- Phishing campaign compromises credentials with access to the patient portal
Make it relevant to your actual environment. An exercise scenario built around systems you don’t use doesn’t test anything meaningful.
Get the right people in the room
At minimum: IT security, privacy officer, legal/compliance, clinical leadership, and communications. For scenarios involving business associates, include your vendor management lead. For scenarios affecting clinical operations, include department heads who’d feel the operational impact.
Run at least one exercise where the privacy officer is “unavailable.” What happens when the person who knows the breach notification rules is on a cruise with no cell service and the IR lead has to make the notification call? That’s not a hypothetical — it’s a Tuesday.
Test the 72-hour restoration requirement
The 2026 rule requires demonstrating the ability to restore critical systems within 72 hours. Your exercise should include a point where the team assesses: if this were real, could we actually restore EHR access in 72 hours? What dependencies would block us? What’s our manual fallback for clinical operations in the meantime?
This is the requirement that will catch the most organizations off guard. Saying “we have backups” is not the same as demonstrating you can restore from them under pressure within a specific window.
Test breach notification procedures
Walk through the notification decision tree during the exercise. When does the 60-day clock start? (It runs from the date the breach is discovered, or by reasonable diligence should have been discovered, not from the date the investigation wraps up.) Does a breach affecting fewer than 500 individuals go to HHS now or in the annual log? Who submits the report? What triggers individual patient notification? At what threshold, and in which states, do you notify media? Who drafts the patient notification letter?
Most teams know these requirements exist in policy. Few can execute them without pulling up the document mid-exercise and scanning for the answer. That’s fine — that’s what exercises are for. But if your team discovers during the exercise that nobody has actually bookmarked the HHS breach portal, or that the patient notification letter template references a VP of Communications who left eight months ago, that’s the kind of finding that justifies the entire exercise.
Document decisions, not attendance
At each decision point: What did the team know? What were the options? What did they choose? Why? What happened next? This is what separates an exercise artifact from a calendar invite.
The documentation checklist
Here’s what a clean exercise artifact looks like — the kind an auditor reviews without follow-up questions:
| Element | Why it matters for HIPAA |
|---|---|
| Exercise date and duration | Proves testing happened within the compliance period |
| Participant names and roles | Proves cross-functional involvement (privacy, legal, clinical) |
| Scenario involving ePHI | Proves you tested HIPAA-specific response, not generic DR |
| Decision log with timestamps | Proves meaningful participation, not just attendance |
| Breach notification walkthrough | Proves your team can execute individual, HHS, and media notification within the 60-day outer limit, and knows which HHS path (contemporaneous vs. annual log) applies |
| 72-hour restoration assessment | Proves you’ve evaluated your ability to meet the new restoration requirement |
| After-action findings | Proves the exercise surfaced actionable gaps |
| Remediation status | Proves findings were addressed — the closed loop |
Producing this manually — transcribing facilitator notes, formatting a report, following up with participants for their observations — takes hours. That overhead is a big reason healthcare orgs only test once a year, right at the compliance minimum.
Breachdeck generates this entire evidence package automatically — the timestamped decision log, the breach notification walkthrough, the 72-hour restoration assessment, the after-action findings with remediation tracking. One exercise, one PDF, every row in the table above covered. Run the demo — five minutes, and you’ll see the report OCR is asking for.