Is Your Dental Practice Ready for the 2026 HIPAA Security Rule Overhaul? Here’s What’s Changing

Every time HIPAA has updated something over the past decade, most dental offices have handled it the same way. Maybe a quick policy printout gets added to the binder in the back office. A staff training checkbox gets ticked. The compliance folder gets dusted off and put back on the shelf.

And honestly? That approach sort of worked before. Because most past updates were clarifications. Tweaks. Incremental.

This one is not.

The 2026 HIPAA Security Rule overhaul, formally proposed by the HHS Office for Civil Rights (OCR) in January 2025, is the most significant rewrite of the Security Rule since it was first written in 2003.[1]

Despite sharp criticisms and significant industry pushback, OCR has kept the rule's finalization on its official regulatory agenda for May 2026.[2] It's moving forward.

And if your practice is still treating this like every other HIPAA update... we need to talk. We’re not trying to be harsh; we’re just trying to keep you protected!

What is the HIPAA Security Rule?

If you've ever wondered which part of HIPAA actually governs your technology, this is it.

The HIPAA Security Rule covers electronic Protected Health Information (ePHI)... anything digital that touches patient data. Your practice management software. Your digital X-rays. Your cloud backup. Your front-desk computers. The email your front office sends to an insurance company.

Every single one of those systems has been operating under rules that haven't had a substantive update since 2003.[1] Think about what didn't exist then: smartphones. Cloud storage. Ransomware as a business model. The evolution of today's cyberattacks against healthcare.

OCR has finally caught up. And the changes they're proposing don't just add items to your to-do list. They fundamentally change the standard of care you're expected to meet for your patients' data.

What’s Changing with the HIPAA Security Rule?

The proposed HIPAA update is about 393 pages and includes extensive changes. Here are some of the key proposed HIPAA regulations and what they mean for your practice day-to-day.

1. Encryption Is No Longer “Recommended”; It’s Required

Under the old rule, encryption was an "addressable" implementation specification. That word (addressable) was the loophole. It meant you could decide not to encrypt if you documented a reasonable alternative.

Under the new rule, that flexibility disappears.

The proposed overhaul would eliminate the long-standing distinction between “required” and “addressable” implementation specifications, making nearly all of them mandatory.[2]

That includes the encryption of ePHI at rest and in transit. The data sitting on your server, laptops, backups, and traveling between your practice management software and the cloud... all of it.

If you're not sure whether your systems are currently encrypted, that question needs an answer now.

2. Comprehensive Asset Inventory and Network Documentation

Can you answer this question right now: Where does all of your patient data live?

The proposed rule would require practices to maintain documented inventories of the technology assets (devices, systems, and applications) that create, receive, maintain, or transmit ePHI, along with a clear understanding of how data flows through your environment.

This is one of the most underestimated requirements in the proposal. It sounds administrative, but for practices running multiple locations, using legacy equipment, or relying on a patchwork of vendors, it's a significant undertaking and one that reveals gaps nobody knew were there.

3. 72-Hour Data Restoration Capability

Ransomware has become the most destructive cyber threat facing the healthcare sector. In response, the proposed rule would require practices to demonstrate the ability to restore critical systems within 72 hours of an incident.

That's not just about having a backup. It’s about having a tested, working, documented backup and disaster recovery plan. One that can be executed under pressure.

A dusty external hard drive stored in a desk drawer or a backup system that's never been verified will not meet this standard.

4. Multi-Factor Authentication (MFA) Everywhere

MFA is the technology that requires more than just a password to log in (like a code sent to your phone). You've probably seen it on your personal bank account or email.

Under the updated Security Rule, the proposed changes would require MFA to be enforced on all systems accessing ePHI. Your practice management software. Your imaging system. Your email. Your remote access tools.

Credential theft remains one of the leading causes of healthcare data breaches, and a password alone, without a second layer of verification, is a known vulnerability. The proposed rule closes that gap.

Check out our Enabling (MFA) Multifactor Authentication Cheat Sheet for more details.

5. Annual Security Risk Analysis

Security Risk Analyses (SRAs) have technically been required under HIPAA for years. But enforcement has been inconsistent, and many practices have treated them as a one-time exercise.

Under the proposed rule, the SRA expectation shifts significantly. Written documentation of all security policies, procedures, plans, and analyses will be required.[2] It's not enough to check a box or say you’ve assessed your risks. You'll need to demonstrate that you identified gaps, created a remediation plan, and followed through.

The once-every-decade SRA filed in a drawer? That’s not going to hold up.

Why This Isn’t Like Past HIPAA Updates

It's a fair question: HIPAA has been updated before. Why is this different?

Past HIPAA changes told practices what to say and document. This overhaul tells practices what they must technically implement and removes the flexibility that allowed smaller providers to defer or substitute certain safeguards.

As described in the Alston & Bird health law advisory, the proposed rule introduces “prescriptive, strict security requirements” that would represent a transformational change to HIPAA security programs.[2]

And the enforcement environment has changed too. OCR has made clear that it's shifting its focus from "do you have a policy?" to "prove this policy is actually working." Recent enforcement actions have hit private dental practices with fines for violations that may have seemed minor, like failing to provide patients with timely access to their records.

One More Deadline You May Have Already Missed

Before we even get to the Security Rule finalization, there's a compliance deadline worth acknowledging directly.

By February 16, 2026, all HIPAA-covered dental practices were required to update their Notice of Privacy Practices to include new language around the confidentiality of Substance Use Disorder (SUD) records.[3] This requirement stems from federal rule changes aligning HIPAA protections with stricter confidentiality standards for SUD patient information.

The Texas Dental Association, citing ADA guidance, made clear that this applies to all HIPAA-covered dental practices, even those that don't specifically treat SUD patients. If your Notice of Privacy Practices hasn't been updated to reflect this language, it's something to address immediately.[3]

It's also a signal of where things are heading more broadly. Regulators are no longer satisfied with static compliance documents. They want evidence that your practice is actively managing its obligations in real time.

When do the HIPAA Updates Take Effect?

Here's the timeline as clearly as it can be stated at this time:

  • May 2026: OCR has the Security Rule overhaul on its official regulatory agenda for finalization.[2] The direction of the proposed changes is clear, even as the final form continues to take shape.
  • 180 days to 1 year after finalization: This is the likely implementation window practices will be given to achieve full compliance, placing a hard deadline in late 2026 or early 2027.

The compliance window sounds generous until you realize how many moving pieces need to be in place: encrypting systems, implementing MFA across all platforms, completing a legitimate SRA, auditing your vendors, updating your BAAs, assessing your technology inventory, and documenting your network.

Need assistance with HIPAA compliance? Our HIPAA compliance partners can help. Learn more here.

The Binder Won't Save You This Time

The practices that struggle with the 2026 HIPAA Security Rule overhaul are the ones that approach it the same way they've approached every HIPAA update before... as paperwork. As a compliance checkbox. As something the office manager handles between patients.

This is a technology and operations overhaul. It requires an honest look at your systems, vendors, staff training, backup infrastructure, and incident response capabilities.

But you don't have to figure this out alone. 

This is exactly what a reliable managed IT partner does... helps you understand where you stand, builds a realistic roadmap, and helps put the controls in place that keep your practice protected and compliant. At Pact-One, we’re dental-born, people-first, and ready to help you tackle this head on.


Ready to Find Out Where Your Practice Stands?

The best first step is an assessment of your current security posture before the final rule lands and the compliance clock starts running.

Book your Free Practice IT Analysis today!


FAQ: HIPAA Compliance 2026

Have questions about the proposed HIPAA updates? Here are some common questions we get asked.

Is the new Security Rule already in effect?

Not yet. The rule is still in proposed form, with finalization listed on OCR's regulatory agenda for May 2026.[2]

Does this apply to small dental practices?

Yes. HIPAA applies to all covered entities regardless of size. The proposed rule removes many of the flexibility provisions smaller providers have historically relied on to defer or substitute certain safeguards.[1][2]

What's the difference between the Privacy Rule and the Security Rule?

The Privacy Rule governs how patient information can be used and disclosed. The Security Rule governs how electronic patient data must be technically protected. The 2026 overhaul specifically targets the Security Rule.

Can my current IT company handle this?

It depends on whether your IT company has dental-specific expertise and a compliance-informed approach. Many general IT providers or individual IT technicians are not equipped to conduct Security Risk Analyses, assess ePHI asset inventories, or support HIPAA BAA requirements. It's worth asking those questions directly.

What is a Security Risk Analysis?

A Security Risk Analysis (SRA) is a formal evaluation of the risks and vulnerabilities in your practice's technology environment as they relate to ePHI. Under the proposed updates, annual SRAs with written documentation will be required.[1]

Disclaimer: This article is for informational and educational purposes only and does not constitute legal advice. For guidance specific to your practice's compliance obligations, consult a qualified HIPAA compliance professional or legal counsel.


Sources

  1. HIPAA Journal Editorial Staff. “New HIPAA Regulations in 2026.” HIPAA Journal, 2026, https://www.hipaajournal.com/new-hipaa-regulations/. Accessed 14 May 2026.
  2. Everett, Jennifer C., Angela T. Burnette, and Jennifer Pike. “HIPAA Security Rule: Still on Track for Finalization.” Alston & Bird, 4 Nov. 2025, https://www.alston.com/en/insights/publications/2025/11/hipaa-security-rule-overhaul. Accessed 14 May 2026.
  3. Texas Dental Association. “Important Update: New Federal HIPAA Privacy Rules Affect Dental Practices.” Texas Dental Association, 9 Jan. 2026, https://www.tda.org/home/2026/01/09/important-update--new-federal-hipaa-privacy-rules-affect-dental-practices. Accessed 14 May 2026.


Kristine

Marketing Manager

Kristine Campo is the Marketing Manager at Pact-One Solutions, where she transforms complex dental IT topics into insightful, easy-to-understand content. Collaborating closely with Pact-One’s IT experts, client success managers, and leadership team, she creates educational resources that address the real challenges dental professionals face—helping practices grow smarter, safer, and more strategically.