Obsidian Ridge

HIPAA Cybersecurity for Dental Practices: What the Security Rule Actually Requires

What the HIPAA Security Rule actually requires of dental practices in 2026 — risk analysis, administrative safeguards, MFA, encryption, breach response, and where most practices get it wrong.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+

Most dental practice owners we meet have a HIPAA binder. A few have refreshed it. Almost none have a current, written risk analysis that an Office for Civil Rights (OCR) investigator would accept as evidence that the Security Rule is being followed.

That is not a moral failure on the part of dentists. It is a structural one. The HIPAA Security Rule was written in 2003, amended through the HITECH Act and the 2013 Omnibus Rule, and is now proposed for substantial modernization through the 2025 Notice of Proposed Rulemaking. Almost none of that conversation reaches a four-chair practice through normal channels.

This guide walks through what the Security Rule actually requires, what the 2025 NPRM proposes to add, where dental practices most commonly fall short, and what a defensible 90-day path looks like for a small office.

A note up front: we operate the technical safeguards side of this work. We are not your HIPAA Privacy Officer, and we are not lawyers. The dentist or practice owner remains the Privacy Officer, and substantive legal questions should go to qualified HIPAA counsel.

What the HIPAA Security Rule actually says

The Security Rule lives at 45 CFR Part 164, Subpart C. It is short by federal standards and surprisingly readable. There are three groups of standards, and every covered dental practice has to address all three.

Administrative safeguards sit at 45 CFR § 164.308. These are the people-and-process controls: a designated Security Official, a documented risk analysis and risk management process, sanction policy, workforce training, access management, incident response procedures, and contingency planning.

Physical safeguards sit at 45 CFR § 164.310. These cover facility access, workstation use and location, and device and media controls. In a dental office this translates to who can walk behind the front desk, whether operatory computers face the hallway, how old hard drives are destroyed, and how the server (if there is one) is physically secured.

Technical safeguards sit at 45 CFR § 164.312. These are the controls that touch the systems directly: access control, audit controls, integrity controls, person or entity authentication, and transmission security.

Two more sections matter and are often forgotten. 45 CFR § 164.314 covers the organizational requirements — primarily Business Associate Agreements. 45 CFR § 164.316 covers documentation requirements, including the six-year retention rule for policies, procedures, and Security Rule records.

Required versus Addressable — the misunderstanding that costs practices money

Inside those standards, individual implementation specifications are labeled either Required or Addressable. Almost every dental practice we have audited misreads the second category.

"Addressable" does not mean optional. It means the practice must do one of three things, and document the choice: implement the specification as written; implement a reasonable and appropriate alternative that achieves the same objective; or document why the specification is not reasonable and appropriate for the practice and what equivalent measure is in place. OCR has been very clear in guidance and in enforcement that "we read it, we passed" is not a valid third option.

Encryption of ePHI at rest and in transit is Addressable. In 2026, with the threat environment as it is, there is essentially no defensible "not reasonable" argument for skipping disk encryption on laptops or TLS on email carrying claim attachments. The Addressable label is not a loophole; it is a documentation obligation.

Where ePHI actually lives in a dental practice

Before any of the safeguards make sense, the practice has to know where its electronic Protected Health Information is. In our experience, the typical dental ePHI map is wider than the owner realizes.

The practice management system is the obvious one — Dentrix, Eaglesoft, Open Dental, Curve Dental, Carestream, Dentrix Ascend, Denticon, and newer cloud entrants all qualify. But ePHI also flows through, and rests in:

  • Digital intra-oral imaging and panoramic systems
  • CBCT (cone beam) systems, which often store DICOM data on a separate workstation
  • The Outlook or Google Workspace mailbox the front desk uses for pre-authorizations and referrals
  • The fax-to-email service that drops insurance correspondence into that mailbox
  • The website contact form, if it accepts symptom or insurance information
  • The SMS appointment reminder system, if it contains identifiers
  • The local file server or NAS where scanned forms and treatment plans get saved
  • The backup target — local NAS, USB rotation, or cloud
  • The doctor's personal laptop, used to review cases from home

Each system has to appear in your risk analysis. The doctor's home laptop with ePHI and no full-disk encryption is one of the most common findings we see, and one of the easiest for OCR or a plaintiff's attorney to identify after the fact.

The risk analysis — the single most important control

45 CFR § 164.308(a)(1)(ii)(A) requires a covered entity to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

That sentence has done more enforcement damage than any other in the Security Rule. OCR publishes its resolution agreements and corrective action plans, and the single most consistent finding across small healthcare providers — dental included — is the absence of a current, accurate, and thorough risk analysis. The next most consistent is the absence of a written risk management plan addressing the gaps the analysis identified.

A real risk analysis is not a checklist a vendor sells for $399. It identifies every system that creates, receives, maintains, or transmits ePHI; documents the applicable threats and vulnerabilities; assesses likelihood and impact; and produces a remediation roadmap with owners and dates. NIST SP 800-66 Rev. 2 is the closest thing to an official methodology walkthrough.

Cadence matters too. Re-perform the analysis at least annually and after any material change — new PMS, new imaging system, an office move, a new IT vendor, an acquisition, an incident, or a significant staffing change.

The 2025 HIPAA Security Rule NPRM — where this is heading

In late 2024, HHS published a Notice of Proposed Rulemaking that would significantly modernize the Security Rule. It is still a proposal, but it is the clearest signal HHS has given in two decades about the direction of enforcement. We recommend most practices align with it now rather than wait.

Proposed changes that matter most for a dental practice:

  • Mandatory MFA on systems that access ePHI, removing the Addressable label
  • Mandatory encryption of ePHI at rest and in transit, again removing the Addressable label
  • A written incident response plan that is tested, not just documented
  • Network segmentation so that imaging, PMS, guest Wi-Fi, and general business systems are not all on the same flat network
  • Vulnerability scanning at least every six months
  • Annual penetration testing
  • Asset inventory that is maintained, not point-in-time
  • A compliance audit at least annually

Some of those will be operationally heavy for a single-location practice, and the final rule may soften specific timelines. But the underlying message — that Addressable is being narrowed, and that documented technical control is now the floor — is not going to reverse. Treat the NPRM as the planning baseline.

Business Associate Agreements — the dental-specific landmines

45 CFR § 164.314 and the definition of Business Associate at § 160.103 require a written agreement with any vendor that creates, receives, maintains, or transmits ePHI on behalf of the practice. In dental, this gets more complicated than most owners expect.

Where we routinely find missing or stale BAAs:

  • Cloud PMS vendors — these almost always have a BAA available, but the practice has to actually request and sign it. We have walked into offices on cloud PMS for three years where the BAA was never executed.
  • Imaging cloud vendors — DICOM-in-the-cloud, second-opinion platforms, CBCT analysis services.
  • The local "IT guy" — if your IT support has remote access to operatory or front-desk computers, they touch ePHI. They need a BAA. "We trust him, he's been with us 12 years" is not a defense.
  • Cloud backup vendors — yes, even if the data is encrypted.
  • Email providers — Microsoft 365 and Google Workspace offer BAAs for the right license tiers. Default sign-up does not include one.
  • Practice marketing vendors — reactivation lists, recall communications, anything with patient identifiers.

Vendors that typically refuse to sign BAAs — and therefore should not be receiving ePHI — include most consumer-grade SMS tools, free email marketing platforms, and general-purpose cloud storage on default plans.

The Breach Notification Rule

45 CFR §§ 164.400-414 define what counts as a breach and how a practice has to respond. A breach is, broadly, the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. The 2013 Omnibus Rule shifted the standard so that an impermissible use or disclosure is presumed to be a breach unless the covered entity can demonstrate, through a documented four-factor risk assessment, that there is a low probability the PHI was compromised.

Timelines:

  • Fewer than 500 individuals affected: notify each affected patient without unreasonable delay and no later than 60 days from discovery, and submit an annual log of these breaches to HHS within 60 days after the end of the calendar year.
  • 500 or more individuals affected: notify patients, HHS, and prominent media outlets in the affected state, all without unreasonable delay and no later than 60 days from discovery.

A practical note: the 60-day clock starts at discovery, not at the date of the underlying incident. Once a staff member becomes aware that ePHI may have been improperly accessed, the clock runs. This is one reason a written incident response procedure matters — without it, the discovery date becomes ambiguous and arguments about timeliness get harder to defend.
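The two deadline paths above, keyed off the discovery date rather than the incident date, as an added example (not code from the original page or from Obsidian Ridge). It assumes the annual log for an under-500 breach is measured from the end of the calendar year in which the breach was discovered, and it computes only the outer limits; "without unreasonable delay" still applies inside them.

```python
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)      # "no later than 60 days from discovery"
LARGE_BREACH_THRESHOLD = 500            # 500 or more individuals changes the HHS/media path


def breach_deadlines(discovered: date, individuals_affected: int) -> dict:
    """Return the latest permissible notification dates the article describes.

    The date of the underlying incident is deliberately not a parameter: the
    clock starts when the practice becomes aware, so only discovery is used.
    """
    patients = discovered + NOTIFY_WINDOW
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        # 500 or more: patients, HHS and prominent media all on the same clock.
        return {"patients": patients, "hhs": patients, "media": patients}
    # Fewer than 500: individual notice on the 60-day clock; HHS gets the annual
    # log within 60 days after the end of the calendar year of discovery
    # (assumption: discovery year, which is how the article frames the log).
    year_end = date(discovered.year, 12, 31)
    return {"patients": patients, "hhs": year_end + NOTIFY_WINDOW, "media": None}


def days_left(deadline: date, today: date) -> int:
    """Days remaining before a deadline; negative means it has already passed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed scenario: the intrusion happened in February, but a staff
    # member only recognised it on 10 March 2026; 120 patients affected.
    plan = breach_deadlines(date(2026, 3, 10), 120)
    for party, deadline in plan.items():
        print(f"{party:8} {deadline}")
```

Note the calendar edge: 60 days after 31 December lands on 1 March in most years but on 29 February when the following year is a leap year, which is one reason to compute the date rather than pencil in "end of February".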

OCR enforcement reality

We are deliberately cautious about citing specific dental enforcement actions, because we would rather be conservative than wrong. What we can say is what OCR's published settlements consistently reveal across small healthcare providers, dental included:

  • Most cited deficiency: absence of an accurate, thorough, current risk analysis.
  • Second most cited: absence of a documented risk management plan tied to that analysis.
  • Missing BAAs are routinely flagged, particularly with IT vendors and cloud services.
  • Shared accounts and weak access controls show up repeatedly at the front desk.
  • Failure to implement audit controls — no record of who accessed what ePHI when — is common once OCR begins to look.
  • "We followed our policies" fails when the policies cannot be produced in writing.

OCR does not require perfection. It requires reasonable, documented, consistent application of the Security Rule, with the risk analysis as the central artifact. Practices that can produce a current risk analysis, a remediation plan, training records, BAAs, and a documented incident history almost always come out of investigations far better than those that cannot.
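The audit-controls point above ("who accessed what ePHI when") and the shared-login finding are easier to evidence when the practice can actually read its own access records. The following is an added example, not code from the original page or from Obsidian Ridge: it parses a constructed PMS audit-log format (the field layout is an assumption, not any real product's), answers the per-patient access question, and flags an account that jumps between workstations within a short window, which is the footprint of a shared "frontdesk" login.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-log lines for the example; the layout is assumed, not a real PMS format.
SAMPLE_LOG = """\
2026-05-12T08:02:11 user=frontdesk ws=FD-PC1 patient=1042 action=view
2026-05-12T08:03:40 user=frontdesk ws=FD-PC2 patient=2210 action=view
2026-05-12T08:04:05 user=frontdesk ws=FD-PC1 patient=1042 action=update
2026-05-12T09:15:00 user=dr.smith ws=OP-3 patient=2210 action=view
2026-05-12T12:30:00 user=dr.smith ws=DR-LAPTOP patient=3301 action=view
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    ws: str
    patient: str
    action: str


def parse_log(text: str) -> list:
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AccessEvent(datetime.fromisoformat(m["ts"]), m["user"],
                                  m["ws"], m["patient"], m["action"]))
    return sorted(events, key=lambda e: e.ts)


def who_accessed(events: list, patient: str) -> list:
    """The audit-control question: every recorded access to one patient's record."""
    return [e for e in events if e.patient == patient]


def detect_shared_accounts(events: list, window_minutes: int = 10) -> dict:
    """Flag accounts whose consecutive events come from different workstations
    within the window: one person cannot be at two desks 89 seconds apart."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        rapid_switches = sum(
            1 for prev, cur in zip(evs, evs[1:])
            if prev.ws != cur.ws and cur.ts - prev.ts <= window
        )
        if rapid_switches:
            flagged[user] = {"workstations": {e.ws for e in evs},
                             "rapid_switches": rapid_switches}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in who_accessed(evs, "2210"):
        print(e.ts, e.user, e.ws, e.action)
    print(detect_shared_accounts(evs))
```

The doctor's account also appears on two machines, but hours apart, so it is not flagged; the point of the window is to separate a clinician moving between an operatory and a laptop from several people typing under one login at the same time.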

The common gaps we find walking into dental offices

Almost every initial assessment surfaces some combination of the following:

  • A shared "frontdesk" login on the PMS or Windows itself, used by three or four people. This violates 45 CFR § 164.312(a)(2)(i) (Unique User Identification — a Required specification).
  • No MFA on Microsoft 365 or Google Workspace, despite the mailbox carrying insurance correspondence with patient identifiers.
  • A backup that has been "running" for years but has never been tested by restoring data.
  • The PMS vendor has a BAA. The imaging cloud does not.
  • The IT contractor has full remote access and has never signed a BAA.
  • The doctor's home laptop has the PMS client installed and is not encrypted.
  • Guest Wi-Fi sits on the same network as the operatory computers.
  • No written incident response procedure.
  • The risk analysis is missing entirely or is a five-year-old PDF.

None of these are exotic. All are fixable. Most are exactly what OCR, an insurance underwriter, or an attorney's expert witness will look for first.
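The risk analysis the Security Rule asks for (every ePHI system, threats and vulnerabilities, likelihood and impact, a remediation roadmap with owners and dates) can be kept as structured data rather than a five-year-old PDF. Below is an added example, not code from the original page or from Obsidian Ridge, that runs the gap list above against a constructed inventory and ranks findings by likelihood times impact. The 1-to-5 scales and the per-check scores are assumptions for illustration; the citations are the sections the article names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class EphiSystem:
    name: str
    vendor: Optional[str]                 # None for a device the practice owns outright
    encrypted_at_rest: bool
    mfa_enforced: bool
    shared_login: bool
    audit_logging: bool
    baa_executed: bool = False            # only meaningful when vendor is not None
    backup_restore_tested: bool = True    # only meaningful for backup targets
    is_backup_target: bool = False
    shares_network_with_guest_wifi: bool = False


@dataclass
class Finding:
    system: str
    issue: str
    citation: str
    likelihood: int   # 1-5 (assumed scale)
    impact: int       # 1-5 (assumed scale)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# (predicate, issue, citation, likelihood, impact); scores are illustrative assumptions.
RULES = [
    (lambda s: s.vendor is not None and not s.baa_executed,
     "No executed Business Associate Agreement", "45 CFR § 164.314", 3, 4),
    (lambda s: not s.encrypted_at_rest,
     "ePHI not encrypted at rest", "45 CFR § 164.312(a)(2)(iv)", 4, 5),
    (lambda s: not s.mfa_enforced,
     "MFA not enforced", "2025 NPRM (proposed mandatory MFA)", 5, 4),
    (lambda s: s.shared_login,
     "Shared login in use", "45 CFR § 164.312(a)(2)(i)", 5, 3),
    (lambda s: s.is_backup_target and not s.backup_restore_tested,
     "Backup never restore-tested", "45 CFR § 164.308 contingency planning", 3, 5),
    (lambda s: not s.audit_logging,
     "No audit record of who accessed ePHI", "45 CFR § 164.312(b)", 3, 3),
    (lambda s: s.shares_network_with_guest_wifi,
     "Guest Wi-Fi on the same network", "2025 NPRM (proposed segmentation)", 3, 4),
]


def analyze(inventory: list) -> list:
    """Apply every rule to every system; highest-risk findings first."""
    findings = [Finding(s.name, issue, cite, lik, imp)
                for s in inventory
                for pred, issue, cite, lik, imp in RULES if pred(s)]
    findings.sort(key=lambda f: (-f.score, f.system, f.issue))
    return findings


def remediation_roadmap(findings: list) -> list:
    """One roadmap line per finding; owner and date are left for the practice to fill."""
    return [f"{f.score:>2}  {f.system}: {f.issue} ({f.citation}) -- owner: TBD, due: TBD"
            for f in findings]


# Constructed inventory mirroring the findings listed in the article.
SAMPLE_INVENTORY = [
    EphiSystem("Open Dental (PMS)", vendor="PMS vendor (constructed)", encrypted_at_rest=True,
               mfa_enforced=True, shared_login=True, audit_logging=True, baa_executed=True),
    EphiSystem("Imaging cloud (CBCT analysis)", vendor="imaging vendor (constructed)",
               encrypted_at_rest=True, mfa_enforced=True, shared_login=False,
               audit_logging=True, baa_executed=False),
    EphiSystem("Microsoft 365 mailbox", vendor="Microsoft", encrypted_at_rest=True,
               mfa_enforced=False, shared_login=False, audit_logging=True, baa_executed=True),
    EphiSystem("Cloud backup", vendor="backup vendor (constructed)", encrypted_at_rest=True,
               mfa_enforced=True, shared_login=False, audit_logging=True, baa_executed=True,
               is_backup_target=True, backup_restore_tested=False),
    EphiSystem("Doctor home laptop", vendor=None, encrypted_at_rest=False,
               mfa_enforced=True, shared_login=False, audit_logging=True),
    EphiSystem("Operatory workstation", vendor=None, encrypted_at_rest=True,
               mfa_enforced=True, shared_login=False, audit_logging=True,
               shares_network_with_guest_wifi=True),
]

if __name__ == "__main__":
    for line in remediation_roadmap(analyze(SAMPLE_INVENTORY)):
        print(line)
```

Re-running this after each material change (new PMS, new imaging system, a new IT vendor) is what turns a point-in-time PDF into the maintained inventory and current analysis the NPRM expects; the inventory file, the findings, and the dated roadmap are the artifacts to keep for the six-year retention period.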

A practical 90-day path for a small practice

For a one-doctor or small-group practice, defensible HIPAA remediation usually fits inside a quarter if there is real ownership. Order matters.

Weeks 1–2: scope and inventory. Build the ePHI map. Every system, every vendor, every device. List the Business Associates and check which BAAs are actually executed.

Weeks 3–4: risk analysis. Conduct a real risk analysis against the inventory. Output: a written document with identified risks, likelihood and impact, and a remediation plan with owners and target dates.

Weeks 5–8: technical remediation. Enforce MFA on Microsoft 365 or Google Workspace and on any remote access. Enforce unique user accounts on the PMS and Windows — eliminate shared logins. Encrypt every laptop. Confirm the backup actually restores. Segment guest Wi-Fi off the operatory network. Deploy managed endpoint detection on every workstation and server with ePHI. We typically deploy Huntress Managed EDR and Managed ITDR here, because the technical safeguards at § 164.312 are essentially impossible to evidence without managed detection and identity threat detection running.

Weeks 9–10: administrative remediation. Update policies to match what is now actually happening — sanction policy, access management, contingency plan, incident response. Train staff and document the training. Annual security awareness with phishing simulation is now baseline; our managed security awareness training service handles this for clients who prefer not to operate it themselves.

Weeks 11–12: documentation and ongoing operation. Execute missing BAAs. Build a single folder containing the risk analysis, risk management plan, policies, training records, BAAs, and incident log. Set cadence: quarterly access review, annual risk analysis refresh, annual training, monthly backup restore tests.

This sequence is also what most cyber insurance underwriters now expect at renewal. If you are heading into renewal, our cyber insurance readiness walkthrough covers the underwriter questions in detail.

Where Obsidian Ridge fits — and where we do not

We want to be precise about our role, because dental owners are often sold "HIPAA compliance" as a single product, and it is not.

We operate the technical safeguards:

  • 24/7 managed detection and response across every device that touches ePHI
  • Identity threat detection on Microsoft 365 — the front line where dental email account takeover begins
  • Managed security awareness training and phishing simulation
  • Vulnerability scanning, log review, and the technical evidence package supporting your audit controls obligation under § 164.312(b)

We can also help build the ePHI inventory, structure the risk analysis, and pressure-test your incident response procedure.

What we are not: we are not your HIPAA Privacy Officer, we are not your attorney, and we do not file your breach notifications. The practice owner remains the Privacy Officer, and substantive legal questions go to qualified counsel. We have seen too many practices buy a "HIPAA program" from a single vendor that promised to handle everything and ended up with neither a Privacy Officer nor a defensible technical environment.

Where to go from here

If you are reading this and realizing your practice does not have a current risk analysis, your BAAs are incomplete, or your front desk is sharing a login — you are not unusual. You are also exactly where OCR's enforcement pattern says the risk lives.

The right next step is not panic. It is an honest 60-minute assessment of where you actually stand against the Security Rule, followed by a written plan with owners and dates. We offer that as a fixed-scope engagement for dental practices, and we are happy to walk through your environment with no expectation that you sign anything afterward.

Book a briefing, or send us your most recent risk analysis and we will tell you honestly whether it would hold up. The worst time to find out is during an OCR letter or an underwriter's renewal question. The best time is now, on your own schedule, before either happens.

Last updated

May 14, 2026. We refresh this content as the threat landscape and tools evolve.

FAQ

Questions readers usually ask next

Does HIPAA actually require MFA for dental practices?

The Security Rule does not name MFA by exact title, but the 2025 NPRM and OCR enforcement clearly expect strong authentication on systems accessing ePHI. Treat MFA on Microsoft 365, the practice management system, and any remote-access tooling as a baseline expectation, not an optional control.

What counts as ePHI inside a dental practice?

Anything electronic that identifies a patient and relates to their care, payment, or condition. That includes the practice management system, digital X-ray and CBCT images, intra-oral scans, insurance claim emails, treatment plan PDFs on the front-desk computer, backups, and even text messages confirming appointments if they contain patient identifiers.

Do we need a BAA with our practice management vendor?

Yes, if the vendor stores, transmits, or can access ePHI on your behalf. Cloud-hosted PMS platforms (Curve, Dentrix Ascend, Denticon, Open Dental hosted offerings) clearly require a BAA. Local installations still require a BAA if the vendor provides remote support that touches patient data. The same applies to your IT MSP, cloud backup vendor, and imaging cloud.

How fast do we have to notify after a breach?

For breaches affecting fewer than 500 individuals, you must notify affected patients without unreasonable delay and no later than 60 days from discovery, and report to HHS within 60 days after the end of the calendar year. For breaches affecting 500 or more individuals, notification to patients, HHS, and prominent media outlets in the state is required without unreasonable delay and no later than 60 days from discovery.

How often should a dental practice perform a HIPAA risk analysis?

At minimum annually, and again whenever there is a material change — new PMS, new imaging system, an office move, an acquisition, a significant staffing change, or after a security incident. Missing or stale risk analysis is the single most cited deficiency in OCR settlements with small healthcare providers, dental included.

Where does OCR enforcement actually focus for small dental practices?

OCR's published enforcement pattern across small providers points to a small number of repeat issues: no current risk analysis, no written risk management plan, missing or inadequate Business Associate Agreements, weak access controls (especially shared logins), and failure to implement audit controls or encryption. Dental practices are not exempt; smaller settlements involving dental providers have followed these same patterns.

Is encryption legally required under HIPAA?

Encryption is an Addressable specification under 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii), which does not mean optional. It means you either implement it, or document a reasonable equivalent that meets the same risk objective. In modern dental practice, there is rarely a defensible reason not to encrypt laptops, backups, and email containing ePHI.

Does HIPAA require security awareness training for dental staff?

Yes. 45 CFR § 164.308(a)(5) requires a security awareness and training program for the entire workforce, including periodic reminders, password practices, malware protection, and login monitoring. Annual training plus phishing simulation is the operating baseline most insurers and OCR investigators expect to see.

