What Dental Practices Need to Know About the Proposed HIPAA Security Rule Changes
The healthcare industry is facing one of the most significant cybersecurity regulatory updates in more than a decade. In January 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a proposed overhaul of the HIPAA Security Rule designed to strengthen protections for electronic protected health information (ePHI). These changes come in response to a dramatic increase in ransomware attacks, data breaches, and cyber threats targeting healthcare organizations across the country.
For dental practices, these proposed updates are especially important. Dental offices increasingly rely on digital imaging, cloud-based practice management systems, patient portals, e-prescribing platforms, and third-party vendors to manage patient information. As a result, dental practices are now attractive targets for cybercriminals, particularly smaller practices that may not have robust cybersecurity programs in place.
Although the rule is not yet finalized, practices should begin preparing now because many of the proposed requirements will require operational, technical, and financial planning.
Why HHS Is Updating the HIPAA Security Rule
The original HIPAA Security Rule was finalized in 2003, long before today’s sophisticated ransomware threats and widespread cloud computing. Since then, healthcare cyberattacks have surged dramatically. According to HHS, large breaches affecting 500 or more individuals have increased substantially over the last several years, with ransomware becoming one of the primary threats to healthcare operations.
The proposed changes aim to modernize HIPAA by converting many “addressable” implementation specifications into mandatory requirements and creating more detailed cybersecurity expectations for covered entities and business associates alike.
For dental practices, this means cybersecurity will no longer be viewed as a flexible recommendation—it will become a compliance obligation.
Key Changes Dental Practices Should Expect
Mandatory Risk Analysis and Asset Inventory
One of the most important proposed changes involves risk analysis. Under the proposed rule, practices would be required to maintain a written inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a network map showing how ePHI moves through those systems.
This includes:
- Practice management software
- Digital X-ray systems
- Imaging devices
- Cloud storage platforms
- Laptops and desktop computers
- Mobile devices
- Email systems
- Backup systems
- Connected dental equipment
Practices would also need to review and update that inventory at least once every 12 months (and after significant changes to their environment), perform a written risk analysis on the same schedule, and document how each identified risk is addressed.
For many smaller dental practices, this could require significant upgrades to documentation and cybersecurity procedures.
Multi-Factor Authentication (MFA) Becomes Essential
The proposed rule strongly emphasizes multi-factor authentication (MFA), which has become one of the most effective defenses against ransomware and credential theft.
Dental practices would need to implement MFA for:
- Remote access systems
- Email accounts
- Cloud-based applications
- Administrative logins
- Systems containing ePHI
- Desktop logins (both Windows and macOS)
Many cyberattacks begin when attackers gain access through stolen passwords. MFA significantly reduces this risk by requiring additional verification methods beyond a simple password.
Practices still relying solely on usernames and passwords should consider upgrading immediately.
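To make "additional verification beyond a simple password" concrete, the following is an added example written for this article (it is not code from HHS, OCR, or any practice-management vendor). It implements the RFC 6238 time-based one-time password (TOTP) check that authenticator apps use as a second factor, and a hypothetical `login()` that only succeeds when both the password and the current code are correct. The shared secret is the ASCII test-vector secret from RFC 6238, and the `frontdesk` user record is constructed for the demonstration; a real deployment would generate a random secret per user and store it encrypted.

```python
"""RFC 6238 TOTP second factor, stand-alone demonstration (standard library only).

Added example, not from the original article. Shows why a stolen password alone
is not enough once MFA is enforced: the login also needs a code derived from a
per-user secret and the current 30-second time window.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII secret used in the RFC 4226 / RFC 6238 test
# vectors, so the outputs below can be checked against the RFCs.
DEMO_SECRET = b"12345678901234567890"
# Base32 form is what an authenticator app's enrollment QR code would carry.
DEMO_SECRET_BASE32 = base64.b32encode(DEMO_SECRET).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current window or +/- `window` adjacent windows
    to tolerate small clock skew between the server and the user's phone.
    Constant-time comparison so the check does not leak how many digits matched."""
    counter = at_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


# Constructed user store: salted PBKDF2 password hash plus the user's TOTP secret.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000
_USERS = {
    "frontdesk": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                       _SALT, _ITERATIONS),
        "totp_secret": DEMO_SECRET,
    }
}


def login(username: str, password: str, code: str, at_time: int) -> bool:
    """Hypothetical two-factor login: password AND current TOTP code must both be right."""
    user = _USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # Both factors are always evaluated; a correct password with a wrong code fails.
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    print("enrollment secret (base32):", DEMO_SECRET_BASE32)
    print("current code:", totp(DEMO_SECRET, now))
    print("password only:", login("frontdesk", "correct horse battery staple", "000000", now))
    print("password + code:", login("frontdesk", "correct horse battery staple",
                                    totp(DEMO_SECRET, now), now))
```

The `window` argument is the usual operational trade-off: a tolerance of one step on either side keeps legitimate users with slightly drifted phone clocks from being locked out, while still limiting an attacker who has captured a code to roughly 90 seconds of validity. For a practice, the point is that the server never accepts the password on its own.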
Encryption Requirements Expand
Although encryption has long been recommended under HIPAA, the proposed rule places far greater emphasis on encrypting ePHI both at rest and in transit.
Encryption at Rest
This means data is encrypted while it is stored on a device, database, hard drive, or cloud storage. If someone steals the storage or gains unauthorized access, they cannot read the data without the encryption key.
Encryption in Transit
This means data is encrypted while it is moving between devices or over the internet.
It protects the data from being intercepted during transfer.
In practice, dental practices would need to ensure encryption is used for:
- Emails containing patient information
- Portable devices
- Cloud storage systems
- Data backups
- File transfers
- Internal network communications
Failure to encrypt sensitive patient data will become difficult to justify under the new framework.
Written Incident Response and Disaster Recovery Plans
Another major focus of the proposal is operational resilience.
Practices would need formal written procedures for:
- Responding to cyber incidents
- Recovering from ransomware attacks
- Restoring data backups (the proposal calls for restoring critical systems and data within 72 hours)
- Maintaining continuity of operations
- Communicating during security incidents
Practices would also need to test these plans regularly to demonstrate preparedness.
This is particularly important because ransomware attacks can completely shut down scheduling systems, billing operations, digital imaging access, and patient records.
For a busy dental office, even a short operational disruption can create serious financial and patient care consequences.
Business Associates Face Greater Scrutiny
The proposed rule also increases accountability for business associates, including vendors that handle ePHI on behalf of dental practices.
Examples include:
- IT and managed service providers (MSPs)
- Cloud hosting companies
- Billing services
- Patient communication platforms
- Software vendors
Business associates would be directly required to comply with many of the same cybersecurity standards as covered entities.
However, practices cannot assume vendors are automatically complying. They will still need to conduct due diligence and carefully review Business Associate Agreements (BAAs).
Now is the time to begin conversations with vendors and service providers about the upcoming changes and their readiness to comply once the final rule is published.
Dental practices should ask whether these vendors:
- Are aware of the proposed HIPAA Security Rule changes?
- Are evaluating their cybersecurity controls?
- Plan to implement new safeguards?
- Have updated incident response procedures?
- Use multi-factor authentication and encryption?
- Will be prepared when the final rule takes effect?
Because so many practices rely heavily on outside vendors for technology and data management, a security weakness at the vendor level can quickly become a security issue for the practice itself.
Having proactive discussions now can help identify gaps early, avoid surprises later, and ensure that technology partners are taking cybersecurity and HIPAA compliance seriously.
Compliance Deadlines and Preparation
While nothing is final yet, HIPAA rule updates typically follow a predictable timeline. Once published, the final rule generally becomes effective 60 days after publication, followed by an additional 180-day compliance period for covered entities and business associates. In total, organizations can typically expect approximately eight months to achieve compliance.
However, it is important to note that OCR has the authority to adjust these timelines in the final rule if needed, especially given the size and impact of what is expected to be the biggest overhaul of the HIPAA Security Rule in more than two decades. With the updated rule potentially being published at any time, practices should begin preparing now rather than waiting for the final deadline.
Cybersecurity Is Now a Patient Care Issue
The proposed HIPAA Security Rule changes reflect a larger shift in healthcare: cybersecurity is no longer simply an IT concern. It is now directly tied to patient safety, operational continuity, financial stability, and regulatory compliance.
For practices, the message from regulators is clear: organizations of every size are expected to adopt stronger cybersecurity protections.
While the proposed requirements may seem daunting, practices that begin preparing early will be better positioned to reduce risk, maintain patient trust, and avoid costly compliance problems in the future.
By investing in stronger security controls today, practices better protect both their patients and their long-term business operations in an increasingly digital healthcare environment.
Join our webinar on Friday, June 19, 2026, to review the core changes coming to the 2026 HIPAA Security Rule.