Hipsana

The 2026 HIPAA Security Rule Update for Dental Practices: What's Proposed and Where It Stands

By Dolev Arama · Updated June 2026

No, it is not the law yet. The 2026 HIPAA Security Rule is a proposed rule, published for comment in January 2025 and still unfinished. If it is finalized, it would be the most significant change to HIPAA's security rules since 2013, and it would apply to your dental practice with no exemption for small offices. But a proposed rule binds no one, this one missed its own target date, and more than a hundred health care groups, the American Dental Association among them, have asked the government to withdraw it. Here is what it would change, where it actually stands, and what is worth doing now.

This article explains the proposed 2026 HIPAA Security Rule and what it would mean for a dental practice. It is general information, not legal advice for your specific situation. For that, consult a healthcare attorney or a qualified HIPAA compliance professional.

Is the 2026 Security Rule in effect? Not yet

It is not. The Office for Civil Rights, the part of HHS that enforces HIPAA, published the proposed rule in the Federal Register on January 6, 2025, under the title HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. The public comment period closed on March 7, 2025. Since then the rule has sat in review, and no final version has been issued. Until one is, the current Security Rule is what applies to your practice, and it is what the Office for Civil Rights continues to enforce.

A proposed rule is a draft. It is published so the public can comment, and it binds no one while it is in that stage. The government's own regulatory agenda had pencilled in May 2026 to finalize this one, but that month came and went with nothing published, and there is no confirmed timeline for when, or whether, a final rule will appear.

What the proposal would change

The clearest way to see the proposal is side by side with the rule as it stands today. All of it concerns the same thing the Security Rule has always protected: electronic patient data, what the law calls electronic protected health information, or ePHI. Paper records sit under other HIPAA rules, not this one. Most of these changes are not brand-new ideas. They are existing expectations that the proposal would turn from flexible or unstated into written requirements with specific deadlines.

| Safeguard | The Security Rule today | Under the 2025 proposal |
|---|---|---|
| The "addressable" option | Some specifications are addressable: you assess whether they fit, and may document why you skipped one (45 CFR 164.306(d)). | Removed. Almost all specifications become required, with limited exceptions. |
| Encryption of patient data | Addressable (45 CFR 164.312(a)(2)(iv) and (e)(2)(ii)): assess and implement, or document why not. | Required at rest and in transit, with limited exceptions. |
| Multi-factor authentication | Not named; your risk analysis decides the method. | Required for access to systems holding patient data, with limited exceptions. |
| Vulnerability scanning | Not specified. | Required at least every six months. |
| Penetration testing | Not specified. | Required at least once every 12 months. |
| Technology asset inventory and network map | Not an explicit requirement. | Required, reviewed at least every 12 months and after relevant changes. |
| Network segmentation | Not specified. | Required. |
| Backup and recovery | Contingency plan required (45 CFR 164.308(a)(7)), with no fixed timing. | Keep retrievable copies no more than 48 hours old, and restore critical systems within 72 hours. |
| Compliance audit | No express annual-audit requirement. | Required at least once every 12 months. |
| Vendor (business associate) checks | Have a signed agreement in place. | Verify in writing that each business associate has implemented the required technical safeguards, at least every 12 months. |

How the proposed 2025 rule compares with the HIPAA Security Rule in effect today. Current-rule citations are to the eCFR; the proposed changes are from the HHS Office for Civil Rights fact sheet and the proposed rule.

Start with the change underneath all the others. Since 2003, some of the rule's safeguards have been labeled addressable. Addressable has never meant optional. It means you either implement the safeguard, adopt an equal alternative, or document why neither is reasonable for you. In practice, many practices treated it as a way to opt out, and encryption is the classic example. Encryption of patient data is addressable today. The proposal would make it required, both for data sitting on your systems and data moving across the internet, with only narrow exceptions. The same logic runs through the rest of the rule: it removes the addressable category and writes the expectations down.

On top of that, the HHS fact sheet lists a set of controls that would become explicit requirements. Multi-factor authentication, the second step beyond a password, would be required for access to systems that hold patient data; we cover that one control on its own in "Does HIPAA require MFA for a dental practice?". Automated vulnerability scans would be required at least every six months, and a deeper penetration test, where someone tries to break in the way an attacker would, at least once a year. Network segmentation, which keeps a breach in one part of your network from spreading to the rest, would be required as well.

Two more would change everyday paperwork. You would have to keep a written inventory of your technology and a map of how patient data moves through it, updated at least once a year and whenever something changes. Your backups would have to meet a clock: retrievable copies no more than 48 hours old, with critical systems restored within 72 hours of an outage. A yearly compliance audit, and a written check that each of your vendors has actually put the required safeguards in place, round out the list.

Underneath every one of these is the same document the rule has always centered on: an accurate, current risk analysis. The proposal does not replace it. It sharpens it, and asks you to base it on that asset inventory and network map. If your risk analysis is solid today, you have a head start on almost everything the proposal would add.

Does this apply to a small dental practice? Yes

This is the part that surprises owners of small practices. There is no carve-out for size. The proposal would apply to every covered entity and business associate. In plain terms, that means any dental practice that bills insurance or files claims electronically, no matter how small. HHS addressed the small-practice burden directly in its regulatory impact analysis and declined to create a size-based exemption. A one-dentist office and a five-hundred-bed hospital would face the same list of requirements. What differs is resources. The hospital has a security team and a budget for this, and most independent practices have neither, which is exactly why the rule would land hardest on the smallest offices.

That is also the heart of the objection from organized dentistry. The American Dental Association has argued that dental practices tend to be small, single-site operations with limited IT support, and that requirements designed around large hospital systems would shift cost and time away from patient care without a dental-specific path to comply. The ADA supports strong cybersecurity. Its position is that this particular proposal is the wrong way to get there.

Where the rule stands, and why it has stalled

The proposal landed at an awkward moment. It was one of the last acts of the prior administration's civil rights office, published days before a change in administration that has prioritized cutting regulations rather than adding them. The coalition seeking withdrawal has leaned on exactly that, arguing the rule runs counter to the current deregulatory agenda. More than a hundred organizations, the American Dental Association included, have asked HHS to pull it back.

At the same time, the Office for Civil Rights is still working through the thousands of public comments it received, and has defended the core of the proposal as basic security practice. So the honest answer about its future is that nobody outside the agency knows. A final rule could appear roughly as proposed, appear in a narrower form after the comments are weighed, be delayed again, or be withdrawn altogether. Planning that bets everything on one of those outcomes is planning to be wrong.

Summary card titled The 2026 HIPAA Security Rule. It is labeled a proposed rule from the HHS Office for Civil Rights, published in the Federal Register on January 6, 2025 as 90 FR 898, with the public comment period closed on March 7, 2025. It states the rule is proposed, not final, and not yet enforceable, that the current HIPAA Security Rule at 45 CFR Part 164 Subpart C remains in effect, and that if finalized it would end the addressable option and require safeguards such as encryption and multi-factor authentication, with limited exceptions.
Sources: the Federal Register and the HHS Office for Civil Rights. Card prepared by Hipsana.

If you want a fast read on where your foundation stands today, the free HIPAA Scorecard checks ten core Security Rule controls that line up with the issues OCR raises most in enforcement, like your risk analysis and your vendor agreements, then scores your practice and names your biggest gap in about three minutes. It checks the rule as it stands now, not the proposal, but those are the same controls the proposal would build on.

What a dental practice should do now

Here is the practical way to hold both facts at once. You are not required to comply with a rule that is not final, and you should not spend money chasing requirements that may change. At the same time, almost everything the proposal would require is already either required today or simply good security, so the low-regret move is to get your foundation in order. None of the steps below is wasted effort if the rule is narrowed or never finalized.

1. Get your risk analysis current

This is the document the Office for Civil Rights cites most often after a breach, and it is the base the proposal builds on. If yours is missing or years old, that is the first gap to close.

2. Turn on multi-factor authentication

It is usually already built into the email and practice-management systems you use, often at no extra cost, and it is the safeguard most expected after a breach. The largest health care breach ever reported to HHS, the 2024 Change Healthcare attack that affected about 192.7 million people, began on a remote-access portal that had no multi-factor authentication.

3. Encrypt patient data

Encryption is built into most modern computers, phones, and software; it usually just needs to be switched on and documented. Turning it on for the devices and email that hold patient data closes one of the most common findings.

4. Get a signed agreement with every vendor that handles patient data

Your IT company, cloud backup, billing service, and software vendors each need a business associate agreement. The proposal would also require you to verify they have the safeguards in place, so the agreement is the starting point.

5. Write down what you have and how data flows

A short inventory of your devices and software, plus a simple note of where patient data lives and moves, is the asset inventory and network map the proposal would ask for, and it makes your risk analysis better today.

This is general information about HIPAA and a proposed federal rule, not legal advice, and the rule's status can change. Before you make compliance decisions based on the proposal, confirm its current status and check with a healthcare attorney or a qualified HIPAA compliance professional.

About the author

Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. Regulatory claims trace back to those sources, and figures name where they come from; anything that can't be verified is labeled rather than asserted.

Sources

  • U.S. Department of Health and Human Services, Office for Civil Rights, “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information,” notice of proposed rulemaking, 90 FR 898 (Federal Register, Jan. 6, 2025): published for public comment, comment period closed March 7, 2025, and not finalized as of June 2026.
  • HHS Office for Civil Rights, HIPAA Security Rule NPRM fact sheet: the proposed requirements, including removing the “addressable” category, encryption of ePHI, multi-factor authentication, vulnerability scanning at least every six months, penetration testing at least once every 12 months, network segmentation, a technology asset inventory and network map, a 12-month compliance audit, and business associate verification (hhs.gov, accessed June 2026).
  • 45 CFR § 164.306 (security standards: general rules, including the “required” versus “addressable” framework at § 164.306(d)) (eCFR, current as of June 2026).
  • 45 CFR § 164.312 (technical safeguards, including encryption as an addressable specification at § 164.312(a)(2)(iv) for stored ePHI and § 164.312(e)(2)(ii) for transmitted ePHI) (eCFR, current as of June 2026).
  • 45 CFR § 164.308 (administrative safeguards, including the risk analysis requirement at § 164.308(a)(1)(ii)(A) and the contingency plan standard at § 164.308(a)(7)) (eCFR, current as of June 2026).
  • 45 CFR § 160.105 (compliance dates: regulated entities have at least 180 days after the effective date of a new or modified standard) (eCFR, current as of June 2026).
  • American Dental Association, “ADA urges HHS to withdraw proposed HIPAA cybersecurity rule” and ADA Regulatory Reform comments (ada.org, December 2025): the ADA joined a coalition of more than 100 organizations seeking withdrawal, citing the burden on small, single-site dental practices.
  • Executive Order 14192, “Unleashing Prosperity Through Deregulation” (2025), and the federal Unified Agenda entry for this rulemaking (reginfo.gov, RIN 0945-AA22): the rule is designated “Regulatory” under the administration's deregulatory order, its Unified Agenda timetable lists a May 2026 target for final action, and its legal deadline is listed as “None” (accessed June 2026).
  • Change Healthcare / UnitedHealth Group: the 2024 ransomware breach, the largest reported to HHS; Change Healthcare notified OCR on July 31, 2025 that approximately 192.7 million individuals were affected, and the intrusion began on a remote-access portal that had no multi-factor authentication (HHS Change Healthcare FAQ and OCR breach portal, plus UnitedHealth Group congressional testimony, accessed June 2026).

Frequently asked questions

Is the 2026 HIPAA Security Rule in effect?

No. It is a proposed rule, published in the Federal Register on January 6, 2025, with the comment period closing that March. As of 2026 there is no final rule, and the current HIPAA Security Rule still applies. The government's May 2026 target to finalize it passed with nothing published, and more than 100 health care organizations, including the American Dental Association, have asked for it to be withdrawn.

Would the proposed rule apply to a small or solo dental practice?

Yes, if it is finalized. There is no exemption for size. The proposal would apply to every covered entity and business associate, and HHS specifically declined to create a small-practice carve-out. A solo dentist would face the same requirements as a hospital system, which is why the proposal would be hardest on small offices with limited IT support.

What are the main changes the proposal would make?

It would remove the "addressable" option and make almost all safeguards required. Encryption of patient data and multi-factor authentication would become mandatory. It would add vulnerability scans at least every six months, penetration testing at least once a year, network segmentation, a written technology inventory and network map, faster backup and recovery targets, a yearly compliance audit, and a written check that vendors have the required safeguards in place.

When would a dental practice have to comply?

Only after a final rule is published, and that has not happened. If one is issued, the proposal sets the effective date at 60 days after publication, with compliance required 180 days after that, for roughly 240 days in total, plus extra time to update vendor agreements. That timeline assumes the rule is finalized as written, which is not guaranteed.

Should I start preparing now even though it is not final?

Preparing the foundation is low-regret. You should not spend money chasing requirements that may change, but most of what the proposal would require, like a current risk analysis, multi-factor authentication, encryption, and vendor agreements, is already required today or simply good security. Getting those in order helps you now and would put you ahead if the rule is finalized. The free HIPAA Scorecard checks those core controls and names your biggest gap in about three minutes.

Could the rule be changed or dropped before it is final?

Yes. The Office for Civil Rights is still reviewing thousands of public comments, and the current administration has prioritized reducing regulation. A final rule could appear roughly as proposed, appear in a narrower form, be delayed, or be withdrawn. Until the agency acts, the current Security Rule is the one that applies.