What the 2026 HIPAA Security Rule update means for a solo dental practice
Solo and small dental practices face specific HIPAA compliance challenges — legacy imaging software, shared workstations, and minimal IT support. Here is what the proposed 2026 rule changes for you.
Dental practices are covered entities under HIPAA. If your practice submits insurance claims electronically — which virtually every practice does — you fall under the Security Rule and its requirements for protecting electronic protected health information (ePHI).
The proposed 2026 Security Rule update (NPRM, 90 Fed. Reg. 898) would change several things that hit dental practices particularly hard. This article covers the specific impact on a solo or small dental practice — not the theoretical hospital version.
What a solo dental practice's ePHI landscape actually looks like
Before getting to the rule changes, it helps to map what most small dental practices actually have:
- EHR/practice management software — Dentrix, Eaglesoft, Carestream, Curve Dental, or similar. Often installed locally on Windows computers.
- Digital imaging — intraoral cameras, digital X-rays, cone beam CT. These are often on separate workstations or a dedicated imaging server.
- Billing — either in-house via the practice management software or outsourced to a dental billing company.
- Email — usually a general consumer or small-business email account (Gmail, Outlook) not configured for HIPAA-compliant transmission.
- Remote access — the dentist often checks schedules or messages after hours via a personal phone or home computer.
Each of these touches ePHI. Each is in scope for the Security Rule. And several of them have specific challenges under the proposed 2026 rule.
The six most impactful 2026 changes for dental practices
1. Annual risk analysis, mandatory
The existing rule requires risk analysis but does not specify a frequency. The 2026 NPRM would make it explicitly annual.
Most dental practices have never done a formal risk analysis, or did one when they opened and never updated it. The proposed change formalizes what OCR already expects.
Your action: Complete a current-year risk analysis covering all the systems above — not just the EHR. Dental imaging systems are in scope. Remote access is in scope.
Citation: proposed 45 CFR § 164.308(a)(1)(ii)(A)
2. MFA on every system that touches ePHI
This is the most operationally significant change for dental practices.
Your practice management software — Dentrix, Eaglesoft, or any locally installed system — may not support MFA, or may support it only in newer versions. Your imaging software almost certainly does not.
The proposed rule would require MFA on every system that creates, receives, maintains, or transmits ePHI. That means:
- Your practice management software login
- Your imaging workstation login
- Your email if you use it for patient communication
- Any remote access method (VPN, remote desktop, cloud portal)
- Your billing software if it is separate
Your action: Contact your practice management software vendor and ask whether MFA is available and how to enable it. If not, this is a gap that will need a plan before the rule finalizes.
Citation: proposed 45 CFR § 164.312(d)
3. Encryption at rest and in transit
Digital X-rays, cone beam CT images, and patient records contain ePHI. The proposed rule would require this data to be encrypted when stored and when transmitted.
Cloud-based dental software (Curve Dental, Carestream Cloud) typically encrypts by default. Locally installed systems like Dentrix and Eaglesoft store data on your local server or workstations — encryption of that storage is a configuration choice that many practices have never made.
Your action: Ask your software vendor and your IT provider whether your local storage is encrypted. If you are on local servers, this is likely a gap.
Citation: proposed 45 CFR §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii)
4. Technology asset inventory
The proposed rule would require a documented inventory of all hardware and software that touches ePHI, reviewed annually.
For a dental practice, this means: every computer, every imaging workstation, every mobile device used by staff, every server, every cloud service, and every external vendor system. The imaging server that runs your cone beam CT is in scope.
Your action: Walk through your office and list every device and system that touches patient data. This is also the starting point for your risk analysis.
Citation: proposed 45 CFR § 164.308(a)(1)(ii)(A)(2)
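For the two preceding items, the encryption question in item 3 and the device inventory in item 4, here is an added PowerShell script (not from the article or any vendor) that records one Windows workstation or server as a row in an inventory CSV, including its OS build and the BitLocker state of each volume. It assumes Windows 10/11 with the built-in BitLocker module, an elevated session, and an output path and role label that you would change for your office.

```powershell
# Added example: capture hostname, hardware, OS build and BitLocker status for
# the technology asset inventory and the storage-encryption check.
# Run as Administrator on each PMS server and imaging workstation.
param(
    [string]$InventoryCsv = "C:\Compliance\asset-inventory.csv",   # assumed location
    [string]$SystemRole   = "unspecified"  # e.g. "PMS server", "imaging workstation"
)

function Get-VolumeEncryptionStatus {
    # Returns one object per volume with its BitLocker protection state.
    $cmd = Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue
    if (-not $cmd) {
        # No BitLocker cmdlets, typically Windows Home edition. Treat the storage as
        # unencrypted unless a third-party product is in use, and record it as a gap.
        return [pscustomobject]@{
            Drive  = "ALL"
            Status = "BitLocker unavailable - check Windows edition / third-party encryption"
        }
    }
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive  = $_.MountPoint
            # ProtectionStatus 'Off' on an ePHI volume is the finding to act on.
            Status = "$($_.ProtectionStatus) / $($_.VolumeStatus) / $($_.EncryptionPercentage)%"
        }
    }
}

$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$vols = Get-VolumeEncryptionStatus

# Make sure the compliance folder exists before appending rows.
New-Item -ItemType Directory -Force -Path (Split-Path $InventoryCsv) | Out-Null

foreach ($v in $vols) {
    [pscustomobject]@{
        Date         = (Get-Date).ToString('yyyy-MM-dd')
        Hostname     = $env:COMPUTERNAME
        Role         = $SystemRole
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        OS           = $os.Caption
        OSBuild      = $os.Version     # compare against the vendor's support dates
        Drive        = $v.Drive
        Encryption   = $v.Status
    } | Export-Csv -Path $InventoryCsv -Append -NoTypeInformation
}

# Show the result on screen so the gap is visible while you are at the machine.
$vols | Format-Table -AutoSize
```

Run it once per machine while walking the office; the resulting CSV doubles as the starting point for the risk analysis in item 1.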
5. BAA annual verification
The 2026 NPRM would require covered entities to verify annually that their business associates have implemented required safeguards.
For a dental practice, your business associates include: your practice management software vendor (if they host your data), your dental billing company, your IT managed service provider, and any cloud services that store patient data.
Your action: Make sure you have a current BAA with each of these vendors. File a copy in your compliance records. Note the date of each agreement.
Citation: proposed 45 CFR § 164.308(b)(1)
6. 72-hour restoration requirement
A ransomware attack on a dental practice is not hypothetical — dental practice management systems are a known ransomware target because they often run on outdated Windows versions with no off-site backup.
The proposed rule would require covered entities to restore critical systems within 72 hours of a security incident.
Your action: Confirm you have an off-site backup of your practice management data and imaging data. Test that you can restore from it. Know who to call if your systems go down.
Citation: proposed 45 CFR § 164.308(a)(6)(ii)
What has not changed
The existing 2013 Security Rule is still in effect and still requires:
- A risk analysis (the annual requirement is proposed, not final, but the requirement to keep it current is existing law)
- A risk management plan to respond to identified risks
- Workforce training
- BAAs with business associates
- Policies for workstation security and device disposal
The 2026 NPRM strengthens these requirements. It does not replace them.
The practical priority list for a solo dental practice right now
Given the current state of enforcement (the 2013 rule is actively enforced; the 2026 rule is not yet final):
- Do a current risk analysis covering all systems above
- Verify your BAAs with your major vendors
- Enable MFA on any system where it is available
- Confirm off-site backup of practice management and imaging data
- Ask your software vendors about encryption status
That is the floor. The 2026 changes, when finalized, will raise it — but starting from the floor now means the incremental lift later is manageable.
Sources: NPRM: HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025). Existing rule: 45 CFR §§ 164.308–164.312. Final rule timing not guaranteed as of 2026-05-08.