HIPAA Security Rule Changes Are Coming: What Dental Practices Should Start Preparing For Now

The HIPAA Security Rule may be getting its biggest update in more than a decade — and dental practices should be paying attention.

A proposed modification to the HIPAA Security Rule was released on December 27, 2024, and according to RubinBrown, it includes some of the most sweeping proposed updates since 2013. The rule is expected to become final around May 2026, with a proposed 240-day compliance window after finalization.

That may sound like plenty of time.

It is not.

If your dental practice relies on cloud systems, remote access, digital imaging, practice management software, email, online forms, or third-party vendors, these changes could significantly raise the bar for how you secure electronic protected health information (ePHI).

And here’s the biggest takeaway:

HIPAA cybersecurity requirements are moving from “flexible and documented” toward “mandatory and provable.”

That is a major shift for healthcare organizations — including dental practices and DSOs.

Why HIPAA Is Changing

Healthcare continues to be one of the most targeted industries for cyberattacks, and dental practices are no exception.

Cybercriminals know dental offices rely on uninterrupted access to:

  • Patient records
  • Digital imaging
  • Scheduling systems
  • Insurance and billing platforms
  • Clinical software
  • Cloud applications

When those systems go down, production stops quickly.

According to RubinBrown, one of the largest proposed changes is the removal of the distinction between “required” and “addressable” safeguards, meaning many controls that were previously flexible may soon become mandatory.

In plain English:

Today, some HIPAA safeguards allow practices to decide whether a control is “reasonable and appropriate” and document why they implemented — or skipped — it.

Under the proposed changes, many of those controls would simply be expected.

That means dental practices need to start thinking less like:

“Do we have a reason not to do this?”

And more like:

“Can we prove this is already in place?”

Key Proposed HIPAA Security Rule Changes for Dental Practices

1. Required Technology Asset Inventory and Network Mapping

[Illustration: a dental practice technology asset inventory and network map showing connected systems, devices, cloud platforms, and ePHI data flow.]

One major proposed requirement is maintaining and annually updating a complete technology asset inventory and network map showing systems and ePHI data flows.

For dental practices, this could include:

  • Servers
  • Workstations
  • Imaging computers
  • Firewalls
  • Wireless access points
  • Practice management software
  • Imaging systems
  • Cloud platforms
  • Backup systems
  • Email systems
  • Remote access tools
  • Third-party integrations

This matters because you cannot secure what you cannot see.

If your practice does not have a current inventory of every device and system touching patient data, now is the time to fix that.

2. Annual Risk Analysis and Risk Management Plans

HIPAA has long required risk analysis, but the proposed changes push for more detailed, recurring, and documented assessments tied directly to your asset inventory and network map.

A proper dental IT risk analysis should answer questions like:

  • Where does ePHI live?
  • Who has access to it?
  • How is access controlled?
  • Which systems are mission-critical?
  • What vulnerabilities exist?
  • What happens during downtime?
  • How are backups protected?
  • Which vendors can access patient data?
  • What gaps still need remediation?

The key word here is documented.

If it is not written down, it becomes very difficult to prove compliance during an audit or investigation.

3. Mandatory Multi-Factor Authentication (MFA)

[Illustration: multi-factor authentication, encryption, and secure patient data protection for a dental practice.]

The proposed rule includes MFA requirements for systems containing ePHI, with limited exceptions.

For dental practices, MFA should already be standard for:

  • Email accounts
  • Remote access tools
  • Cloud applications
  • Admin accounts
  • Backup portals
  • Vendor access
  • Firewall management

Passwords alone are no longer enough.

If your office still relies on shared logins, weak passwords, or remote access without MFA, those are high-risk gaps that need attention now.

4. Encryption Requirements for ePHI

RubinBrown notes the proposed rule would require encryption of ePHI both in transit and at rest, with limited documented exceptions.

For dental practices, this could affect:

  • Email transmission
  • Cloud storage
  • Backup systems
  • Laptops
  • Servers
  • External drives
  • Imaging data
  • Remote access systems

Encryption dramatically reduces the damage if a device is lost, stolen, or compromised.

A stolen laptop is bad.

A stolen laptop full of unencrypted patient data is the kind of bad that involves attorneys, regulators, breach notifications, and several sleepless nights.

5. Vulnerability Scanning and Penetration Testing

The proposed rule includes:

  • Vulnerability scans at least every six months
  • Annual penetration testing

This is a significant operational shift for many smaller healthcare organizations.

Dental practices should expect formal testing of:

  • Firewalls
  • Remote access systems
  • Servers
  • Workstations
  • Cloud services
  • Misconfigurations
  • Unsupported software
  • Weak authentication
  • Unpatched vulnerabilities

This is not just about checking a compliance box.

Vulnerability management is one of the most effective ways to identify security problems before attackers do.

Which is generally preferable — attackers are notoriously bad at submitting polite support tickets.

6. Incident Response and 72-Hour Restoration Expectations

RubinBrown highlights a proposed requirement for documented incident response plans and restoration of affected systems and ePHI within 72 hours.

For dental practices, that raises the importance of backup and disaster recovery planning dramatically.

Practices should be asking:

  • Do we have current backups?
  • Are backups isolated from ransomware?
  • Are backups encrypted?
  • Have we tested restoration recently?
  • How long would it take to restore Open Dental and imaging systems?
  • Who handles vendors during an outage?
  • Who communicates with staff?
  • Who handles legal and compliance notifications?

Having backups is good.

Having tested backups is better.

Having a written recovery process your team actually understands is where the real protection happens.

7. Faster Employee Access Termination

The proposed rule includes workforce access requirements, including termination of access within a specific timeframe after employee separation. RubinBrown’s comparison notes a proposed one-hour access termination expectation.

For dental offices, this means offboarding procedures need to be tight.

When someone leaves, access should immediately be removed from:

  • Email
  • Practice management systems
  • Imaging software
  • Remote access tools
  • Cloud storage
  • Password managers
  • Vendor portals
  • Shared accounts
  • Phone systems
  • Billing platforms

This becomes even more important with remote workers, consultants, temporary staff, and vendors.

8. Increased Vendor and Business Associate Oversight

The proposed updates also create stronger expectations around business associates and subcontractors, including annual verification of safeguards and contingency planning requirements.

Dental practices should expect increased focus on vendor documentation, including:

  • Business Associate Agreements (BAAs)
  • Security questionnaires
  • Written verification of safeguards
  • Backup and recovery expectations
  • Incident response responsibilities
  • Access controls
  • Data handling practices

Even if your internal systems are secure, your vendors can still create serious cybersecurity risk.

Your practice’s security is only as strong as the weakest company with access to your patient data.

Not catchy. Very true.

What Dental Practices Should Do Now

[Illustration: dental practice backup, disaster recovery, and incident response systems supporting HIPAA cybersecurity readiness.]

These rules are not final yet, and details may still change. RubinBrown notes that provisions could be delayed or modified by the Department of Health and Human Services before finalization.

But the direction is very clear:

Healthcare cybersecurity expectations are increasing.

Dental practices should not wait for the final rule before preparing.

1. Build or Update Your Technology Inventory

Start documenting:

  • Every workstation
  • Every server
  • Every firewall
  • Every wireless access point
  • Every cloud platform
  • Every backup system
  • Every vendor with access
  • Every system touching ePHI

This becomes the foundation for everything else.

2. Review MFA Coverage

Identify where MFA is enabled — and where it is missing.

Prioritize:

  • Email
  • Remote access
  • Admin accounts
  • Cloud systems
  • Backup platforms
  • Vendor portals

If MFA is not enabled everywhere it reasonably can be, start closing those gaps now.

3. Confirm Backup and Recovery Readiness

Ask your IT provider:

  • Are backups monitored?
  • Are they encrypted?
  • Are they protected from ransomware?
  • Have they been tested recently?
  • How quickly can we restore systems?
  • Which systems recover first?

The proposed 72-hour restoration expectation means:

“We think backups exist somewhere” is no longer a recovery strategy.

4. Schedule Vulnerability Scanning

If your practice is not already performing recurring vulnerability scans, now is the time to begin.

At minimum, you should understand:

  • Which systems are externally exposed
  • Which patches are missing
  • Which devices are unsupported
  • Which configurations are risky
  • Which remediation projects are needed

5. Tighten Employee Onboarding and Offboarding

Document exactly how access is:

  • Granted
  • Changed
  • Removed

Your process should include:

  • New hire approvals
  • Role-based permissions
  • MFA setup
  • Password policies
  • Termination checklists
  • Vendor access removal
  • Shared account elimination

This is not glamorous work.

But neither is explaining to OCR why a former employee still had access six months later.

6. Review Vendor Documentation

Create a list of every vendor touching patient data.

Then confirm:

  • Do we have a signed BAA?
  • Do they use MFA?
  • Do they encrypt data?
  • Do they have incident response procedures?
  • Do they have backup and recovery plans?
  • Can they provide written security documentation?

Vendor risk management is becoming much harder to ignore.
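As an added example (not part of the original post, and not Darkhorse's or RubinBrown's tooling), here is how the six steps above can be turned into an evidence check that a practice or its IT provider can run over its own inventory: it flags ePHI assets without MFA or encryption at rest, vulnerability scans older than six months, penetration tests older than a year, vendors without a signed BAA, and separated users whose access outlived the proposed one-hour window. The asset names, dates, offboarding record and the fixed review date are constructed sample data.

```python
from datetime import date, datetime

VULN_SCAN_DAYS, PENTEST_DAYS, TERMINATION_MINUTES = 182, 365, 60  # windows as the post describes the proposed rule
TODAY = date(2025, 10, 1)  # fixed review date so the check is reproducible

# Constructed sample inventory for a hypothetical practice (not real data).
ASSETS = [
    {"name": "pms-server", "ephi": True, "mfa": True, "encrypted": True,
     "last_scan": date(2025, 1, 10), "last_pentest": date(2024, 6, 1), "baa": None},
    {"name": "imaging-ws-03", "ephi": True, "mfa": False, "encrypted": False,
     "last_scan": date(2025, 9, 1), "last_pentest": date(2025, 3, 1), "baa": None},
    {"name": "cloud-backup", "ephi": True, "mfa": True, "encrypted": True,
     "last_scan": date(2025, 9, 1), "last_pentest": date(2025, 3, 1), "baa": False},
    {"name": "front-desk-phone", "ephi": False, "mfa": False, "encrypted": False,
     "last_scan": None, "last_pentest": None, "baa": None},
]

# Constructed offboarding record: HR separation time and when each system's access was cut.
SEPARATIONS = [{"user": "jdoe", "separated": datetime(2025, 9, 12, 17, 0),
                "revoked": {"email": datetime(2025, 9, 12, 17, 20), "pms": None,   # None: never removed
                            "remote_access": datetime(2025, 9, 15, 9, 5)}}]

def stale(last, max_days, today):
    # No record at all counts as a gap: "we think it was scanned" is not evidence.
    return last is None or (today - last).days > max_days

def find_gaps(assets, today):
    """Map each ePHI asset to the controls it cannot currently prove."""
    gaps = {}
    for a in (x for x in assets if x["ephi"]):   # non-ePHI assets stay inventoried, not checked
        checks = [
            (not a["mfa"], "no MFA"),
            (not a["encrypted"], "not encrypted at rest"),
            (stale(a["last_scan"], VULN_SCAN_DAYS, today), "vulnerability scan older than six months"),
            (stale(a["last_pentest"], PENTEST_DAYS, today), "penetration test older than a year"),
            (a["baa"] is False, "vendor without signed BAA"),   # None: no third party involved
        ]
        found = [msg for failed, msg in checks if failed]
        if found:
            gaps[a["name"]] = found
    return gaps

def late_terminations(separations, max_minutes=TERMINATION_MINUTES):
    """Return (user, system, minutes) where access outlived the window; minutes is None if never cut."""
    late = []
    for s in separations:
        for system, when in s["revoked"].items():
            minutes = None if when is None else round((when - s["separated"]).total_seconds() / 60)
            if minutes is None or minutes > max_minutes:
                late.append((s["user"], system, minutes))
    return late
```

Each flagged entry is a control the practice cannot yet prove; an empty result for an asset means the inventory record carries the evidence an auditor would ask for.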

The Bottom Line

The proposed HIPAA Security Rule changes are a warning shot for healthcare organizations — including dental practices and DSOs.

The future of HIPAA compliance is likely to be:

  • More technical
  • More documented
  • More prescriptive
  • More cybersecurity-focused
  • More demanding of vendors and business associates

For dental practices, the smartest move is to start preparing now.

Not in panic mode.

Not in “buy every shiny cybersecurity product” mode.

But in a practical, methodical way:

Know what you have. Protect what matters. Document what you do. Test whether it works.

That is the playbook.

And if your practice is not sure where to start, Darkhorse Tech can help evaluate your current IT and cybersecurity posture, identify security gaps, and build a roadmap toward stronger HIPAA readiness.

Because when HIPAA expectations rise, your technology foundation needs to rise with them.

Darkhorse Dental IT Is Here For You

We understand that caring for your patients is your top priority. Dealing with computer issues, slow IT response times or HIPAA compliance requirements just isn’t high on your list of to-dos. That’s where Darkhorse Dental Tech comes in. Our team of dental IT specialists are experts when it comes to running a great, secure and successful practice, and so much more. Whether you’re looking for IT services for startups, or ongoing support and security services for your practice, Darkhorse can do it all for you, so you can get back to your patients.

Have questions? Looking for ideas? Just want to talk teeth? Drop us a line at sales@darkhorsetech.com to get the conversation started! Or head to our Contact page to send us a message. Don’t forget to follow us on Instagram!
