HIPAA Security Rule Update 2026: What Dental Practices Must Do Before the Final Rule

What's in the Proposed HIPAA Security Rule Update

The proposed update builds on the 2026 Security Rule Final Rule changes (MFA, encryption, penetration testing) and adds new requirements that signal where OCR enforcement is heading. The core additions under discussion include:

• Enhanced asset inventory requirements: Practices must maintain a documented inventory of all technology assets that touch ePHI — hardware, software, cloud services, and mobile devices. A mental inventory doesn't count; it must be written, dated, and updated when assets change.
• Stricter vendor security validation: Business Associate Agreements will need to include specific security controls, not just general HIPAA compliance language. OCR wants evidence that your vendors actually meet the standard, not just that they've signed a document saying they do.
• Expanded workforce security training: Training requirements are being extended to cover social engineering attacks, insider threat recognition, and secure remote access procedures — not just general HIPAA awareness.
• Incident response plan documentation: Dental practices will be expected to have a documented, tested incident response plan — covering ransomware, phishing, and accidental disclosure scenarios. A plan in someone's head is not a compliant plan.
• Regular security posture reviews: Beyond the annual SRA, OCR is signaling expectations for triggered reviews when the threat environment changes significantly — not just after a breach occurs.

Why OCR Is Already Enforcing Before the Rule Is Final

This is the part that catches most dental practices off guard. In administrative law, a 'proposed rule' doesn't yet have the force of law — so why is it affecting enforcement now?

The answer is in how OCR applies the existing 'reasonable safeguards' standard. HIPAA's Security Rule has always required dental practices to implement 'reasonable and appropriate' safeguards — but what counts as reasonable changes as the threat environment and industry standards evolve.

When OCR proposes new specific standards, it is simultaneously signaling that these standards represent what it now considers 'reasonable' — meaning a practice that doesn't meet them may be found non-compliant under the existing rule, even before the new one takes effect.

Recent OCR enforcement actions show exactly this pattern: practices are being cited not just for missing the technical requirement, but for failing to keep pace with what the healthcare security standard of care has become.

The 5 Gaps Most Dental Practices Have Right Now

The 42% high-or-critical-risk figure isn't driven by large hospital systems — it skews toward smaller providers, including dental practices, that don't have dedicated compliance or IT staff. These are the five gaps OCR is finding most frequently:

• No documented asset inventory: Most dental practices have never written down every system that touches patient data. The practice management software is obvious — but what about the text reminder service, the patient portal, the imaging software, the billing clearinghouse, and the cloud backup?
• BAAs that predate current security requirements: If your Business Associate Agreements were signed before 2024, they almost certainly don't include the specific security provisions OCR now expects. Outdated BAAs are one of the top findings in dental investigations.
• Training that covers privacy but not security: Many dental practices completed HIPAA privacy training years ago and haven't updated it. The 2026 requirements added phishing recognition, MFA usage, and ransomware response — content that wasn't in most dental training programs.
• No incident response plan: Fewer than 30% of small dental practices have a documented plan for what to do when (not if) they receive a phishing email, a ransomware demand, or discover an unauthorized access. Without a plan, the 60-day notification clock starts while you're still figuring out what happened.
• SRA completed once, never updated: The Security Risk Analysis requirement is annual — but many dental practices completed one when they opened and haven't returned to it. An SRA from 2021 doesn't account for the cloud services, remote work tools, or software changes the practice has adopted since then.

What 'High or Critical Compliance Risk' Looks Like in a Dental Practice

The 42% high-or-critical figure comes from assessments of healthcare organizations' actual security posture against current and proposed requirements. For dental practices, high compliance risk typically looks like this:

The practice uses a modern practice management system with MFA enabled — but the patient communication platform (text reminders, email recalls) was set up three years ago with no BAA review since. The front desk uses a shared login for the scheduling system because 'it's easier.' Staff received HIPAA training at onboarding but nothing since. There's no written plan for what to do if the system gets locked by ransomware.

None of these are unusual. In fact, this describes the majority of independent dental practices. The risk isn't that the practice is being reckless — it's that compliance has simply not kept up with how the practice actually operates.

What to Do Now — Before the Final Rule Lands

You don't need to wait for the final rule to start closing gaps. The steps below address both current requirements and the direction OCR enforcement is heading:

• Step 1: Build your asset inventory: List every system, service, and device that touches patient data. Include software, cloud services, mobile devices, and any vendor portals. This becomes the foundation of your updated SRA.
• Step 2: Audit your BAAs: Pull every Business Associate Agreement your practice has signed. Verify each one includes breach notification timelines, specific security obligations, and a current contact. Replace any BAA that's more than 3 years old or that doesn't include specific security language.
• Step 3: Update workforce training: Add a security awareness component that covers phishing recognition, MFA usage, and what to do if staff suspect a breach. Document completion for every employee.
• Step 4: Write a one-page incident response plan: It doesn't need to be elaborate. Who do you call if you get a ransomware message? Who assesses whether the 60-day clock has started? Who notifies patients? Getting this documented now means you're not making these decisions under pressure.
• Step 5: Complete or update your SRA: If your last Security Risk Analysis is more than 12 months old, redo it against your current asset inventory. The HHS SRA Tool is free. A compliance platform can walk you through it faster with dental-specific guidance.