The Department of Health and Human Services published updated HIPAA Security Rule requirements that took effect in phases through 2025 and into 2026. For dental practices, the changes are significant: encryption is no longer "addressable" (meaning optional with documentation), risk analysis requirements became more prescriptive, and the penalties for non-compliance increased. If your practice hasn't reviewed its IT compliance posture since 2023, you're likely out of date.

This guide covers the IT-specific requirements that affect dental practices. We're not covering the Privacy Rule or Breach Notification Rule in detail here — those are important but involve legal and administrative processes beyond IT scope.

Disclaimer: This assessment is informational and does not constitute legal advice. HIPAA compliance involves legal, administrative, and technical safeguards. Consult a healthcare compliance attorney or qualified HIPAA consultant for a complete compliance assessment specific to your practice.

What Changed in the HIPAA Security Rule for 2025–2026

The updated rule eliminated the distinction between "required" and "addressable" implementation specifications. Previously, dental practices could decide that certain safeguards (like encryption at rest) were not reasonable for their environment and document why. That flexibility is gone. Key changes:

  • Encryption is mandatory — All electronic protected health information (ePHI) must be encrypted both at rest and in transit. This applies to your server, workstations, backup drives, and any data transmitted over the network.
  • Risk analysis must be documented and detailed — A one-page risk assessment no longer meets the standard. HHS expects a comprehensive analysis that inventories every system touching ePHI, identifies threats, evaluates vulnerabilities, and assigns risk ratings.
  • 72-hour notification — Practices must notify HHS within 72 hours of discovering a breach, down from the previous "without unreasonable delay" language that gave practices more time.
  • Business Associate Agreements (BAAs) must be current — Every vendor that touches your patient data needs a signed BAA. This includes your IT provider, your cloud backup service, your email provider (if you email any patient information), and your practice management software vendor.

Encryption Requirements: What Dental Practices Need

Encryption is where most dental practices fall short. Here's what the updated rule requires and what it means for your IT infrastructure:

Encryption at rest means that data stored on your server's hard drives, workstation hard drives, and backup media is encrypted. If someone steals your server, the data on the drives is unreadable without the encryption key. For Windows environments (which cover 99% of dental practices), this means enabling BitLocker on every drive that stores patient data.

Open Dental stores its MySQL database on the server's local drive. Dentrix stores its SQL Server Express database locally. Eaglesoft stores its Sybase database locally. If those drives aren't encrypted with BitLocker, you're not compliant.

Encryption in transit means that data moving across your network is encrypted. Patient data traveling from a workstation to the server, from the server to a cloud backup, or from your practice to an insurance clearinghouse must be encrypted using TLS 1.2 or higher. Most modern dental software handles this for external connections, but internal network traffic between workstations and the server is often unencrypted — and that's a compliance gap.

A Practical Risk Analysis Checklist for a 5-Operatory Practice

HHS doesn't prescribe a specific risk analysis methodology, but they do expect certain elements. Here's a practical checklist for a typical 5-operatory dental practice with 8–12 workstations:

  1. Inventory all systems that store or transmit ePHI — Your server, every workstation, the X-ray imaging computer, backup drives, any tablets used for patient intake, your email system, and any cloud services. List them all with location, operating system, and what patient data they access.
  2. Identify threats — Ransomware, phishing emails, disgruntled employees, stolen laptops, natural disasters (flood, fire), hardware failure, software vulnerabilities. Be specific to your practice's environment.
  3. Evaluate vulnerabilities — Does every workstation have a strong password? Is the server in a locked room? Are USB ports disabled? Is remote desktop exposed to the internet? Is your WiFi network segmented? Score each vulnerability on likelihood and impact.
  4. Determine current safeguards — Document what you already have: antivirus, firewall, BitLocker, password policy, physical locks, backup schedule. Identify gaps between current safeguards and identified threats.
  5. Calculate risk levels — For each threat-vulnerability pair, assign a risk rating (high, medium, low) based on likelihood of exploitation and potential impact on patient data.
  6. Create a remediation plan — For every medium and high risk, document what you will do to reduce it, who is responsible, and when it will be completed.

Practical tip: CyberCore generates a hardware and software inventory automatically for every managed practice. This inventory becomes the foundation of your risk analysis — no manual auditing of each workstation required.
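
The six steps above produce a risk register: an inventory, a list of threat-vulnerability pairs with the safeguard already in place, a rating for each pair, and a remediation entry for everything rated medium or high. The PowerShell below is an added example that walks through those steps for a small practice; it is not code from the original article or from any vendor. Every asset name, threat, score and the likelihood x impact thresholds are constructed sample data to be replaced with your own assessment.

```powershell
# Added example, not from the original article: a minimal risk register that
# follows the six checklist steps. Every asset, threat, score and name below is
# constructed sample data; replace it with your own inventory and assessment.
# Scores use a 1-5 scale (5 = most likely / most severe).

# Step 1: inventory of systems that store or transmit ePHI (constructed)
$Assets = @(
    [pscustomobject]@{ Name = 'DENTAL-SRV01'; Location = 'Server closet';  OS = 'Windows Server 2022';  Data = 'PMS database, imaging files' }
    [pscustomobject]@{ Name = 'OP1-WS';       Location = 'Operatory 1';    OS = 'Windows 11 Pro';       Data = 'PMS client, X-ray viewer' }
    [pscustomobject]@{ Name = 'FRONTDESK-WS'; Location = 'Reception';      OS = 'Windows 11 Pro';       Data = 'PMS client, email, scheduling' }
    [pscustomobject]@{ Name = 'BACKUP-USB-1'; Location = 'Manager office'; OS = 'n/a (external drive)'; Data = 'Nightly database backups' }
)

# Steps 2-4: threat/vulnerability pairs, the safeguard already in place, and scores (constructed)
$Findings = @(
    [pscustomobject]@{ Asset = 'DENTAL-SRV01'; Threat = 'Ransomware';       Vulnerability = 'Remote Desktop reachable from the internet'; Safeguard = 'Antivirus only';       Likelihood = 4; Impact = 5 }
    [pscustomobject]@{ Asset = 'DENTAL-SRV01'; Threat = 'Stolen hardware';  Vulnerability = 'Server room door not locked';               Safeguard = 'BitLocker enabled';     Likelihood = 2; Impact = 3 }
    [pscustomobject]@{ Asset = 'BACKUP-USB-1'; Threat = 'Stolen hardware';  Vulnerability = 'Backup drive is unencrypted';               Safeguard = 'None';                  Likelihood = 3; Impact = 5 }
    [pscustomobject]@{ Asset = 'FRONTDESK-WS'; Threat = 'Phishing email';   Vulnerability = 'No MFA on email accounts';                  Safeguard = 'Spam filter';           Likelihood = 4; Impact = 4 }
    [pscustomobject]@{ Asset = 'OP1-WS';       Threat = 'Hardware failure'; Vulnerability = 'Single workstation, no spare';              Safeguard = 'Nightly backup, image'; Likelihood = 3; Impact = 1 }
)

# Step 5: turn likelihood x impact into the high/medium/low rating HHS expects.
# These thresholds are a common convention, not an HHS requirement; document the ones you use.
function Get-RiskRating {
    param([int]$Likelihood, [int]$Impact)
    $score = $Likelihood * $Impact
    if ($score -ge 15) { return 'High' }
    if ($score -ge 8)  { return 'Medium' }
    return 'Low'
}

$Register = foreach ($f in $Findings) {
    $rating    = Get-RiskRating -Likelihood $f.Likelihood -Impact $f.Impact
    # Step 6: every medium or high risk gets a remediation entry with an owner and due date
    $needsPlan   = $rating -ne 'Low'
    $remediation = if ($needsPlan) { 'TO BE ASSIGNED' } else { 'Accept; review next cycle' }
    $owner       = if ($needsPlan) { 'TO BE ASSIGNED' } else { '' }
    $dueDate     = if ($needsPlan) { (Get-Date).AddDays(90).ToString('yyyy-MM-dd') } else { '' }

    [pscustomobject]@{
        Asset         = $f.Asset
        Threat        = $f.Threat
        Vulnerability = $f.Vulnerability
        Safeguard     = $f.Safeguard
        Likelihood    = $f.Likelihood
        Impact        = $f.Impact
        Score         = $f.Likelihood * $f.Impact
        Rating        = $rating
        Remediation   = $remediation
        Owner         = $owner
        DueDate       = $dueDate
    }
}

# Highest risks first on screen, then a dated copy for the compliance folder
$Register | Sort-Object Score -Descending | Format-Table Asset, Threat, Rating, Score, Remediation -AutoSize
$stamp = Get-Date -Format 'yyyy-MM-dd'
$Assets   | Export-Csv -Path ".\ephi-inventory-$stamp.csv" -NoTypeInformation
$Register | Export-Csv -Path ".\risk-register-$stamp.csv"  -NoTypeInformation

# An asset with no threat/vulnerability pair usually means the assessment is incomplete, not that it is safe
$Assets | Where-Object { $_.Name -notin $Register.Asset } | ForEach-Object {
    Write-Warning "No threat/vulnerability pair recorded for $($_.Name); assess it before signing off."
}
```

The two dated CSV files are the artifact OCR asks for: an inventory of everything touching ePHI and a register showing how each rating was reached and what is being done about it. Re-run it at each review and keep the old copies so the history of remediation is visible.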

Business Associate Agreement Gaps

A BAA is a legal document that requires any vendor handling your patient data to protect it according to HIPAA standards. You need BAAs with more vendors than most practices realize:

  • Your IT provider / MSP — If they can access your server remotely (and they can), they need a BAA.
  • Your cloud backup provider — Carbonite, Datto, Veeam cloud — whoever stores your backup data needs a BAA.
  • Your email provider — If your staff has ever emailed a patient's name, appointment time, or treatment plan, your email provider needs a BAA. Google Workspace and Microsoft 365 both offer BAA-eligible plans, but you have to request and sign the BAA specifically.
  • Open Dental, Dentrix, Eaglesoft — Your PMS vendor. They typically have a BAA available on request.
  • Your phone system — If your VoIP system records calls or stores voicemails that mention patient names, the provider needs a BAA.

Audit your vendor list. For each vendor, confirm you have a signed BAA on file. If you don't, request one. If the vendor won't sign a BAA, find a vendor who will — or stop sending them patient data.

Penalties Are Increasing — and Dental Isn't Exempt

HHS has been increasing HIPAA enforcement across all healthcare sectors, including dental. The Office for Civil Rights (OCR) settled multiple cases in 2025 involving dental practices that failed to conduct a risk analysis or implement encryption. Penalties ranged from $50,000 to $350,000 for single-location practices.

The most common violation? Failure to conduct a risk analysis. Not a breach. Not a hack. Simply not having a documented risk analysis on file when OCR came asking. This is the lowest-hanging compliance fruit — and the one most dental practices skip because their IT provider never told them it was required.

Your Next Steps

HIPAA compliance is not a one-time project. It's an ongoing process that requires regular review, updated documentation, and continuous monitoring. Here's where to start:

  1. Confirm encryption is enabled — Open a command prompt on your server and type manage-bde -status. If BitLocker is not enabled on the drive containing your practice management database, that's your first remediation item.
  2. Request BAAs from all vendors — Send an email to every vendor that touches patient data. Ask for their BAA. File them in a dedicated compliance folder.
  3. Schedule a risk analysis — Block two hours with your IT provider (or do it yourself using the checklist above). Document everything. Date it. Store it securely.
  4. Set a review cadence — HIPAA requires periodic review. Annually is the minimum, but quarterly reviews catch drift faster.
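
Step 1 above and the encryption-at-rest section both come down to one question: is every volume that holds the practice management database fully protected by BitLocker? The script below is an added example, not code from the original article or from any PMS vendor. It is the PowerShell equivalent of manage-bde -status, with the result turned into a dated compliance record; run it in an elevated PowerShell window on the server. The database directories listed in $DatabasePaths are assumptions for illustration and must be replaced with the locations your own Open Dental, Dentrix or Eaglesoft install actually uses.

```powershell
# Added example, not from the original article: report BitLocker status for every
# volume, flag the volume(s) holding the practice management database, and save a
# dated record. Requires an elevated prompt; Get-BitLockerVolume ships with
# Windows Server and Windows Pro/Enterprise.

# Assumed database locations (illustration only; check your PMS documentation)
$DatabasePaths = @(
    'C:\mysql\data',                           # assumed Open Dental MySQL data directory
    'C:\Program Files\Microsoft SQL Server',   # assumed SQL Server Express (Dentrix) location
    'D:\Eaglesoft\Data'                        # assumed Eaglesoft (Sybase) data directory
)

$Report = foreach ($vol in Get-BitLockerVolume) {
    # Does any known database directory exist on this volume?
    $holdsEphi = [bool]($DatabasePaths | Where-Object {
        (Test-Path -LiteralPath $_) -and $_.StartsWith($vol.MountPoint, [System.StringComparison]::OrdinalIgnoreCase)
    })
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        Volume           = $vol.MountPoint
        Type             = $vol.VolumeType                 # OperatingSystem or Data
        ProtectionStatus = $vol.ProtectionStatus           # On means key protectors are active
        VolumeStatus     = $vol.VolumeStatus               # FullyEncrypted is the goal
        Method           = $vol.EncryptionMethod           # e.g. XtsAes256
        Protectors       = ($protectorTypes -join ', ')
        RecoveryKeySaved = ($protectorTypes -contains 'RecoveryPassword')
        HoldsEPHI        = $holdsEphi
        Encrypted        = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
    }
}

$Report | Format-Table -AutoSize

# Remediation item: a volume that holds patient data but is not fully protected
foreach ($row in $Report | Where-Object { $_.HoldsEPHI -and -not $_.Encrypted }) {
    Write-Warning "Volume $($row.Volume) holds patient data but BitLocker is $($row.ProtectionStatus) / $($row.VolumeStatus). Remediate this first."
}
# An encrypted volume with no recovery password protector can become unrecoverable after a hardware change
foreach ($row in $Report | Where-Object { $_.Encrypted -and -not $_.RecoveryKeySaved }) {
    Write-Warning "Volume $($row.Volume) is encrypted but has no recovery password protector; add one and store it off the server."
}
if (-not ($Report | Where-Object HoldsEPHI)) {
    Write-Warning 'None of the assumed database paths exist on this machine; edit $DatabasePaths to match your PMS install.'
}

# Keep a dated copy alongside the risk analysis documentation
$Report | Export-Csv -Path ".\bitlocker-status-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Encrypted means both conditions hold: protection is On and the volume is FullyEncrypted. A volume that reports EncryptionInProgress, or that is encrypted but has protection suspended, still fails the check, which is the state manage-bde -status shows after an interrupted BitLocker rollout. The recovery-password warning is there because a drive you cannot unlock after a motherboard or TPM change is a data-loss event, not a compliance win.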

CyberCore monitors encryption status, tracks software inventory, and flags configuration changes that affect compliance posture — automatically, every six hours. That doesn't replace a formal risk analysis, but it gives you continuous visibility into the technical safeguards that HIPAA requires.