The HIPAA Security Rule Just Got Its Biggest Overhaul in a Decade
On December 27, 2024, the Office for Civil Rights at HHS dropped a Notice of Proposed Rulemaking that rewrites the HIPAA Security Rule top to bottom. It was published in the Federal Register on January 6, 2025. This is the first meaningful update in over ten years, and it changes the game for every dental practice that touches electronic patient data — which is all of you.
Here's the short version: the government got tired of healthcare organizations treating security as a checklist exercise. So they eliminated the loopholes, raised the floor, and added teeth to enforcement. If you've been skating by with "addressable" safeguards you never actually addressed, that era is over.
The Changes That Actually Matter
Let's cut through the 400 pages of regulatory language and focus on what hits dental practices hardest.
MFA Is No Longer Optional
Multi-factor authentication for accessing patient data was previously classified as "addressable" — regulatory speak for "you can skip it if you document why." That distinction is gone. MFA is now mandatory, full stop.
This is the single most important change in the entire rule. Here's why: 62% of dental data breaches are tied to three things — unpatched imaging software, unsecured intraoral camera WiFi, and legacy practice management systems that don't support MFA. That last one is about to become a serious liability.
If your PMS doesn't support MFA, you have a problem. Not a theoretical compliance gap — an actual, fine-attracting, breach-enabling problem. This is where a lot of practices running older systems are going to feel the squeeze.
Encryption Is Mandatory Everywhere
AES-256 encryption is now required for ePHI both at rest and in transit. No exceptions, no "addressable" wiggle room.
Here's why you should actually want this: 68% of healthcare data breaches since 2010 came from device theft or loss. A stolen laptop with an unencrypted database is a reportable breach. A stolen laptop with AES-256 encryption, where the decryption key didn't walk out the door with it, falls under HIPAA's breach-notification "Safe Harbor": no breach notification required. Encryption doesn't just check a compliance box. It's your get-out-of-jail-free card when hardware walks out the door.
The "Addressable" Loophole Is Dead
This is the structural change underneath everything else. The old HIPAA Security Rule had two tiers: "required" safeguards you had to implement, and "addressable" ones where you could substitute alternatives or skip them with documentation. In practice, "addressable" became "optional" for most small practices.
The new rule eliminates that distinction entirely. Every security standard is now required. Period. If you've been relying on the addressable category to defer security investments, budget accordingly.
Vulnerability Scanning and Pen Testing Are Now on the Clock
Vulnerability scanning: at least every six months. Penetration testing: at least annually. These were best practices before. Now they're requirements with specific timelines.
For a typical dental practice, this means engaging a managed security provider or IT firm that can run these assessments on schedule. You're not doing this in-house. Budget $3,000 to $8,000 annually depending on your practice size and network complexity.
Breach Notification Just Got Tighter
The deadline to notify after a breach dropped from 60 days to 30. That's a significant compression for practices that need to investigate incidents, determine scope, and coordinate notification — especially if you're a multi-location group.
Your Vendors Are on the Hook Too
Business associates — your PMS vendor, cloud backup provider, imaging software company, IT managed service provider — must now verify their security controls annually and notify you within 24 hours of activating any contingency plan. This means if your cloud vendor has an incident, you'll know about it the next day, not the next quarter.
More importantly: if your vendor has inadequate security and a breach results, regulators can classify that as willful neglect on your part. Willful neglect penalties start at $250,000 per violation. Choose your vendors carefully.
The Compliance-vs.-Security Gap
Here's something the regulation can't fix, and it's worth being blunt about: HIPAA compliance is not the same thing as actual security. A compliant practice can still get breached.
Real example: A dental group had all their HIPAA documentation in order. Annual training completed. Policies reviewed. Then a phishing email compromised a credential. MFA wasn't fully enforced across all systems. An attacker encrypted their files. Operations stopped.
They were compliant. They still got hit. The new rules narrow this gap — mandatory MFA and encryption would have stopped that specific attack — but no regulation makes you bulletproof. Compliance is the floor, not the ceiling.
What the Smart Practices Are Doing
Heart of Texas Oral Surgery didn't wait for this rule. They proactively ran the HHS Security Risk Assessment Tool and found 23 vulnerabilities they didn't know existed. They fixed them before anyone told them to.
Compare that to a Florida oral surgery practice that got fined $85,000 for failing to provide records within the 15-day requirement. The difference isn't sophistication — it's initiative.
The Cost Reality
HHS estimates first-year compliance costs at $9 billion across the entire healthcare industry. For a dental practice, the practical translation depends on where you're starting:
- Already running modern, cloud-based PMS with MFA: Your costs are incremental. Pen testing, vulnerability scanning, policy documentation updates. Maybe $5,000 to $15,000.
- Running legacy systems without MFA or encryption: You're looking at a system migration on top of everything else. That's $20,000 to $50,000+ depending on practice size.
- Multi-location groups: Multiply accordingly, but you get economies of scale on assessments and policy work.
The Penalty Math
Get this wrong and the numbers escalate fast:
- Unintentional violations: $120 to $50,000 per violation
- Willful neglect (corrected): Up to $50,000 per violation
- Willful neglect (not corrected): Starts at $250,000 per violation
- Vendor security failures: Classified as willful neglect
That Florida practice paid $85,000 for a records access violation — not even a breach. Imagine the math on an actual security incident with thousands of patient records.
One More Thing: Emerging Tech
OCR specifically flagged AI, quantum computing, and VR/AR as emerging technologies requiring risk evaluation. If you're adopting AI-powered diagnostic tools, virtual reality patient education, or any cutting-edge tech in your practice, you need to document how it interacts with ePHI and assess the risks. This is a forward-looking provision, but it signals where enforcement is headed.
What to Do This Week
- Check if your PMS supports MFA. If it doesn't, start evaluating alternatives now. Not next quarter. Now.
- Verify your encryption status. Are backups encrypted? Is data in transit encrypted? What about that old workstation in operatory 3?
- Review your vendor agreements. Do your business associate agreements reflect the new annual verification and 24-hour notification requirements?
- Schedule a risk assessment. The HHS Security Risk Assessment Tool is free. Use it.
- Budget for pen testing and vulnerability scanning. Find a qualified firm and get on their schedule.
- Update your policies. The new rule requires annual review. If your policies haven't been touched since they were first written, that's a compliance gap starting day one.
The new HIPAA Security Rule is the most significant regulatory change dental practices have faced in cybersecurity. But here's our take: most of these requirements are things you should have been doing anyway. The rule just made "should" into "must." Treat it as an opportunity to actually secure your practice, not just check boxes on a compliance form.
