The HIPAA Security Rule Just Got Its Biggest Overhaul in a Decade
On December 27, 2024, the Office for Civil Rights at HHS dropped a Notice of Proposed Rulemaking that rewrites the HIPAA Security Rule top to bottom. It was published in the Federal Register on January 6, 2025. This is the first meaningful update in over ten years, and it changes the game for every dental practice that touches electronic patient data — which is all of you.
Here's the short version: the government got tired of healthcare organizations treating security as a checklist exercise. So they eliminated the loopholes, raised the floor, and added teeth to enforcement. If you've been skating by with "addressable" safeguards you never actually addressed, that era is over.
The Changes That Actually Matter
Let's cut through the 400 pages of regulatory language and focus on what hits dental practices hardest.
MFA Is No Longer Optional
Multi-factor authentication for accessing patient data was previously classified as "addressable" — regulatory speak for "you can skip it if you document why." That distinction is gone. MFA is now mandatory, full stop.
This is the single most important change in the entire rule. Here's why: 62% of dental data breaches are tied to three things — unpatched imaging software, unsecured intraoral camera WiFi, and legacy practice management systems that don't support MFA. That last one is about to become a serious liability.
If your PMS doesn't support MFA, you have a problem. Not a theoretical compliance gap — an actual, fine-attracting, breach-enabling problem. This is where a lot of practices running older systems are going to feel the squeeze.
Encryption Is Mandatory Everywhere
AES-256 encryption is now required for ePHI both at rest and in transit. No exceptions, no "addressable" wiggle room.
Here's why you should actually want this: 68% of healthcare data breaches since 2010 came from device theft or loss. A stolen laptop with an unencrypted database is a reportable breach. A stolen laptop with AES-256 encryption? That's HIPAA "Safe Harbor" — no breach notification required. Encryption doesn't just check a compliance box. It's your get-out-of-jail-free card when hardware walks out the door.
The "Addressable" Loophole Is Dead
This is the structural change underneath everything else. The old HIPAA Security Rule had two tiers: "required" safeguards you had to implement, and "addressable" ones where you could substitute alternatives or skip them with documentation. In practice, "addressable" became "optional" for most small practices.
The new rule eliminates that distinction entirely. Every security standard is now required. Period. If you've been relying on the addressable category to defer security investments, budget accordingly.
Vulnerability Scanning and Pen Testing Are Now on the Clock
Vulnerability scanning: at least every six months. Penetration testing: at least annually. These were best practices before. Now they're requirements with specific timelines.
For a typical dental practice, this means engaging a managed security provider or IT firm that can run these assessments on schedule. You're not doing this in-house. Budget $3,000 to $8,000 annually depending on your practice size and network complexity.
Breach Notification Just Got Tighter
The deadline to notify after a breach dropped from 60 days to 30. That's a significant compression for practices that need to investigate incidents, determine scope, and coordinate notification — especially if you're a multi-location group.
Your Vendors Are on the Hook Too
Business associates — your PMS vendor, cloud backup provider, imaging software company, IT managed service provider — must now verify their security controls annually and notify you within 24 hours of activating any contingency plan. This means if your cloud vendor has an incident, you'll know about it the next day, not the next quarter.
More importantly: if your vendor has inadequate security and a breach results, regulators can classify that as willful neglect on your part. Willful neglect penalties start at $250,000 per violation. Choose your vendors carefully.



