The first major overhaul of the HIPAA Security Rule in over 20 years. Mandatory encryption, required multi-factor authentication, annual penetration testing, and 72-hour recovery windows — no exceptions, no opt-outs, regardless of practice size.
The 2026 HIPAA Security Rule eliminates every "addressable" loophole. What was once optional — encryption, MFA, penetration testing — is now mandatory for every covered entity, including solo dental practices. Non-compliance penalties reach up to $2.13 million per violation category.
All ePHI must be encrypted at rest (AES-256) and in transit (TLS 1.2+). This applies to servers, databases, laptops, mobile devices, backup systems, email, file transfers, and remote access sessions. No exceptions.
MFA is mandatory for all interactive access to ePHI — employees, contractors, and business associates. At least two factors are required: something you know, something you have, or something you are. Phishing-resistant methods (FIDO2, WebAuthn) are preferred for privileged access.
Every covered entity must conduct annual penetration testing and biannual vulnerability scanning. This means hiring qualified professionals to actively attempt to breach your systems — and documenting every finding.
Documented procedures to restore critical systems within 72 hours of any security incident. This requires criticality analysis, tested backup systems, and validated recovery plans — not just a policy binder on a shelf.
Annual written inventories of every technology asset that touches ePHI — including network maps, data flow diagrams, and identification of all threats and vulnerabilities with documented risk levels.
Documented security incident response plans with specific procedures, roles, and 24-hour notification to plan sponsors when contingency plans are activated. Business associates now carry direct compliance liability.
Deploy anti-malware protection on all systems, remove extraneous software, and disable all unnecessary network ports. Every endpoint that touches ePHI must be locked down and actively monitored.
of dental practices lack basic encryption on at least one system that touches patient records.
have never conducted a formal penetration test — now required annually under the new rule.
opt-outs for small practices. The 2026 rule eliminates size-based exceptions entirely.
maximum penalty per violation category. OCR has signaled aggressive enforcement for 2026.
Every tier is built specifically for dental practices. No generic IT. No one-size-fits-all templates.
Get a free HIPAA 2026 readiness assessment from Florida's dental-exclusive MSP. We'll tell you exactly where you stand — and exactly what it takes to get compliant.