The 2026 HIPAA Security Rule changes every dental office needs to know

In one sentence

The 2026 HIPAA Security Rule changes are a major proposed update — not final law as of mid-2026. If finalized, the proposal would make encryption and MFA mandatory, remove the addressable-versus-required distinction, and add inventories, testing, and tighter oversight. Most of it is good practice now, so prepare without treating it as a current deadline.

What are the 2026 HIPAA Security Rule changes?

The "2026 HIPAA Security Rule changes" refer to a major proposed update to the Security Rule - the first significant overhaul in years. As of mid-2026 it is not final law: the proposed rule (NPRM) was published in January 2025, the comment period closed in March 2025, and no final rule has been issued, with no confirmed timeline. If finalized, the proposal would remove much of the rule's flexibility and make a long list of security practices mandatory. Dental practices should understand what is coming and prepare - while treating the specifics as proposed, not settled. (General information, not legal advice.)

Where things stand (mid-2026)

The proposal drew thousands of public comments, and more than a hundred hospital systems and provider associations formally asked the Department to withdraw or scale it back, largely over cost and feasibility. A final rule that had been targeted for spring 2026 has not appeared. So the honest status is: a serious proposal, heavy industry pushback, and an uncertain finish line - not a deadline on your calendar yet. (See the HIPAA Journal and OCR for the current status.)

What the proposal would change

  • Encryption becomes mandatory. Encrypting ePHI at rest and in transit would no longer be "addressable" - it would be required.
  • Multi-factor authentication required for systems that access ePHI.
  • The "addressable" vs "required" distinction goes away. Implementation specifications that practices could previously justify skipping would become mandatory.
  • Asset inventories and network maps of where ePHI lives and flows.
  • Regular testing - including vulnerability scanning and penetration testing.
  • Faster incident response obligations and tighter timelines.
  • Stronger business-associate oversight, with updated agreements.

If finalized, covered entities would get roughly 180 days to comply, with business associates given additional time to update agreements.

What a dental office should do now

Here is the useful part: nearly everything in the proposal is good practice regardless of whether it is finalized. You do not need to wait for a final rule to:

  • Turn on MFA for email, remote access, and admin accounts.
  • Encrypt ePHI at rest and in transit, including backups.
  • Do (and document) a security risk analysis.
  • Inventory your systems and know where patient data lives. (See backup and disaster recovery.)
  • Sign current BAAs with every vendor that touches PHI. (See what is a BAA?)
  • Keep tested, immutable backups. (See do my dental backups actually work?)

A practice that does these is both more secure today and largely ready if the rule lands - the opposite of a last-minute scramble.

This summarizes a proposed rule for general awareness and is not legal advice. The proposal may change before finalization, or not be finalized; confirm current requirements with a compliance professional or counsel.