HIPAA Security Rule Updates: What Dental Practices Need to Know

As the CEO of Darkhorse Tech, I want to bring to your attention some significant proposed changes to the HIPAA Security Rule that could have a direct impact on your dental practice. On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to update the Security Rule for the first time in over a decade. The official version was published on January 6, 2025. These updates are designed to improve clarity, enhance cybersecurity measures, and ensure better compliance in protecting electronic protected health information (ePHI). Let's break down what this means for dental practices.

Key Updates and What They Mean for You

1. A Shift Towards Specific, Mandatory Security Measures

For years, the HIPAA Security Rule has been broad and flexible to accommodate various healthcare providers. However, OCR is now making it clear that certain cybersecurity measures are no longer optional. In the past, some security measures were labeled as "addressable," which led to confusion and noncompliance. Now, all security standards will be required, ensuring that dental practices take cybersecurity seriously.

2. Focus on Emerging Technologies: AI, Quantum Computing, and More

OCR has highlighted artificial intelligence (AI), quantum computing, and virtual/augmented reality as emerging technologies that could impact data privacy. Even if your dental practice does not currently use these technologies, OCR wants you to evaluate their potential risks and implement security measures proactively.

3. Written Documentation and Compliance Audits

Written documentation has always been required under HIPAA, but OCR has found that many organizations fail to maintain up-to-date policies. The proposed rule emphasizes the necessity of regularly evaluating and updating all security policies and procedures. Additionally, dental practices will be required to conduct annual compliance audits to assess their adherence to security standards. These audits will serve as critical documentation if your practice ever faces an OCR investigation.

4. Stricter Data Protection Standards

Some of the most impactful changes include:

  • Mandatory Encryption: ePHI must now be encrypted both in transit and at rest, ensuring that patient data remains protected from cyber threats.
  • Vulnerability Scanning and Penetration Testing: Dental practices must conduct vulnerability scans at least every six months and penetration testing at least once a year to identify security gaps before cybercriminals exploit them.
  • Patch Management Requirements: Practices will be required to have formal patch management policies in place to ensure timely updates of software and systems, reducing vulnerabilities.

5. Strengthened Access Control and Authentication

Cybersecurity threats are often tied to unauthorized access. The new rule will require:

  • Multi-Factor Authentication (MFA): Dental practices must implement MFA to verify user identities before accessing ePHI.
  • Network Segmentation: Practices must restrict access to sensitive data, ensuring that only authorized personnel have access.

6. Business Associate Contracts and Responsibilities

If you work with third-party vendors handling ePHI (such as IT providers, billing services, or cloud storage companies), the proposed rule places new requirements on them as well. Business associates must now:

  • Verify, at least annually, that they have implemented the required security controls.
  • Notify covered entities within 24 hours of activating their contingency plans due to security incidents.

7. New Compliance Deadlines and Expectations

To ensure timely compliance, the OCR is introducing specific deadlines for security reviews:

  • Policies and procedures must be reviewed, updated, and verified at least once every 12 months.
  • Certain security measures (such as vulnerability scanning and penetration testing) must be performed at regular intervals.

What This Means for Your Dental Practice

These updates signal a shift in how the government views cybersecurity in healthcare, and the changes are particularly relevant to dental practices, which often have smaller IT teams and fewer cybersecurity resources. However, compliance is no longer just about avoiding fines—it’s about protecting your patients’ data and maintaining trust.

Actionable Steps for Dental Practices:

  • Assess your current security measures against the new requirements.
  • Implement encryption and multi-factor authentication to safeguard ePHI.
  • Regularly test your cybersecurity defenses through vulnerability scanning and penetration testing.
  • Update written policies and perform annual compliance audits.
  • Ensure business associates comply with the updated HIPAA Security Rule.

At Darkhorse Tech, we specialize in helping dental practices stay ahead of these regulatory changes while maintaining seamless, secure IT operations. If you have questions about how these HIPAA updates will impact your practice or need assistance in meeting compliance requirements, we are here to help. The proposed rule is currently open for public comment until March 7, 2025, so there is still time for adjustments before finalization. However, given the direction OCR is taking, dental practices should start preparing now.

Need Help Staying Compliant?

Darkhorse Tech is committed to ensuring that dental professionals have the most up-to-date cybersecurity solutions to meet HIPAA requirements. Contact us today to learn how we can help safeguard your practice against evolving threats.

Darkhorse Dental IT Is Here For You

We understand that caring for your patients is your top priority. Dealing with a computer issue, slow IT response time or HIPAA compliance requirements just isn’t high on your to-do list. That’s where Darkhorse Dental Tech comes in. Our team of Dental IT specialists are experts when it comes to running a great, secure and successful practice, and so much more. Whether you’re looking for IT services for startups, or existing support and security services for your practice, Darkhorse can do it all for you, so you can get back to your patients.

Have questions? Looking for ideas? Just want to talk teeth? Drop us a line at sales@darkhorsetech.com to get the conversation started! Or head to our Contact page to send us a message. Don’t forget to follow us on Instagram!
