When the Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS), finalized the HIPAA Omnibus Rule in 2013, many people (erroneously) breathed a sigh of relief, assuming that this would be the end of the constant changes to HIPAA requirements. Time has shown that nothing could be further from the truth. HIPAA is constantly being tweaked, and 2026 is set to be a year of major changes. Just a few weeks ago, the requirements for the Notice of Privacy Practices that dental clinics must post in their offices and on their websites changed, but the real changes are likely coming soon.
The biggest change is the elimination of many "addressable" implementation specifications in the Security Rule by converting them to required ones. "Addressable," as a refresher, has never meant optional: if a specification is reasonable and appropriate for your practice, you must implement it. If it is not, you must document why and put an equivalent alternative measure in place where one is reasonable and appropriate. For many of these specifications, that flexibility will go away in the next few months.
What’s becoming mandatory
• MFA, or multifactor authentication, is what happens when you log in with a password and then must also supply a second factor, such as a one-time code from your phone or email, a code from an authenticator app, or a hardware security key. Under the proposed changes, MFA will be required across systems and applications, for administrators and ordinary users alike, even if software upgrades or development work are needed to get there. The "our vendor doesn't support MFA" excuse will no longer hold. The reason for this change is that stolen or reused credentials remain the leading cause of security breaches in health care. One caveat a security professional will give you: codes sent by SMS or email are the weakest form of MFA because they can be intercepted or phished, so prefer an authenticator app or a hardware key where the system allows it.
• Most organizations already encrypt data in transit (HTTPS). The 2026 HIPAA changes make encryption at rest mandatory as well. This covers databases, file systems, and backups, and it means data on a device's storage must remain encrypted when the device is powered off, which in practice means full-disk encryption on workstations, servers, and portable media. HIPAA aligns its encryption expectations with recognized NIST cybersecurity standards, including secure key management (keys stored separately from the data they protect) and access controls.
• Vulnerability scanning and penetration testing are not the same thing. Vulnerability scanning is the automated identification of known weaknesses such as missing patches and misconfigurations; penetration testing is a human-led attempt to actually exploit weaknesses the way an attacker would, chaining them together to reach patient data. Under the 2026 HIPAA changes, vulnerability scans must occur at least every six months and a full penetration test must be conducted at least annually. This aligns with broader HHS expectations for proactive breach prevention. Scans alone are no longer enough; validate your HIPAA security controls with an annual penetration test performed by experienced security professionals, and make sure the findings from both activities are tracked to remediation.
• The updated contingency plan standards require organizations to demonstrate the ability to restore critical systems and data within 72 hours of an incident. This requirement is heavily influenced by HHS ransomware guidance, which treats recovery capability as a core security function. A paper disaster recovery plan is not sufficient: restoration must be tested and repeatable, which means actually restoring from backup on a schedule, timing how long it takes, and keeping at least one copy of backups offline or otherwise out of reach of an attacker who has compromised your network.
While the above are the main changes, there are several administrative and document requirement changes coming down the pike as well.
How to prepare before the compliance clock starts
What should dentists do at this point? My best suggestion is a risk assessment and gap analysis. Basically, you compare what you are doing now, control by control, against what the new requirements will demand, and start planning the work and budget to close each gap. Once the final rule is published, you'll have only about a six-month grace period to comply.
Dentists are covered entities, and as such they must follow all HIPAA rules and guidelines. I highly recommend working with a dental health care-specific IT provider to make sure you are compliant with both current and future HIPAA rules.
Editor's note: This article appeared in the June 2026 print edition of Dental Economics magazine. Dentists in North America are eligible for a complimentary print subscription. Sign up here.