HIPAA Security Rule 2026: What Small Medical and Dental Practices Need to Know Now
Two Layers, One Clear Picture
If you run a small medical or dental practice and you’ve been hearing conflicting things about the HIPAA Security Rule, here is the situation as of 2026, stated plainly. There are two layers to understand, and keeping them straight removes most of the confusion.
The first layer is the current, enforceable Security Rule — the rule that has been in effect for years and that HHS continues to enforce today. The second layer is a proposed update to that rule, published by HHS through the Office for Civil Rights (OCR) in early 2025. HHS has been explicit that the current Security Rule remains in effect while the rulemaking process proceeds. In other words: nothing about your current obligations has been replaced. The proposed rule signals where requirements are likely heading, but it is not yet the law you must comply with today.
This post breaks down both layers without the fearmongering that tends to accompany regulatory news. The goal is to help you understand what you actually have to do now and how to position yourself sensibly for what’s proposed — not to scare you into a panic purchase.
What the Current Security Rule Requires
The current Security Rule protects electronic protected health information (ePHI) through three categories of safeguards. It is deliberately flexible: it does not prescribe specific products or settings, but instead requires controls that are “reasonable and appropriate” for an organization of your size and risk profile.
Administrative Safeguards
These are the policies, procedures, and people-focused controls. The cornerstone is the risk analysis — a formal, documented assessment of the risks to the confidentiality, integrity, and availability of your ePHI, followed by a risk management process to reduce those risks to a reasonable level. The administrative safeguards also cover workforce training, access management, contingency planning, and security incident procedures.
Physical Safeguards
These control physical access to the systems that store and transmit ePHI: facility access controls, workstation security, and policies governing the use and disposal of devices and media.
Technical Safeguards
These are the technology controls: access controls (such as unique user identification and automatic logoff), audit controls that record activity, integrity controls that protect ePHI from improper alteration, and transmission security that protects ePHI as it moves across networks.
The defining characteristic of the current rule is flexibility through the “addressable” versus “required” distinction. Some implementation specifications are required outright; others are “addressable,” meaning you must assess whether the safeguard is reasonable and appropriate for your environment and, if so, implement it — or document why you chose an equivalent alternative. This flexibility is a strength, but it has also led to inconsistency, which is part of what the proposed update aims to address.
“The current rule asks what is reasonable and appropriate for a practice your size. The proposed rule moves toward asking whether you have specific, named controls. Understanding that shift is the key to reading the 2026 landscape correctly.”
What the Proposed Update Would Change
The 2025 proposed rule would make the Security Rule considerably more prescriptive. Rather than leaving as much to interpretation, it would name specific controls that covered entities and business associates would be expected to implement. The proposed controls reflect modern cybersecurity practice and include:
- Asset inventories and network maps — maintaining a current inventory of systems that touch ePHI and documentation of how data flows across the network.
- Multi-factor authentication (MFA) — explicit expectations for MFA on systems that access ePHI.
- Encryption — ePHI at rest and in transit, with narrower room to treat it as optional.
- Vulnerability scanning and penetration testing — regular technical testing to find weaknesses before attackers do.
- Network segmentation — separating systems so that a compromise in one area cannot spread freely.
- Incident response — more defined requirements around detecting, responding to, and recovering from security incidents.
- Annual compliance audits — regular, documented verification that controls are actually in place and effective.
The through-line is a shift from “decide what’s reasonable” toward “implement these specific controls.” For practices that have maintained strong security all along, much of this will feel like documentation of what they already do. For practices that have leaned heavily on the flexibility of the current rule, the proposed update would close that gap.
What This Means for You Right Now
It is worth being clear about timing, because this is where unnecessary anxiety creeps in. The proposed rule is not yet enforceable. Your obligations today are defined by the current Security Rule. You are not out of compliance for lacking a control that only the proposed rule would require.
That said, the smart posture is not to wait. Here is why: nearly every control in the proposed rule is already good security practice, already expected by cyber insurers, and already the kind of control that prevents the breaches small practices actually suffer. MFA, encryption, network segmentation, tested backups, and a documented incident response plan are not exotic future requirements — they are the controls that stop ransomware and credential theft today. Implementing them now improves your security regardless of when (or in what final form) the rule is adopted.
A Sensible Plan for a Small Practice
- Make sure your current risk analysis is real and current. This is required today, it is the foundation of everything else, and it is the single most common gap OCR finds.
- Inventory where your ePHI actually lives. A current asset inventory and a basic network map are useful now and would be expected under the proposed rule.
- Deploy MFA where it matters — email, remote access, administrative accounts, and the EHR.
- Confirm encryption of laptops, servers, backups, and data in transit.
- Segment your network so guest and untrusted devices cannot reach clinical systems.
- Write down your incident response plan and make sure the team knows it.
- Keep your Business Associate Agreements current and exercise real oversight of vendors.
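As an added illustration of the inventory, MFA, encryption, and segmentation steps in the plan above (example code written for this post, not code from the original article or from any vendor), the script below keeps a small ePHI asset inventory and a basic network map as data, then computes the control gaps a practice would want to close first. Every asset name, segment, and route is constructed sample data, and the "guest Wi-Fi bridged into the office LAN" route is a hypothetical misconfiguration included so the segmentation check has something to find.

```python
"""Added example: ePHI asset inventory plus a control-coverage check.

Illustrates the plan steps "inventory where ePHI lives", "deploy MFA",
"confirm encryption", and "segment your network". All data is constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str            # network segment the asset sits on
    holds_ephi: bool        # does ePHI live on or pass through this asset?
    mfa: bool               # MFA enforced for interactive / remote access?
    encrypted_at_rest: bool # disk / database / backup volume encrypted?
    tls_in_transit: bool    # ePHI leaves and enters only over TLS?


# Constructed sample inventory for a small practice (hypothetical names).
INVENTORY = [
    Asset("ehr-server",          "clinical", True,  True,  True,  True),
    Asset("imaging-workstation", "clinical", True,  False, True,  False),
    Asset("front-desk-laptop",   "office",   True,  True,  False, True),
    Asset("email-m365",          "cloud",    True,  True,  True,  True),
    Asset("backup-nas",          "office",   True,  True,  False, True),
    Asset("guest-wifi-ap",       "guest",    False, False, False, False),
]

# Constructed network map: which on-premises segment can reach which.
# The guest -> office route is a hypothetical misconfiguration (guest Wi-Fi
# bridged into the office LAN) so that the segmentation check finds it.
ROUTES = {
    "guest": {"office"},
    "office": {"clinical"},
    "clinical": set(),
}
UNTRUSTED_SEGMENTS = {"guest"}


def reachable(start, routes):
    """Every segment reachable from `start`, following routes transitively (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in routes.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def asset_gaps(inventory):
    """Per-asset gaps against the MFA and encryption controls, ePHI assets only."""
    gaps = []
    for a in inventory:
        if not a.holds_ephi:
            continue
        if not a.mfa:
            gaps.append((a.name, "no MFA"))
        if not a.encrypted_at_rest:
            gaps.append((a.name, "ePHI at rest not encrypted"))
        if not a.tls_in_transit:
            gaps.append((a.name, "ePHI in transit not protected by TLS"))
    return gaps


def segmentation_gaps(inventory, routes, untrusted=UNTRUSTED_SEGMENTS):
    """Segments holding ePHI that an untrusted segment can reach, directly or not."""
    ephi_segments = {a.segment for a in inventory if a.holds_ephi}
    gaps = []
    for u in sorted(untrusted):
        for seg in sorted(reachable(u, routes) & ephi_segments):
            gaps.append((f"segment:{seg}", f"reachable from untrusted segment '{u}'"))
    return gaps


def control_gaps(inventory, routes, untrusted=UNTRUSTED_SEGMENTS):
    """Combined, sorted gap list: (asset or segment, description)."""
    return sorted(asset_gaps(inventory) + segmentation_gaps(inventory, routes, untrusted))


if __name__ == "__main__":
    for subject, gap in control_gaps(INVENTORY, ROUTES):
        print(f"{subject:22} {gap}")
```

The output is a short, documented gap list: the imaging workstation lacks MFA and sends ePHI in the clear, the front-desk laptop and the backup NAS are unencrypted at rest, and both the office and clinical segments are reachable from guest Wi-Fi. Removing the guest-to-office route (or setting `ROUTES["guest"]` to an empty set) clears the segmentation findings, which is the same check a practice can repeat after each network change to confirm that guest and untrusted devices still cannot reach clinical systems.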
None of this requires acting out of fear. It requires acting out of good judgment — the same controls satisfy your current obligations, prepare you for the proposed rule, and reduce the real risk of a breach.
The Byzantine Takeaway
The 2026 HIPAA Security Rule landscape has two layers: a current enforceable rule that remains fully in effect, and a proposed update that would make requirements more prescriptive around modern controls like asset inventories, MFA, encryption, segmentation, testing, and audits. You are governed by the current rule today, so there is no cause for panic — but there is every reason to act. The controls in the proposed rule are the controls that prevent real breaches, satisfy insurers, and reflect plain good practice. Start with an honest, current risk analysis, then work through the list. You will be compliant today and well positioned for whatever the final rule looks like.