HIPAA Updates 2025–2026 — What Dental Practices Need to Know

Critical timeline

February 16, 2026

Mandatory

NPP revision deadline

All covered entities must update their Notices of Privacy Practices to explain patient rights regarding reproductive health and substance use data protections (from the April 2024 Privacy Rule changes). Intake.Dental NPP templates are already updated for this deadline.

February 16, 2026

Mandatory

42 CFR Part 2 full compliance

Alignment of substance use disorder records rules with HIPAA reaches mandatory compliance for affected practices.

Mid 2026 (expected)

Expected

Security Rule final publication

The most sweeping Security Rule update since 2013 will mandate MFA for all ePHI systems, encryption at rest and in transit with no exceptions, annual technology asset inventories, biannual vulnerability scans, annual penetration testing, 72-hour incident response, and direct compliance liability for business associates.

Late 2026 / Early 2027

Projected

Compliance deadline

Organizations will have 180–240 days post-publication to comply with the new Security Rule.

2025 enforcement context

OCR levied over $6.6 million in fines in 2025 alone, with single penalties ranging from $80,000 to $3,000,000. Phase 3 audits launched targeting 50+ entities. Industry cost estimates for compliance with the incoming rules: $9 billion year one, $34 billion over five years.

What dental practices must do

Update Notices of Privacy Practices by February 16, 2026 to explain new reproductive health and SUD protections

Implement multi-factor authentication for all accounts handling ePHI

Encrypt data at rest and in transit using NIST-compliant methods

Maintain append-only audit trails logging every access to PHI

Execute and update Business Associate Agreements with every vendor and subcontractor

Conduct annual vulnerability assessments and penetration testing

Document incident response procedures aligned to the 72-hour standard

Maintain a current technology asset inventory and network map

What Intake.Dental handles automatically

Practices on Intake.Dental don't need to manually track most of the technical requirements — we ship them by default.

Pre-updated NPP templates (February 2026 version already live)

AES-256-GCM encryption at rest, TLS 1.3 in transit, optional Glyph Cipher add-on

MFA-ready infrastructure for every admin account

Comprehensive append-only audit trail logging every PHI access

Maintained BAAs with every sub-processor in our supply chain

72-hour incident response capability built into our runbooks

Frequently asked questions

What happens if we miss the February 2026 deadlines?

Penalties escalate. The new Security Rule also eliminates the 'addressable' safeguard option, meaning all technical safeguards become mandatory — reducing interpretation flexibility compared to current rules.

Does the encryption safe harbor still apply?

Yes. Under 45 CFR § 164.402, properly encrypted PHI may not trigger breach notification if the encryption keys were not compromised. Layered encryption (AES-256-GCM plus our optional Glyph Cipher add-on) strengthens this defense significantly.

Do dental practices handling substance use records need special compliance?

Yes. Practices treating patients with SUD histories must align intake forms and data handling with the unified 42 CFR Part 2 / HIPAA protocols by February 2026. Intake.Dental's form templates are already updated.

What were the 2025 enforcement numbers?

OCR levied over $6.6 million in fines in 2025 with single penalties ranging from $80,000 to $3,000,000. Phase 3 audits targeted 50+ entities. The most common violations were inadequate risk assessments, ransomware incidents, and weak technical safeguards.