HIPAA Security Rule – Proposed Rulemaking Update

Apr 29, 2026
The U.S. Department of Health and Human Services Office for Civil Rights is expected to announce significant changes to the HIPAA Security Rule in May 2026, including requirements for encryption of electronic protected health information, multi-factor authentication and more.

On Dec. 27, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) proposed significant updates to the HIPAA Security Rule requirements for covered entities, including dental practices.

Under the current rule, safeguards are classified as either "required" or "addressable." Addressable is not the same as optional — regulated entities must implement or adopt an equivalent alternative, and may document why neither is reasonable and appropriate for their environment.

OCR has recognized that addressable specifications have been widely treated as optional in practice and has proposed removing the distinction, which would make nearly all implementation specifications required, with only limited exceptions.

Among the provisions that would shift from addressable to required are encryption of electronic protected health information and multi-factor authentication. The rule would also introduce new requirements such as maintaining a written inventory of systems that handle patient data and establishing procedures to restore critical systems within 72 hours of a security incident.

The proposal has drawn substantial pushback from the healthcare sector. The ADA joined a broad coalition of clinician and provider organizations in a Feb. 17, 2025 letter opposing the rule and urging the administration to rescind it in favor of a more balanced approach that addresses cybersecurity risk without imposing disproportionate costs on practices.

OCR's regulatory agenda currently lists May 2026 as the target for final rule action.

ComplyBetter

Manage HIPAA Compliance & More with ComplyBetter

ComplyBetter — WSDA’s online, on-demand dental compliance service — gives Washington dental offices the tools to manage HIPAA, OSHA/WISHA and infection control compliance with ease.

Our expert team and modern tools offer a proactive, member-focused compliance experience that will have you confident and prepared if an inspector ever walks through your door.

Discounted annual pricing is available for WSDA members. Learn more at complybetter.com.