2026 HIPAA Security Rule: What Small Practices Should Know

If you run a small medical or dental practice, you have probably gotten a few emails lately warning you that major new HIPAA rules are coming and you need to act right now. Some of that is true. A lot of it is the same fear pitch every IT and compliance vendor sends when they want a meeting. Here is the honest version, without the scare tactics, so you can decide what actually deserves your attention.

What the 2026 HIPAA Security Rule Actually Is

First, the part almost nobody leads with: it is a proposed rule, not law. The government published the proposal at the end of 2024, the public comment period closed in early 2025, and it would be the biggest change to the HIPAA Security Rule in over a decade.

The original target was to finalize it around the middle of 2026. That window has come and gone with nothing published, there is no confirmed date, and a large group of hospital and provider organizations has formally asked the government to pull the proposal back. So whether it becomes law, when, and in what final form is genuinely up in the air.

That does not make it irrelevant. It tells you clearly where the rules are heading. It is just not a deadline on your calendar yet, and any vendor telling you otherwise is selling urgency that does not exist.

The new rule is a signal of where things are going. It is not a deadline you are already late for.

What It Would Require If It Becomes Final

If the proposal becomes law close to its current form, here is what would change for a practice your size. All of this is still proposed, so treat it as direction, not gospel.

The "addressable" loophole goes away. Right now, some HIPAA safeguards are labeled "addressable," which in the real world means a lot of practices skip them and write a short note explaining why. The proposal removes that flexibility and makes them required.
Multi-factor authentication becomes mandatory. Anything that touches patient data would need MFA, not just a password.
Encryption becomes mandatory. Patient data would have to be encrypted on your devices and when it moves between systems.
More structure around the basics. Network segmentation, a real inventory of every device and system that touches patient data, and vulnerability scanning and testing on a set schedule.
Tighter incident timelines. Specific deadlines for responding to and recovering from an incident, measured in hours, not days.
Annual audits and vendor accountability. Yearly compliance audits, plus your vendors having to report their own compliance status to you every year.

If a final rule is issued, practices would get roughly 240 days to comply. The catch is that the final language can differ from the draft, so building your whole plan around a proposal you cannot see the finished version of is a good way to do the work twice.

The Part That Is Already the Law

Here is what the scary emails tend to skip. While the new rule is still proposed, one of its core requirements is already in force and has been for years: a thorough, written security risk analysis. If you have heard it called an SRA, that is the same thing.

It is the single most common failure the government finds when it investigates a practice, and it is far from the only HIPAA gap that quietly puts practices at risk. The Office for Civil Rights has been running a dedicated enforcement campaign around the risk analysis since late 2024, and as of spring 2026 has closed more than a dozen cases under that campaign alone.

The pattern is almost identical every time. A practice gets hit with ransomware or a breach. The government investigates. It finds there was never a real, documented risk analysis. A settlement follows, along with a corrective action plan that runs two to three years with mandatory progress reports to the federal government. Settlements have ranged from around ten thousand dollars for small organizations to several hundred thousand for larger ones, but the multi-year oversight usually costs more in time and disruption than the fine does in dollars.

And no, being small is not a shield. The government has settled with solo and small practices. The size of your office does not change the standard you are held to.

The breach is what starts the investigation. The missing risk analysis is what turns it into a settlement.

What a Small Practice Should Actually Do Now

The takeaway is not to panic-buy security products because of a proposed rule. It is to get your foundation in order, because it protects you under the rules that already exist and puts you ahead of the one that might be coming. Almost everything the new rule would make mandatory is already considered basic, sound practice.

Get a real, written risk analysis. Not a checklist someone filled out once and filed. A current one that names your actual risks and what you are doing about each. This is the single highest-value move, and it is the thing the government already enforces.
Turn on MFA on every system that touches patient data. It is usually already sitting in your settings, and it shuts down the most common way practice accounts get taken over.
Confirm your backups actually restore. Not that the backup jobs "run," but that the data comes back. The only way to know is to test a restore before you are depending on it.
Know your vendors and your BAAs. List every system and company that touches patient data, then check which ones have a signed business associate agreement on file.
Have a first-hour plan. Write down what you would do in the first hour of a suspected breach, with names and phone numbers, before you ever need it.

None of this depends on the new rule being final. These are the things the government already looks for, and the things that keep a small practice out of trouble whether the proposal lands this year, next year, or not at all.

If you are not sure where your practice actually stands, the point is to get a clear picture before a deadline or a breach forces one. You can run our PracticeReady assessment in about ten minutes for a starting read on your risks, or take fifteen minutes with me and I will give you a straight answer on where your real gaps are. No scare tactics, no sales pitch.

Serving small medical practices across Nassau and Suffolk County, Long Island.