Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"I've read some recent headlines about potential updates coming to the Security Rule of the HIPAA law. How do you anticipate this affecting my dental practice?"
Thanks for this question! We haven’t had any changes to HIPAA in a long time, so this is kind of a big deal in my world. Here’s the bottom line: no changes have been made… yet. What’s happening is that the Department of Health and Human Services (HHS) has proposed several updates to the Security Rule, but these are still in the proposal stage, meaning they are open for public comment and have not been finalized or implemented. These updates are designed to strengthen data security and reflect how much technology, and the threats to it, have evolved since the rule was last updated in 2013. Think about it: the technology you use in your office has likely changed a lot in the past twelve years, so the rules governing how to secure it should probably be updated too.
The HIPAA Law
So, what exactly are we looking at here? On the one hand, you could say quite a bit is being changed; there are at least a dozen significant proposed updates. On the other hand, if your practice (and your IT provider) has been diligently following industry best practices to secure patient data, these updates may have little practical impact. This is because HIPAA has always required covered entities to implement reasonable and appropriate administrative, physical, and technical safeguards for protecting ePHI. The proposed updates don’t change that; they spell out much more clearly what those reasonable and appropriate safeguards actually entail by writing modern data security best practices into the rule.
This effort from HHS comes after years of reviewing data breaches and discovering that many organizations failed to implement even basic protections. Practices like conducting a formal risk analysis and keeping it current, encrypting ePHI, and maintaining effective contingency plans are all things that should already be happening under the current rule. The truth is that many of the large breaches we’ve seen occurred because these basic safeguards weren’t in place. The updates aim to fix these recurring issues by being more specific about what’s expected.
Let me give you a few examples of what’s being proposed.
- Practices would need to keep an up-to-date inventory of all technology assets they use and a network map showing how ePHI flows into, through, and out of their systems, with both reviewed at least annually. You will need to track where and by whom ePHI is created, received, stored, used, and shared.
- The risk analysis would need to be more detailed: identifying the specific threats and vulnerabilities affecting each system in that inventory, and evaluating how likely each one is to be exploited and what the impact would be.
- The updates emphasize stronger technical measures: encryption of ePHI at rest and in transit, multi-factor authentication, and regular vulnerability scanning (at least every six months) along with annual penetration testing.
- Finally, there’s a bigger focus on being prepared for security incidents, with written incident response plans and procedures that are tested regularly, and the ability to restore critical systems and data within 72 hours of an outage or breach.
Another thing I should mention is that the changes would eliminate the distinction between ‘addressable’ and ‘required’ safeguards. This has been one of the biggest sources of confusion in HIPAA. Currently, the Security Rule labels some implementation specifications as ‘addressable’ rather than ‘required,’ which many people mistakenly interpret as meaning those safeguards are optional. In reality, ‘addressable’ means that there are various ways to mitigate a specific risk, so the covered entity must implement the safeguard, implement an appropriate alternative based on its own risk assessment, or document why neither is reasonable and appropriate. The proposed update would remove this ambiguity by making every safeguard required, with only limited, specifically listed exceptions.
Summary
Here’s the key takeaway: the Security Rule requirements are not drastically changing. HIPAA has always required “reasonable and appropriate” security practices. What is changing is the level of specificity in what that means and the expectation that you actually follow through. The gray areas that have allowed practices to cut corners or delay security measures are disappearing. If you’re already following these principles, you’re on the right track; keep doing what you’re doing. But if you haven’t been prioritizing security, now is the time to start, because once these changes are finalized, enforcement will likely follow. History shows that when HHS updates a rule, it actively looks for ways to enforce it, often making examples of organizations that fail to comply.
These aren’t new ideas; they’re things you should already be doing. The difference is that soon there will be far less wiggle room, and regulators will expect to see clear, documented compliance: a current asset inventory and network map, a written risk analysis, evidence that encryption and multi-factor authentication are in place, scan and test results, and a tested incident response plan. Taking action now will help ensure you’re ready when these updates become official.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.