CyberDentalHIPAA Back
New HIPAA Regulations

What your practice needs at a glance.

The HIPAA Security Rule protects electronic patient information through administrative, physical, and technical safeguards. HHS has also proposed updates to strengthen ePHI cybersecurity.

Exact Rule 45 CFR Part 164, Subpart C
2026 Context Proposed Security Rule modernization
Doctor Lens Reduce breach, fine, and downtime risk

Encrypted Email

Email containing ePHI should be protected in transit and controlled so only the right people can read it.

Law 45 CFR § 164.312(e)(1), § 164.312(e)(2)(ii), § 164.312(a)(2)(iv)
  • Secure transmission
  • Encryption where reasonable
  • Access control

Cloud Backup

Patient data needs a backup and recovery plan so the practice can keep operating after failure, theft, or ransomware.

Law 45 CFR § 164.308(a)(7)(ii)(A)-(C)
  • Data backup plan
  • Disaster recovery plan
  • Emergency mode operation

Endpoint Protection

Workstations and devices that touch ePHI need malware protection, monitoring, and secure handling.

Law 45 CFR § 164.308(a)(5)(ii)(B), § 164.310(c), § 164.310(d), § 164.312(b)
  • Malware protection
  • Workstation security
  • Device and media controls

HIPAA Training

Staff need privacy and security training so everyday handling of patient information is consistent.

Law 45 CFR § 164.308(a)(5), § 164.530(b)
  • Security awareness
  • Privacy training
  • Documented workforce training

Firewall

HIPAA does not name a firewall product, but network filtering supports access control and transmission security.

Law 45 CFR § 164.312(a)(1), § 164.312(e)(1)
  • Access control
  • Network traffic protection
  • Unauthorized access reduction

Pentesting

Testing helps uncover risks and supports the required risk analysis and periodic evaluation process.

Law 45 CFR § 164.308(a)(1)(ii)(A), § 164.308(a)(8)
  • Risk analysis
  • Technical evaluation
  • Remediation evidence

Access & Audit Logs

The practice should know who can access ePHI and be able to review system activity.

Law 45 CFR § 164.312(a)(1), § 164.312(b)
  • Unique access
  • Audit controls
  • Activity review

Vendors & BAAs

Vendors that handle patient information need the right agreements and safeguards in place.

Law 45 CFR § 164.308(b)(1), § 164.502(e), § 164.504(e)
  • Business associate contracts
  • Vendor safeguards
  • Responsibility mapping