Key Takeaways:
- The proposed 2025 HIPAA Security Rule update — published in the Federal Register on January 6, 2025 (90 FR 898) — is the most significant proposed revision since the rule was first finalized in 2003. It would move several controls from “addressable” to “required.” That distinction matters at audit time and when a cyber insurance claim is on the table.
- Solo dental practices are not exempt. The rule has always applied to practices of every size, and the proposed update closes several gaps that allowed smaller practices to operate on minimal documentation. A solo Fort Wayne or Huntington practice would be held to the same standard as a multi-location group.
- The headline changes to plan for: mandatory MFA, mandatory encryption of ePHI at rest and in transit, a formal annual risk analysis, a written incident response plan with documented testing, and an asset inventory.
- The Indianapolis-based Westend Dental case is the local touchstone for what HIPAA non-compliance looks like in practice — a $350,000 settlement, a four-year legal aftermath, and compliance failures the Indiana dental community is still absorbing.
- Mid-year is a reasonable time to start this work, before the assessment market tightens at year-end and before enforcement pressure builds as the rule moves toward finalization.
HHS published the Notice of Proposed Rulemaking for the Security Rule update in the Federal Register on January 6, 2025, and the public comment period closed in March 2025. As of this writing, the rule remains on OCR’s regulatory agenda for finalization in 2026, though a final date has not been confirmed. Once finalized, most covered entities would have 180 to 240 days to comply.
Source: Federal Register, 90 FR 898 (Jan. 6, 2025)
Most solo practitioners in northeast Indiana — including practices around Huntington and across the IDA’s component districts — are still working through what the proposed update would require of them specifically, versus what it would require of larger DSO-aligned practices. The answer is worth understanding now. The proposed standard is the same regardless of practice size.
The early phase of preparation is mostly documentation work: written risk analysis, written policies, a written incident response plan. The technical requirements — MFA, encryption, asset inventory — follow once the documentation foundation is in place.
A practice you intend to keep, transition, or eventually sell carries this work forward whether or not you personally do it. Getting it done now protects what you’ve built. The Westend Dental case in Indianapolis is a clear illustration of what it looks like when the foundations aren’t there.
What changed in the proposed 2025 update versus the rule in place since 2003?
The Security Rule has always required Covered Entities — which includes virtually every dental practice — to implement administrative, physical, and technical safeguards for electronic protected health information (ePHI). The 2003 framework distinguished between “required” specifications and “addressable” specifications. Required meant implement. Addressable meant evaluate, then either implement or document why an alternative was reasonable.
The proposed update would move several historically addressable items to required status. The most significant ones for a solo practice:
| Specification | Pre-Proposed Rule | Proposed Update |
|---|---|---|
| Multi-factor authentication | Addressable | Required |
| Encryption of ePHI at rest and in transit | Addressable | Required (narrow exceptions) |
| Annual written risk analysis | Required (general) | Required, documentation expectations clarified |
| Written incident response plan with testing | Effectively addressable | Required, annual test documentation |
| Asset inventory of ePHI systems | Implicit | Explicit, written, and current |
| Termination procedures for departing staff | Required | Required, documentation clarified |
Source: HHS Office for Civil Rights, Federal Register 90 FR 898 (Jan. 6, 2025)
The shift from addressable to required removes the “we documented an alternative” escape hatch. If the rule finalizes as proposed, a practice that opted out of MFA for workflow reasons would not have a defensible compliance position.
Is a solo dental practice expected to meet the same standard as a DSO-affiliated practice?
Yes. The Security Rule has never scaled requirements to practice size. A solo practice and a hundred-location DSO are both Covered Entities subject to the same rule, the same risk analysis requirements, and the same documentation obligations. Implementation looks different at different scales — a solo practice is not running a security operations center — but the underlying controls are the same.
OCR has expanded enforcement activity to include small and mid-sized healthcare providers, and the agency’s pattern of enforcement over the last several years shows that smaller practices have not been given softer treatment simply because of their size. In some cases the absence of documentation is more visible at smaller scale. At least the DSO has a binder.
The most common compliance failure pattern in the Indiana dental community is the assumption that “we’re too small for this to matter.” That assumption tends to be expensive to defend when an enforcement question arrives.
Source: OCR enforcement overview, Freeman Mathis & Gary via NetDiligence (Jan. 2025)
What does the Westend Dental case tell us about what to do next?
Westend Dental is an Indianapolis-based dental group that agreed to a $350,000 settlement with the Indiana Attorney General in December 2024, following a ransomware attack in October 2020 that was concealed for nearly two years.
The investigation started with a single patient complaint about an unfulfilled dental records request. That inquiry surfaced the ransomware attack — and from there, a much larger compliance problem. During the investigation, the practice had told state officials that missing patient data was the result of an accidentally formatted hard drive. It took sworn witness testimony in January 2023 to confirm a data breach had actually occurred.
What investigators found when they looked: usernames and passwords in plain text on the compromised server. The same login credentials used across every server holding patient data. Servers physically sitting, unprotected, in employee break rooms and bathrooms. No documented risk analysis. No HIPAA training for staff until November 2023 — three years after the breach. The designated Privacy and Security Officer had no written designation and no training record.
The $350,000 settlement required Westend Dental to notify all patients, pay the penalty, and implement a corrective action plan. The consent judgment resolved the Indiana AG’s case but does not preclude separate action by HHS’ Office for Civil Rights.
The lesson is not that this was a sophisticated attack. The lesson is that the foundations were missing. A practice with written policies, a current risk analysis, documented staff training, and proper access controls is in a fundamentally different position — whether it faces a breach, an audit, or an insurance claim.
Source: HIPAA Journal — Indiana AG Agrees to $350,000 Penalty (Jan. 2, 2025)
What should the office manager actually do this quarter?
The work has a natural sequence. Whoever manages your office — Maureen, or whoever that person is for you — does not need to tackle everything at once.
2025–2026 HIPAA Compliance Roadmap

Q3 starts with documentation — find the gaps, write them down, produce the artifacts. Q4 moves into technical implementation. Q1 formalizes the testing rhythm. By Q2 of next year, the practice is in a defensible posture and the cyber insurance application can be answered honestly.
What about the office manager’s bandwidth?
This is the part that tends to get glossed over. Maureen’s schedule is already full. Stacking HIPAA documentation on top of recall calls, insurance verifications, hygiene scheduling, and the morning huddle is not realistic without some outside support.
Two approaches work well for most solo practices:
A two-layer model: your existing IT person keeps handling break-fix and day-to-day support, while a specialist takes on the risk analysis, written documentation, and technical controls work within a defined scope. No one gets let go, and day-to-day operations stay intact.
Or bring someone in on a quarterly basis to do the documentation work alongside Maureen rather than handing it to her to figure out on her own. Same result, much lighter burden on the practice.
Either approach gets you to a defensible posture at a pace the practice can actually keep up with.
Want a stewardship review of your current HIPAA posture?
A 90-minute conversation with you and your office manager — walking through where the documentation actually stands, where the technical controls are, and what the gaps look like against the proposed update. You get a written summary you can act on at your own pace.
No pitch, no follow-up campaign. Just a working conversation.
Call us: (260) 243-5100
Or schedule a 15-minute conversation online: calendly.com/jnewburg-1/15min
Frequently Asked Questions
Does the proposed update affect Business Associate Agreements (BAAs) with vendors?
Yes. The proposed update reaffirms that BAAs are required with every vendor that touches ePHI and clarifies expectations around vendor risk assessment. Practices should review BAAs with their practice management vendor, imaging vendor, IT support, billing service, and any cloud provider.
Source: HHS Business Associate Agreement guidance
Is encryption of Dentrix on the office workstation “encryption at rest”?
Encryption at rest applies to the storage where ePHI lives. For Dentrix on a local server, the server drives need full-disk encryption — BitLocker on Windows is the standard. For cloud-hosted Dentrix Ascend, the cloud provider handles encryption. The documentation step is confirming and recording which approach applies to each system that handles ePHI.
Source: Microsoft BitLocker documentation
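The "confirming and recording" step above is easy to do by hand once and hard to keep current. The script below is an added example written for this article, not code from Aptica or from Microsoft's documentation. It assumes an elevated PowerShell session on a Windows server or workstation that has the BitLocker module (Windows Server, Pro or Enterprise editions), and the output folder is an assumption you would change to wherever the practice keeps its HIPAA artifacts. It records every BitLocker volume on the machine to a dated CSV, which doubles as the per-system record the asset inventory row in the table above asks for, and it flags the one state that is easy to miss: a drive that reports "FullyEncrypted" while protection is suspended, which does not count as encryption at rest.

```powershell
# Added example (not from the page): record BitLocker status for every volume on a
# Windows system that stores ePHI, producing written evidence for the encryption-at-rest
# and asset-inventory items. Run in an elevated PowerShell session on a system with the
# BitLocker module. The output path is an assumption; point it at the practice's HIPAA folder.

$OutputPath = "C:\HIPAA\Artifacts\bitlocker-status-$(Get-Date -Format 'yyyy-MM-dd').csv"

# Identify the system so each row can be tied to an asset inventory entry.
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$hostname = $env:COMPUTERNAME

$rows = foreach ($vol in Get-BitLockerVolume) {
    # A volume only satisfies "encrypted at rest" when it is fully encrypted AND
    # protection is on. FullyEncrypted with ProtectionStatus Off means BitLocker is
    # suspended and the volume key is stored in the clear, so it is recorded as a gap.
    $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    [PSCustomObject]@{
        Hostname         = $hostname
        OSVersion        = $os.Caption
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType          # OperatingSystem or Data (removable drives also show as Data)
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod    # e.g. XtsAes256; None if never encrypted
        PercentEncrypted = $vol.EncryptionPercentage
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
        EncryptedAtRest  = $compliant
        RecordedOn       = (Get-Date).ToString('s')
    }
}

# Write the dated record; the folder is created if the practice has not set it up yet.
New-Item -ItemType Directory -Path (Split-Path $OutputPath) -Force | Out-Null
$rows | Export-Csv -Path $OutputPath -NoTypeInformation

# On-screen summary: any row with EncryptedAtRest = False is a gap to remediate and document.
$rows | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptedAtRest -AutoSize
$gaps = @($rows | Where-Object { -not $_.EncryptedAtRest })
Write-Host ("{0}: {1} volume(s) checked, {2} not encrypted at rest. Record saved to {3}" -f $hostname, @($rows).Count, $gaps.Count, $OutputPath)
```

Run it on each server and workstation that holds ePHI, keep the CSVs with the risk analysis, and rerun it at the mid-year check so the record stays current. For cloud-hosted systems such as Dentrix Ascend there is nothing local to scan; the equivalent artifact is the provider's written statement of how data at rest is encrypted, filed alongside the BAA.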
How often does the annual risk analysis actually need to be redone?
At minimum annually, and any time there is a significant change — new practice management system, new associate, new location, significant vendor change, or after a security incident. For a stable solo practice, an annual review with a mid-year check is a sensible rhythm.
Does my professional liability or general dental insurance cover HIPAA fines?
Almost universally no. HIPAA penalties and OCR settlements are excluded from most professional liability policies. A separate cyber liability policy is typically required, and cyber carriers are increasingly requiring documented Security Rule compliance as a condition of coverage and claim payment.
Can a dental office manager serve as the HIPAA Privacy Officer?
In many solo practices, she already functions as one. The proposed update does not require separate people for the Privacy Officer and Security Officer roles in a small practice — one person can hold both. What’s required is the written designation and a training record. The Westend Dental case is instructive here: the missing piece wasn’t the right person, it was the paperwork documenting her role and her training.
About Aptica
Aptica is a locally owned IT provider serving manufacturers, distributors, engineers, healthcare practices, and professional services firms across Northern Indiana, Southern Michigan, and Northwest Ohio. Founded in 2003 and based in Angola and Fort Wayne. BBB Accredited, A+ rated.
Angola: 113 E Maumee St, Angola, IN 46703 · (260) 243-5100
Fort Wayne: 1690 Broadway, Bldg 19, Suite 10, Fort Wayne, IN 46802 · (260) 243-5182
Web: apticallc.com · Email: info@apticallc.com
Call us. We answer the phone.