
HIPAA NPRM Readiness for Dental Practices: What Your IT Provider Should Be Able to Show

May 13, 2026 | 7 min read

REZ CYBER | DENTAL READINESS

A practical dental IT roadmap for stronger controls, clearer documentation, and better evidence around patient data, PMS, imaging, backups, MFA, and vendor access.

If you own or manage a dental practice, HIPAA Security Rule headlines can feel distant from the daily reality of keeping chairs full. The practical question is not whether you can recite regulatory language. It is whether your practice can show evidence that patient data, core dental systems, and recovery workflows are being protected in a disciplined way.

That is the useful way to read the HIPAA Security Rule NPRM: not as panic fuel, but as a readiness roadmap. HHS is pointing toward stronger controls, better documentation, more specific risk analysis, and clearer proof that the systems holding electronic protected health information are understood and managed.

Why this matters for dental practices

Dental IT is production infrastructure. When a server, workstation, imaging bridge, cloud account, email inbox, or vendor remote access path breaks, the impact shows up in scheduling, claims, patient records, imaging, front desk workflow, and chair flow.

The NPRM is valuable because it points owners and office managers toward a more practical conversation with IT: What do we have, where does patient data live, who can access it, how is it protected, and what evidence can we show if something goes wrong?

Start with what is already active today

The current HIPAA Security Rule already establishes standards for protecting electronic protected health information. In plain dental terms, that means your practice should be able to show reasonable administrative, physical, and technical safeguards around the systems that create, receive, maintain, or transmit ePHI.

Current Security Rule translation

Administrative safeguards: ownership, training, access decisions, incident procedures, contingency planning, evaluation, and vendor documentation.

Physical safeguards: how devices, operatories, servers, workstations, and facility access are managed.

Technical safeguards: access controls, audit controls, authentication, integrity protections, and transmission security.

This is why HIPAA readiness is not just a firewall question. It is an evidence question. A dental practice needs a practical way to show how patient data is handled across the real systems the office uses every day.

Where dental ePHI usually lives

Before you can ask for better documentation, you need to know what should be in scope. For a dental practice, ePHI may live in more places than one server or one cloud app.

· Practice management systems such as Dentrix, Eaglesoft, Open Dental, or other scheduling, charting, and billing platforms.

· Imaging systems, sensors, panoramic images, CBCT data, DICOM folders, bridge software, and image exports.

· Email, patient communication tools, referral messages, attachments, and portals.

· Claims, payment workflows, eligibility checks, e-services, and other payer-related systems.

· Backups, server shares, workstation folders, cloud storage, vendor support tools, and remote access paths.

A good readiness conversation starts by mapping these systems instead of treating the office as one generic network.

What the NPRM points toward

The practical point is the direction of travel. HHS is pointing toward stronger controls, clearer documentation, and more repeatable evidence. For dental owners, those themes can become a working checklist even before any final rule pressure arrives.

1. Asset inventory and network map. Your IT provider should be able to list the technology assets that affect ePHI and explain, in plain language, how patient data moves through the office.

2. More specific written risk analysis. Readiness should include a documented look at threats, vulnerabilities, system dependencies, and what needs to be prioritized.

3. MFA and stronger access control. Email, remote access, administrator accounts, cloud systems, and vendor access should not depend on weak or shared credentials.

4. Encryption and transmission security. Patient data should be protected when it is stored and when it moves, with exceptions handled deliberately and documented.

5. Vulnerability scanning and testing. Your practice should have a repeatable process for finding and addressing exposed systems, missing patches, configuration issues, and avoidable technical risk.

6. Network segmentation. Clinical systems, guest Wi-Fi, staff devices, vendor access, servers, and backups should not all live in one flat dependency chain.

7. Backup and recovery evidence. The important question is not whether a backup product says it succeeded. It is whether your PMS, imaging, and critical files can be restored in a way your practice can prove.

8. Incident response documentation. When something happens, the team should know who calls IT, who contacts the PMS vendor, who contacts the imaging vendor, who handles backup recovery, and who coordinates legal or insurance questions.

What your IT provider should be able to show

You do not need to become a cybersecurity engineer to ask better questions. You need practical evidence. Use these questions in your next IT review or vendor conversation.

1. Can you show us our dental technology asset inventory? It should include servers, workstations, laptops, network equipment, backup systems, cloud services, imaging systems, and remote access tools that can affect ePHI.

2. Can you show us a simple network and data-flow map? This does not need to be beautiful. It needs to explain where patient data lives and how it moves between PMS, imaging, email, claims, backups, and vendors.

3. When was our risk analysis last reviewed? Ask what changed since the last review, which risks were prioritized, and which items still need attention.

4. Where is MFA active today? Ask specifically about email, remote access, admin accounts, cloud portals, vendor access, and any account that can reach sensitive systems.

5. Do all users have unique logins? Shared logins make accountability and access removal harder, especially when staff leave or roles change.

6. Can we see backup restore evidence? Ask for proof that PMS data, imaging data, documents, and server data can be restored, not just a screenshot that a backup job ran.

7. How is vendor remote access controlled? Dental practices often rely on PMS, imaging, sensor, billing, and hardware vendors. Each remote access path should be known and managed.

8. Do we have an incident contact sheet? At minimum, your team should know who to call for IT, PMS, imaging, backup, insurance, legal, and leadership decisions.
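Item 7 of the NPRM list and question 6 above both come down to the same repeatable check: restore the backup somewhere safe, compare what came back against what was protected, and keep the dated result. The script below is an added example of that check, not REZ Cyber's tooling or any backup vendor's code. It assumes the backup is a gzip tar archive that Python's standard library can read; the PMS folder, the file contents and the three archives it builds are constructed for the demo, and the "partial" and "stale" cases show the two ways a job can report success while the restore still fails.

```python
"""Backup restore evidence (added example, not the page's or a vendor's code):
restore an archive to scratch space and prove, file by file, that the
restored data matches the live data it was supposed to protect."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large imaging files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def restore_archive(archive: Path, target: Path) -> None:
    """Extract into a fresh scratch directory, never over live data."""
    target.mkdir(parents=True, exist_ok=False)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # 'data' filter (3.12, backported to 3.8.17+) rejects members that
            # would land outside target or carry unsafe ownership/mode bits.
            tar.extractall(target, filter="data")
        except TypeError:  # interpreter predates the filter argument
            tar.extractall(target)


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict:
    """Compare the restored tree to the manifest; return an evidence record."""
    missing = [rel for rel in manifest if not (restored_root / rel).is_file()]
    mismatched = [rel for rel, digest in manifest.items()
                  if rel not in missing and sha256_file(restored_root / rel) != digest]
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "result": "PASS" if not (missing or mismatched) else "FAIL",
    }


def run_restore_test(source_root: Path, archive: Path, scratch: Path) -> dict:
    """Manifest the live data, restore the archive to scratch, verify."""
    manifest = build_manifest(source_root)
    restore_archive(archive, scratch)
    return verify_restore(manifest, scratch)


def write_evidence(report: dict, path: Path) -> Path:
    """Persist the dated report as JSON for the readiness binder."""
    path.write_text(json.dumps(report, indent=2))
    return path


def make_archive(root: Path, archive: Path) -> None:
    """Tar every file under root with a root-relative name (constructed backup)."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(root).as_posix())


def demo() -> dict[str, dict]:
    """Constructed scenarios: a good backup, one that dropped the imaging
    folder, and one whose 'successful' job captured stale schedule data."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "pms_data"
        (live / "images").mkdir(parents=True)
        (live / "schedule.db").write_bytes(b"constructed sample: today's schedule")
        (live / "images" / "pano_0001.dcm").write_bytes(b"constructed sample: not a real DICOM")
        good = tmp / "good.tar.gz"
        make_archive(live, good)

        partial = tmp / "partial.tar.gz"  # imaging folder silently skipped
        with tarfile.open(partial, "w:gz") as tar:
            tar.add(live / "schedule.db", arcname="schedule.db")

        stale_src = tmp / "stale_copy"  # older copy of the schedule
        (stale_src / "images").mkdir(parents=True)
        (stale_src / "schedule.db").write_bytes(b"constructed sample: last week's schedule")
        (stale_src / "images" / "pano_0001.dcm").write_bytes(b"constructed sample: not a real DICOM")
        stale = tmp / "stale.tar.gz"
        make_archive(stale_src, stale)

        reports = {
            "good": run_restore_test(live, good, tmp / "restore_good"),
            "partial": run_restore_test(live, partial, tmp / "restore_partial"),
            "stale": run_restore_test(live, stale, tmp / "restore_stale"),
        }
        write_evidence(reports["good"], tmp / "restore_evidence.json")
        return reports


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["result"], "missing:", r["missing"], "mismatched:", r["mismatched"])
```

The point of the manifest is that it is built from the live data at test time, so a backup job that reports success but skipped a folder or captured an older copy still fails the check. The JSON record is the artifact to keep: a dated PASS with file counts is evidence a practice can show, where a screenshot of a green job status is not.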

Download the free 5-question scorecard →

Use this as a readiness roadmap

A dental practice does not need to solve every control in one meeting. The better approach is to turn the NPRM themes into an evidence roadmap: identify the highest-impact systems, close obvious access gaps, document the backup and recovery path, and make the practice less dependent on assumptions.

For many offices, the first useful step is a short Dental IT Checkup focused on evidence: what is known, what is documented, what is being monitored, and what still depends on memory, habit, or vendor promises.

Want help reviewing your evidence?

REZ Cyber helps dental practices connect HIPAA Security Rule readiness to the systems that actually keep the office moving: PMS, imaging, email, claims, backups, staff accounts, vendor access, and recovery planning.

Get a Free Dental IT Checkup →

Frequently asked questions

Is the HIPAA Security Rule NPRM final?

As of May 7, 2026, the cybersecurity update is proposed, not final. That does not make it irrelevant. It is useful because it shows where HHS is pointing: stronger controls, clearer documentation, and more evidence around ePHI protection.

What should a dental practice ask its IT provider for first?

Start with four pieces of evidence: an asset inventory, a simple network or data-flow map, MFA coverage, and backup restore evidence for PMS, imaging, and critical files. Those four items quickly reveal whether the practice has a managed readiness process or scattered assumptions.

Where does dental ePHI live?

Dental ePHI can live in PMS records, imaging systems, CBCT or DICOM files, emails and attachments, claims workflows, patient communication tools, server folders, cloud platforms, backups, exports, and vendor support systems.

Does the NPRM make MFA a finalized new HIPAA mandate?

No. The NPRM proposes MFA with limited exceptions, but that is different from a finalized rule. Still, MFA is one of the most practical readiness controls for email, remote access, administrator accounts, cloud tools, and vendor access.

Does a Dental IT Checkup replace legal HIPAA advice?

No. A Dental IT Checkup is an operational and technical readiness review. It can help organize evidence, identify IT gaps, and support better conversations with counsel or compliance advisors, but it is not legal advice and it is not a HIPAA compliance certification.

Bottom line

The HIPAA NPRM is not just a regulatory headline. For dental practices, it is a useful prompt to ask for evidence before the pressure arrives: What systems hold patient data, how are they protected, who can access them, and can the practice recover when something fails?

REZ Cyber is a Westchester-based, dental-focused cybersecurity and IT partner serving practices across the New York metro area. We help dental practices keep chairs full and data protected.
