Southwest Networks - Managed IT Services & Cybersecurity
Compliance · Cybersecurity · Network Security · 6 min read

HIPAA Security Rule Overhaul: What Healthcare and Dental Practices Must Do Before Enforcement Hits

By Matt Disher ·
A practice manager in scrubs reviewing a compliance checklist on a tablet at the front desk, concerned expression on their face, multiple doctors and staff around them not sure what to do.

HIPAA Security Rule Overhaul: What Healthcare and Dental Practices Must Do Before Enforcement Hits

For the first time since 2013, HHS has proposed sweeping changes to the HIPAA Security Rule — and if your medical or dental practice has been treating security as an annual checkbox exercise, the compliance gap you’ve built up over the last decade is about to become a very expensive problem.

According to HIPAA Journal, the updated rule moves multi-factor authentication (MFA) and encryption from “addressable” options to hard requirements, mandates annual security risk assessments, and introduces network segmentation obligations that most practice managers have never had to think about. HHS aimed to finalize these updates by May 2026, with a compliance timeline that leaves little room for the slow, reactive approach that’s been the industry norm.

What the Old Framework Actually Told Us About the New One

The most revealing part of this update isn’t what HHS is adding — it’s what the change exposes about what was always supposed to be there.

Matt Disher, president of Southwest Networks and a CISSP- and HCISPP-certified cybersecurity expert, said the plain truth is that the old “addressable” language gave practices a fig leaf they shouldn’t have had. “Unfortunately the rules don’t update as fast as the attackers do,” Matt told our team, “so things that should be mandatory now due to the attackers finding vulnerabilities don’t get discussed as quickly as they should.”

Think about what that means in practice: a medical office could have been technically HIPAA-compliant for the last 12 years without encrypting patient records on their systems. Encryption has been a cybersecurity baseline for well over a decade. Attackers figured that out long before regulators caught up.

The HHS HIPAA breach portal is a sobering read — it lists hundreds of healthcare breaches reported every year, many of them affecting small practices that assumed their software vendor’s compliance covered them. It doesn’t.

The Gap Between Compliance and Security — and Why It’s Dangerous

Here’s the thing that mainstream coverage of this story almost always misses: compliance and cybersecurity are not the same thing, and confusing them is one of the most expensive mistakes a healthcare practice can make.

In Matt’s view, this distinction is critical. “Compliance and cyber security are 2 different things,” he said. “Being compliant does not in itself make you secure. The same is true that being secure doesn’t make you compliant.”

This plays out in a specific, recurring way with healthcare clients. A practice completes its annual HIPAA review — or hands it off to their EMR vendor and assumes that covers them — and then operates for another 12 months without asking whether their actual technical environment is defensible. When something goes wrong, the audit reveals that the risk assessment was either incomplete, generic, or based on a fundamental misunderstanding of what OCR actually requires.

Matt is direct about how that plays out: “Those risk assessments are very specific in what they require and there is no grey area to the answers — you are either following the requirement 100% or you are not doing it at all.”

The “my EMR vendor is HIPAA compliant so I am too” assumption deserves particular attention. Your EMR vendor being compliant means their software meets certain standards. It says nothing about how your network is configured, who has access to what, whether your staff workstations are encrypted, or whether your office Wi-Fi is properly segmented. Those are your obligations, not your vendor’s.

Network Segmentation: What It Actually Means for a Medical Office

Network segmentation is getting attention in the new rule, but it’s one of those terms that glazes over most practice managers’ eyes. Here’s what it actually means inside a typical medical or dental office.

Right now, many practices run everything on the same network — front-desk computers, clinical workstations, imaging equipment, printers, even the guest Wi-Fi that patients connect to in the waiting room. If any one of those devices gets compromised, an attacker can move laterally across the entire network. Patient records, billing systems, insurance portals — all of it is reachable once they’re in the door.

Segmentation means separating those devices onto distinct networks with controlled access between them. Printers on one segment. Clinical systems on another. Administrative systems on a third. If something gets infected on the printer network, the blast radius stays contained there — it can’t reach your ePHI.

Matt describes the goal simply: “The amount of damage can be limited and in theory easier to clean up.” That’s not a theoretical benefit. It’s the difference between a contained incident that costs you a few hours and a full-practice shutdown that costs you weeks, plus whatever OCR decides to do about it afterward.

The NIST Cybersecurity Framework has long treated network segmentation as a foundational control, and CISA echoes this in its guidance for critical sectors. Healthcare is now catching up at the regulatory level to what security professionals have been recommending for years.

FAQ

Does my EMR vendor’s HIPAA compliance cover my practice’s obligations?

No — and this is one of the most common and costly misconceptions in healthcare IT. Your EMR vendor’s compliance certifications apply to their software and infrastructure. Your obligations under HIPAA cover your entire environment: how your network is configured, who has access to patient data, whether your workstations are encrypted, how your staff handles credentials, and whether your risk assessment is complete and accurate. Vendor compliance does not transfer to your practice.

What’s the real enforcement risk — isn’t it true that most practices never actually get fined?

Matt addresses this directly, and it’s worth hearing clearly:

“Most doctors don’t know anyone who has been fined. Because of this they are slow to implement as they don’t see it as a threat to the practice. I have also been told multiple times by potential clients, if they do get caught they will just close the practice and retire early. At that point I move on and choose not to work with that practice as it is just going to be an argument. Those doctors also don’t understand that the fine falls on them, so they will have no retirement possibly.” — Matt Disher, CISSP, HCISPP

HIPAA fines under the updated rule can reach $1.5 million per violation category per year. OCR enforcement actions have increased meaningfully in recent years, and the new rule’s stricter requirements — combined with mandatory annual assessments — give auditors more surface area to find gaps. The “I’ll deal with it if it happens” posture is a bet on outcomes that are getting harder to count on.

What does a risk assessment that would hold up under an OCR audit actually look like?

It’s specific, documented, and covers every system that touches ePHI. It’s not a vendor checklist or a self-reported questionnaire. It addresses technical, physical, and administrative safeguards — individually, with evidence. And it gets updated when your environment changes, not just on a calendar anniversary. If your current risk assessment is a PDF you got from your billing software vendor, it will not hold up.

Does being more secure automatically mean we’re more compliant?

No. Security and compliance are related but distinct. You can have excellent technical controls and still fail an OCR audit because your documentation is incomplete, your workforce training logs are missing, or your business associate agreements aren’t current. Both sides of the equation require deliberate attention. The new rule raises the technical floor, but the administrative and documentation requirements don’t go away.

What to Do in the Next 30 Days

The compliance clock is running. Here’s where to focus right now:

Get a real risk assessment — not a checklist. If your last risk assessment was completed by your EMR vendor or a form on a website, get a qualified third party to walk through your actual environment. Know where your ePHI lives, who has access to it, and whether your controls are documented and enforceable.

Treat MFA as non-negotiable starting today. The rule makes it mandatory. More importantly, it’s one of the most effective single controls you can implement. Every system that touches patient data needs MFA. If you’re not sure whether yours does, that’s the first answer to get.

Audit your encryption posture. Are the devices in your office — workstations, laptops, portable drives — encrypted? Is ePHI encrypted at rest and in transit? These are no longer optional considerations.

Ask your IT provider specifically about network segmentation. Not “are we secure?” Ask: “Is our clinical network separated from our administrative network and guest Wi-Fi?” If your provider can’t answer that clearly, that’s a problem worth solving before OCR asks the same question.

Don’t wait for enforcement pressure to take this seriously. The practices that will struggle under the new rule are the ones that wait for a breach or a fine to prompt action. The ones that will be fine are the ones that treat security as ongoing operations, not a once-a-year event.

If you’re not sure where your practice stands, a structured assessment is the right starting point. Schedule a discovery call with our team and we’ll help you figure out where the real gaps are before they become compliance violations.

Ready to Protect Your Business?

Schedule a free consultation with our team. No obligation, no pressure — just a clear picture of where you stand.

Or take the free IT security assessment first — see exactly where you stand in minutes.