TL;DR — What changed, what's coming, and what to do about it
If you only have ninety seconds, here are the four things every Houston orthodontic practice owner should walk away knowing right now:
- OCR is auditing risk analysis failures aggressively. In 2025 alone, OCR closed 21 HIPAA enforcement actions, with the majority targeting practices that failed to conduct or update their Security Risk Analysis. The penalties range from $5,000 to over $1 million. Risk analysis isn't a binder you fill out once in 2019 and forget — and OCR has stopped pretending otherwise.
- The proposed 2026 Security Rule rewrite is the biggest HIPAA update since 2013. OCR's own regulatory agenda lists May 2026 as the target finalization date. If finalized as proposed, the rule will eliminate the long-standing distinction between "required" and "addressable" safeguards — making things like multi-factor authentication, encryption at rest, and annual vendor verification mandatory. Practices have ~240 days from final publication to comply.
- Solo practices are getting fined. The myth that "OCR only cares about hospitals" is wrong, and the data proves it. Gums Dental Care, a solo Maryland dental practice, was fined $70,000 in October 2024 for ignoring records access requests. Family Dental Care of Chicago paid $30,000. Paradise Family Dental paid $25,000. The fine schedule does not adjust for practice size.
- Most ortho practices have at least three of the five most-cited compliance gaps. Missing or expired Business Associate Agreements. Outdated Security Risk Analysis. Unencrypted text messaging from staff phones. Shared workstation logins. Lack of documented training. If any of these sound familiar, you don't have a problem in the future — you have a problem right now.
The rest of this article walks through each of these in detail, with specific actions tailored to orthodontic operations. If you'd rather just talk through it, book a free Bill Audit and HIPAA gap review — no pitch, no cost, just an honest conversation.
Part 1: The 2026 Security Rule update — what's actually changing
Where the rule stands today (April 2026)
On December 27, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) to substantially modify the HIPAA Security Rule. The NPRM was the first significant overhaul of the Security Rule since 2013. It landed in the Federal Register on January 6, 2025, opening a 60-day public comment period that closed on March 7, 2025. Roughly 5,000 public comments were submitted.
As of this writing, OCR's official regulatory agenda still lists May 2026 as the target finalization date. That timeline could shift. Federal agencies routinely extend rulemaking deadlines, and the proposed rule has drawn sharp pushback from major industry groups including the College of Healthcare Information Management Executives (CHIME) and a coalition of more than 100 hospital systems. They argue the cost burden — HHS estimates first-year compliance costs at roughly $9 billion industry-wide — is unreasonable for smaller practices.
But here's the practical reality for an orthodontic practice owner: the direction of travel is clear regardless of whether this specific rule finalizes in May, August, or 2027. OCR has been signaling these changes for years, and the underlying enforcement priorities are already being acted on through existing rule interpretations.
The five changes that matter most for ortho practices
If the proposed rule finalizes substantially as written, here are the changes that will hit a typical 6-12 person orthodontic practice hardest:
1. The end of "addressable" as a loophole. Today, the Security Rule has two categories of safeguards: "required" and "addressable." In theory, "addressable" meant a practice could document why a particular safeguard wasn't reasonable for their environment and implement an alternative. In practice, "addressable" became a way for practices to skip safeguards entirely. The NPRM eliminates this distinction. Every safeguard becomes required, with only narrow, specifically defined exceptions.
2. Mandatory multi-factor authentication on all systems containing ePHI. This is currently addressable. Under the proposed rule, it would be required for every system that touches protected health information. That includes your practice management system, your imaging server, your email if it contains patient data, your patient portal, and any cloud applications. No carve-outs for small practices.
3. Encryption at rest and in transit, with limited exceptions. Today, encryption is addressable. Under the proposed rule, it becomes required across the board. For an orthodontic practice, this means: encrypted backups, encrypted email when transmitting ePHI, encrypted laptops, encrypted mobile devices, encrypted imaging server storage, and encrypted PMS databases.
4. Annual written verification from business associates. Currently, you sign a Business Associate Agreement (BAA) and trust that the vendor is doing their part. Under the proposed rule, business associates would be required to provide annual written verification — certified by a subject matter expert — that required technical safeguards are deployed. If your practice has 15 vendors with BAAs (typical for a multi-PMS, multi-imaging-system orthodontic practice), that's 15 annual verifications you would need to collect, review, and file every year.
5. Annual compliance audits. The proposed rule would require formal compliance audits at least once every 12 months, with documented findings and corrective action plans. For most practices that have been running informal self-reviews, this formalizes the process and creates written records OCR can request during an investigation.
Timeline math, if you want to plan
If the rule finalizes on schedule in May 2026:
- Effective date: 60 days after publication (~July 2026)
- Compliance deadline for most provisions: 180 days after effective date (~January 2027)
- Practices have roughly 240 days from final publication to operational compliance
That's not a lot of runway for what's being asked, especially for a 6-12 person practice without dedicated IT staff. The practices that wait for the final rule to start preparing will be scrambling. The practices that start now will have time.
Part 2: The enforcement actions that should keep you up at night
The most dangerous mental model an orthodontic practice owner can have is "OCR doesn't really go after small practices." The 2024 and 2025 enforcement record proves this assumption wrong, and I want to walk through the specific cases so you can see the patterns.
The Gums Dental Care case: $70,000 for ignoring records requests
Gums Dental Care, a solo Maryland dental practice, was hit with a $70,000 civil monetary penalty in October 2024. The case is instructive because the underlying violation — failing to respond to records access requests — is something most practices wouldn't think of as a HIPAA emergency.
Here's what happened. A patient submitted written requests in April and June of 2019 for her own records and her children's records. The practice didn't respond. The patient filed a complaint with OCR in May 2019. OCR reached out to provide technical assistance. The practice ignored OCR's outreach. The patient filed a second complaint in August 2019. OCR opened a formal investigation and issued a data request letter in September 2019. The practice didn't respond. OCR followed up twice by phone, then by certified mail. Still no response. By the time the practice finally provided records in May 2022, three full years had passed since the original request.
The lesson isn't just "respond to records requests." It's that OCR escalates dramatically when practices ignore them. A $70,000 penalty for a solo dental practice is not abstract — that's a real number that comes out of real cash flow.
The pattern: risk analysis failures dominate 2025 enforcement
Of the 21 enforcement actions OCR closed in 2025, the majority cited inadequate or outdated Security Risk Analysis as a contributing factor. A few specific cases:
- Northeast Radiology ($350,000 settlement, April 2025) — PACS server exposure affecting imaging records. OCR cited deficiencies in conducting an enterprise-wide risk analysis.
- Health Fitness Corporation ($227,816 settlement, March 2025) — Misconfigured server exposed PHI online. OCR found the company had not completed a HIPAA-compliant risk analysis until January 2024 — for a breach that started in 2015.
- Vision Upright MRI (settled May 2025) — Multiple HIPAA Security Rule violations.
- Comprehensive Neurology (settled April 2025) — Risk analysis failures.
The Risk Analysis Initiative — a dedicated OCR enforcement program — has produced enforcement actions across practice sizes. The pattern is consistent: a practice completes an SRA one year, never updates it, and faces enforcement years later when something goes wrong. OCR treats the original SRA as evidence the practice knew about the obligation, which elevates the violation from "did not know" to "reasonable cause" or higher.
For an orthodontic practice, the operational triggers that should require an SRA update include:
- New PMS deployment (Cloud9, Open Dental, Dentrix Ascend, etc.)
- New imaging system installation (Carestream, Dexis, Sirona, Vatech, etc.)
- New patient communication platform
- Change in cloud hosting or backup vendor
- Office relocation
- Staff transitions involving systems administrators
- Acquisition of another practice
- Any reportable security incident
Most orthodontic practices have at least one of these triggers in any given year. Most haven't updated their SRA accordingly.
What 2026 enforcement will look like
OCR Senior Advisor for Cybersecurity Nick Heesters released guidance in early 2026 making clear that the agency is formally expanding its enforcement initiative beyond risk analysis to include risk management — what organizations actually do about the risks they identify. This matters because it raises the bar from "we did an SRA" to "we did an SRA and acted on it."
The enforcement direction is straightforward: practices that can demonstrate an ongoing, documented, framework-aligned (NIST CSF 2.0, NIST SP 800-66, HHS 405(d)) risk management program will be in dramatically better shape during any OCR investigation than those that can't.
Part 3: The five compliance gaps in nearly every orthodontic practice
After a decade running IT for nearly 100 orthodontic practices, I can tell you the five compliance gaps you'll find in nearly any unaudited practice. These aren't theoretical — they're patterns I've seen repeated across practices in Texas, Georgia, North Carolina, and beyond.
Gap 1: Missing or expired Business Associate Agreements
Every vendor that creates, receives, maintains, or transmits ePHI on your behalf is a business associate under HIPAA, and a signed BAA is required. The most common gap I see takes one of two forms: either the practice has unsigned BAA templates on file (a template is not an executed agreement), or the practice has a BAA from years ago that doesn't reflect the current vendor relationship.
A typical orthodontic practice has BAA obligations with all of the following:
- Practice management system vendor (Cloud9, Open Dental, Dentrix Ascend, etc.)
- Imaging system vendor and any cloud imaging service
- Email provider (if email touches PHI — and it does, for almost every practice)
- Cloud backup provider
- Patient communication platform
- IT support provider (yes, including us — every IT firm working in healthcare must sign BAAs)
- Phone/voice provider (especially if call recording or voicemail-to-email is enabled)
- Any AI receptionist or scheduling tool that handles patient calls
- Dental labs that receive patient identifiers along with cases
- Billing service or clearinghouse
The Raleigh Orthopaedic Clinic case is the textbook precedent here: OCR levied a $750,000 settlement against a practice that provided PHI to a vendor without a signed BAA. The violation didn't require a breach. The missing BAA itself was the basis for the enforcement action.
Action: Inventory every vendor that touches patient data. Verify BAA status for each. Execute agreements before any further ePHI is shared with vendors that lack them.
Gap 2: Outdated Security Risk Analysis
I covered this above, but it's worth repeating: an SRA that hasn't been updated since 2021 isn't a compliance program. It's evidence that the practice knew about the obligation and didn't maintain it. OCR's enforcement framework treats this as elevated culpability.
Action: If your last SRA is more than 18 months old, or predates a major systems change, schedule an updated analysis. The HHS Security Risk Assessment Tool is free and serviceable for small practices. For orthodontic environments with complex imaging and PMS configurations, a partner who understands the vertical will produce a more defensible result.
Gap 3: Unencrypted text messaging from staff phones
This is the most pervasive daily HIPAA violation in dental and orthodontic practices, and the one most practice owners don't recognize as a violation at all.
Every time a staff member texts a patient appointment information, treatment details, insurance updates, or any identifying information from a personal iPhone using standard SMS — that is an unauthorized disclosure of ePHI. Standard SMS is not end-to-end encrypted in a way that satisfies the HIPAA Security Rule. WhatsApp, Facebook Messenger, and personal Gmail or Outlook accounts (without specific HIPAA-compliant configuration and a BAA) all fail the same test.
OCR has issued penalties in cases where staff used personal devices for patient communication without a documented mobile device policy. The Security Rule explicitly requires that ePHI transmitted over open networks be encrypted (45 CFR §164.312(e)(2)(ii)).
Action: Implement a HIPAA-compliant patient messaging platform with a signed BAA. Document a policy prohibiting clinical communication via personal device texting. Train staff and obtain acknowledgment.
Gap 4: Shared workstation logins
The "everyone uses the same password" approach remains common in dental and orthodontic offices, especially at front desks where multiple staff rotate through the same computer during the day. This violates HIPAA's access control and audit trail requirements (45 CFR §164.312(a)(2)(i)) and makes individual audit logging impossible. OCR has cited shared passwords as a direct violation in enforcement actions.
Under the proposed 2026 mandatory MFA requirement, shared logins become doubly problematic — they undermine the entire purpose of multi-factor authentication.
Action: Each staff member needs a unique login. Configure your PMS, imaging system, email, and any other ePHI-containing system for individual user accounts with appropriate role-based permissions.
Gap 5: Inadequate workforce training
HIPAA requires training at onboarding, at least annually thereafter, and whenever new systems or policies are introduced. The training must be documented with attendance records, topics covered, and dates.
The most common failure modes I see: training was done in 2022 and never repeated, training was done verbally without documentation, or training covered "general HIPAA" without addressing the specific orthodontic environment (imaging, multi-location, treatment planning workflows, lab interactions).
Action: Implement structured annual training with documented attendance. Refresh whenever you bring in new systems. Keep records for at least six years.
Part 4: The 2026 compliance playbook for an orthodontic practice
Here's what I recommend a typical 6-12 person Houston orthodontic practice do over the next 12 months to get ahead of both current enforcement and the coming Security Rule update.
This quarter (Q2 2026)
- Run a vendor inventory and BAA audit. List every vendor that touches patient data. Verify executed BAAs. Address gaps within 30 days.
- Schedule a Security Risk Analysis update if your last one is more than 18 months old. The HHS SRA Tool is free; an experienced partner will produce a more defensible result.
- Replace personal-device texting with a HIPAA-compliant messaging platform. Multiple options exist; prioritize one that integrates with your PMS.
- Audit user accounts on all ePHI-containing systems. Every active user gets a unique login. Disable shared accounts.
Next quarter (Q3 2026)
- Deploy multi-factor authentication on every system containing ePHI. This is moving from addressable to mandatory; better to be ahead than behind.
- Encrypt all backups and confirm encryption at rest for imaging server storage. Verify backups are tested and restorable.
- Document your current technical safeguards in a Written Information Security Program. Most practices have safeguards in place but no documented record of them. The proposed rule formalizes this.
Q4 2026 / Q1 2027
- Run a tabletop incident response exercise. Document the plan, walk your staff through it, and refine. The proposed rule expects documented incident response procedures.
- Refresh annual training and document attendance. Roll into 2027 with current records.
- Annual compliance audit. This is the one that becomes formal under the proposed rule. Even if the rule doesn't finalize on schedule, having an annual audit on the books is defensive posture you'll never regret.
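The five gaps in Part 3 and the Q2/Q3 actions above are checkable rules, not judgment calls, so they can be encoded once and re-run every quarter. The script below is an added example written for this article; it is not code from Trigon Heights, HHS, or any PMS vendor. It applies the article's own thresholds (an executed BAA for every ePHI vendor, annual vendor verification under the proposed rule, an SRA no older than 18 months and not predating any systems change, unique logins and MFA and encryption at rest on every ePHI system, documented training within the last 12 months) to a constructed practice inventory. All vendor names, system names, and dates are made up for illustration, the 548-day figure is my approximation of 18 months, and the `compliance_deadlines` function simply applies the 60-day and 180-day intervals from the timeline math in Part 1.

```python
"""Compliance gap check over a practice's ePHI inventory (hypothetical example).

Encodes the five gaps from Part 3 and the Q2/Q3 actions from Part 4 as rules.
Every vendor, system, and date below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

SRA_MAX_AGE = timedelta(days=548)           # approximates the article's "more than 18 months old"
TRAINING_MAX_AGE = timedelta(days=365)      # training at least annually
VERIFICATION_MAX_AGE = timedelta(days=365)  # annual written verification (proposed rule)


@dataclass
class Vendor:
    name: str
    handles_ephi: bool
    baa_executed: Optional[date]        # None means unsigned template or no BAA at all
    last_verification: Optional[date]   # date of last written safeguard verification


@dataclass
class System:
    name: str
    holds_ephi: bool
    mfa_enabled: bool
    encrypted_at_rest: bool
    deployed: date                      # install or major change date (an SRA trigger)
    shared_accounts: List[str] = field(default_factory=list)  # generic logins like "frontdesk"


@dataclass
class Practice:
    vendors: List[Vendor]
    systems: List[System]
    last_sra: Optional[date]
    last_training: Optional[date]
    personal_sms_allowed: bool          # staff text patients from personal phones over SMS


def find_gaps(p: Practice, today: date) -> List[str]:
    """Return one human-readable finding per gap; an empty list means no gaps found."""
    gaps: List[str] = []
    # Gap 1: executed BAA for every ePHI vendor, plus annual verification.
    for v in p.vendors:
        if not v.handles_ephi:
            continue
        if v.baa_executed is None:
            gaps.append(f"BAA: no executed BAA with {v.name}")
        elif v.last_verification is None or today - v.last_verification > VERIFICATION_MAX_AGE:
            gaps.append(f"BAA: annual safeguard verification overdue for {v.name}")
    # Gap 2: SRA missing, older than 18 months, or predating a systems change.
    if p.last_sra is None:
        gaps.append("SRA: no Security Risk Analysis on file")
    else:
        if today - p.last_sra > SRA_MAX_AGE:
            gaps.append("SRA: more than 18 months old")
        for s in p.systems:
            if s.deployed > p.last_sra:
                gaps.append(f"SRA: predates deployment of {s.name}")
    # Gap 3: patient communication over personal-device SMS.
    if p.personal_sms_allowed:
        gaps.append("Messaging: personal-device SMS permitted for patient communication")
    # Gap 4 and the Q3 actions: unique logins, MFA, encryption at rest on ePHI systems.
    for s in p.systems:
        if not s.holds_ephi:
            continue
        if s.shared_accounts:
            gaps.append(f"Access: shared logins on {s.name}: {', '.join(s.shared_accounts)}")
        if not s.mfa_enabled:
            gaps.append(f"MFA: not enabled on {s.name}")
        if not s.encrypted_at_rest:
            gaps.append(f"Encryption: no encryption at rest on {s.name}")
    # Gap 5: documented training within the last 12 months.
    if p.last_training is None or today - p.last_training > TRAINING_MAX_AGE:
        gaps.append("Training: no documented training within the last 12 months")
    return gaps


def compliance_deadlines(final_rule_published: date) -> Tuple[date, date]:
    """(effective date, compliance deadline): 60 days, then 180 more, per the article's timeline."""
    effective = final_rule_published + timedelta(days=60)
    return effective, effective + timedelta(days=180)


# Constructed inventory: names and dates are illustrative, not a real practice.
AS_OF = date(2026, 4, 15)
PROPOSED_PUBLICATION = date(2026, 5, 1)   # assumed publication date for the timeline check
EXAMPLE_PRACTICE = Practice(
    vendors=[
        Vendor("ExamplePMS Cloud", True, date(2024, 2, 1), date(2025, 9, 1)),
        Vendor("Example Imaging Cloud", True, None, None),
        Vendor("Example Backup Co", True, date(2022, 6, 1), None),
        Vendor("Example Office Supply (no PHI)", False, None, None),
    ],
    systems=[
        System("PMS", True, True, True, date(2024, 2, 1)),
        System("Imaging server", True, False, False, date(2025, 11, 10), ["frontdesk", "xray"]),
        System("Email", True, True, True, date(2020, 1, 1)),
    ],
    last_sra=date(2025, 3, 1),
    last_training=date(2025, 1, 20),
    personal_sms_allowed=True,
)

if __name__ == "__main__":
    for finding in find_gaps(EXAMPLE_PRACTICE, AS_OF):
        print(finding)
    eff, due = compliance_deadlines(PROPOSED_PUBLICATION)
    print(f"If published {PROPOSED_PUBLICATION}: effective {eff}, compliance due {due}")
```

Run it after each quarterly review with the inventory updated; the useful output is the list of findings, and the inventory file itself becomes part of the written record of what you checked and when.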
What this costs, honestly
A typical 6-12 person orthodontic practice can complete this entire program in twelve months for somewhere between $4,000 and $12,000 of total professional services investment, depending on existing infrastructure and how much remediation is needed. That's spread across the year as project work — not a single line item.
Compare that to the $30,000-$70,000 typical settlement amounts for solo dental practices, plus breach response costs ($3-5 per affected individual for notification, plus credit monitoring, plus forensic investigation typically $50,000-$500,000+, plus business disruption), plus the $10.93 million average healthcare data breach cost reported by the Ponemon Institute. The math is straightforward: compliance is the cheaper option by an order of magnitude.
Part 5: How an IT partner like Trigon Heights fits into this
I want to be honest about scope. HIPAA compliance is not solved by any single vendor — including us. A defensible compliance program requires alignment across:
- Practice operations (your team, your training, your policies)
- Practice management software (Cloud9, Open Dental, Dentrix Ascend, etc.)
- Imaging infrastructure (Carestream, Dexis, Sirona, Vatech, etc.)
- IT infrastructure (network, endpoints, backups, MFA, encryption)
- Communication platforms (email, secure messaging, phones)
- Vendor management (BAAs, annual verification under the proposed rule)
- Documentation (written program, SRA, training records, incident response plans)
What an orthodontic-specialty IT partner like Trigon Heights handles is the IT infrastructure and vendor coordination — the technical safeguards, the documentation we own, the operational implementation of MFA and encryption and backups, the BAA management, and the written records that prove your program is real.
What we don't do — and what no IT vendor should claim to do — is the legal interpretation of the rules, the clinical workflow decisions about treatment planning and imaging, or the practice-side decisions about staff training and policies. Those need a HIPAA attorney, your clinical leadership, and your practice manager respectively.
The right relationship is one where your IT partner handles their part rigorously and coordinates with the others. That's what we're built to do for orthodontic practices in Houston.
What to do next
If you've read this far, you have one of three responses:
1. "We're already in good shape on most of this." Great. The next thing worth doing is a formal gap assessment to verify that. We do these as part of our standard onboarding, but you can also have your existing IT partner walk you through a documented review.
2. "We have some of these gaps but I'm not sure which." This is where most practices are. The fastest way to find out is a structured assessment — pick a partner who's done this in orthodontic environments specifically (the gotchas are different from a general medical practice).
3. "We have most of these gaps and I don't know where to start." That's a very common honest answer, and it's not a crisis as long as you start. Pick one item from this article — the Q2 list — and address it this week. Then the next one. Twelve months from now, you'll be in a fundamentally different position than the practices around you that are still saying "we'll get to it."
If you'd like to talk it through with someone who's done this for nearly 100 orthodontic practices, book a free Bill Audit and HIPAA gap conversation. No pitch. Just an honest read on where you stand.
About the author
Steve Miranda is the founder of Trigon Heights, a Houston-based managed IT firm built specifically for orthodontic practices. Steve spent 23 years in IT, including 10 in healthcare and 3 at Microsoft, and most recently built and ran the IT function at a HIPAA-compliant scheduling service supporting nearly 100 orthodontic practices nationwide. Trigon Heights is HIPAA-aligned and offers free Bill Audits and HIPAA gap reviews to Houston-area orthodontic practices.
Sources and further reading
This article is based on primary sources including the HHS Office for Civil Rights regulatory agenda, the HIPAA Security Rule NPRM published in the Federal Register on January 6, 2025 (Docket ID HHS-OCR-0945-AA22), and OCR's Resolution Agreements page at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/. Specific case figures and 2025 enforcement totals were cross-referenced with HIPAA Journal, Medcurity, and the OCR enforcement portal as of April 2026.
For practice owners who want to go deeper:
- HHS OCR Regulatory Initiatives — the authoritative source for current rule status
- HHS Security Risk Assessment Tool — free, government-issued
- NIST Cybersecurity Framework 2.0 — the framework most defensible compliance programs map to
- HHS 405(d) Health Industry Cybersecurity Practices — practical, healthcare-specific guidance
Trigon Heights is not a law firm and this article is not legal advice. Consult a qualified healthcare attorney for legal interpretation of HIPAA requirements for your specific practice.
Want a free HIPAA gap conversation?
30-minute discovery call with a free Bill Audit included. We'll walk through where your practice stands on the five gaps in this article — no pitch, no cost, just an honest read on where you are.