2026 HIPAA Security Rule Update — Action Required

Your Practice Has 180 Days to Comply With New HIPAA Requirements.

The 2026 HIPAA Security Rule update makes annual penetration testing and vulnerability scanning mandatory for every dental practice, medical clinic, chiropractor, and healthcare provider in the United States. Most small practices are not prepared.

$50K+: minimum HIPAA fine per violation
180: days to achieve compliance from rule effective date
1 in 3: small healthcare practices hit by a breach last year
Who Is Affected

If You Handle Patient Data, HIPAA Applies to You.

Any provider that creates, stores, or transmits protected health information (PHI) is a covered entity under HIPAA. The 2026 update applies to all of them — regardless of practice size.

🦷

Dental Practices

X-ray records, patient charts, insurance data, and billing information all qualify as PHI. Most dental practices store years of patient records with minimal security controls.

Highest Risk
🏥

Medical Clinics

General practice, urgent care, and specialty clinics handling diagnosis records, prescriptions, and patient histories.

High Risk
🧘

Chiropractors

Treatment records, insurance billing, and referral documentation all fall under HIPAA — including small single-provider practices.

High Risk
🏃

Physical Therapists

Rehabilitation records, treatment plans, and progress notes are PHI subject to the same requirements as any other covered entity.

High Risk
🧠

Mental Health Providers

Therapy notes and mental health records carry some of the highest sensitivity under HIPAA — and attract significant breach penalties.

Highest Risk
👁️

Optometrists

Vision records, prescription history, and insurance claims all qualify as PHI subject to HIPAA Security Rule requirements.

Medium Risk
⚠️

Practice size does not matter. The 2026 HIPAA Security Rule update applies to solo practitioners, small group practices, and large health systems equally. There is no small business exemption.

What Changed

The 2026 HIPAA Security Rule Update — What Your Practice Now Must Do.

The Department of Health and Human Services finalized significant updates to the HIPAA Security Rule. These are mandatory requirements — not recommendations. View the official HHS update: https://www.hhs.gov/hipaa/for-professionals/security/index.html

01
🔍

Annual Penetration Testing

Practices must now conduct and document a professional penetration test at least once per year. This was previously recommended — it is now mandatory.

New Requirement
02
🛡️

Vulnerability Scanning

Regular vulnerability scans of all systems that store or transmit PHI are now required — not just recommended. Frequency must be documented and justified.

New Requirement
03
📋

Annual Policy Review

All security policies and procedures must be reviewed and updated at least annually — with documented evidence that the review took place.

Strengthened
04
🔐

Encryption Requirements

Encryption of PHI at rest and in transit is now explicitly required. The previous "addressable" standard has been tightened significantly.

Strengthened
05
👥

Multi-Factor Authentication

MFA is now required for all systems accessing PHI — including practice management software, email, and remote access tools used by staff.

New Requirement
06

Incident Response Planning

A written, tested incident response plan is required — including specific procedures for breach detection, containment, and patient notification.

Strengthened

Not sure if you're compliant? Most small practices aren't. Our free assessment tells you exactly where you stand against every one of these requirements.

Check My Compliance — Free →
Self Assessment

Is Your Practice HIPAA Compliant? Check These 12 Requirements.

Work through this checklist honestly. Every item marked "No" or "Not Sure" is a potential HIPAA violation — and a fine waiting to happen.

Technical Safeguards
  • Encryption: All devices storing PHI use full-disk encryption.
  • Multi-Factor Authentication: MFA is enabled on all systems that access patient data.
  • Automatic Logoff: Workstations automatically lock after a period of inactivity.
  • Penetration Testing: A professional pen test has been conducted within the last 12 months.

Administrative Safeguards
  • Written Security Policy (WISP): Your practice has a documented written information security plan.
  • Annual Policy Review: Security policies have been reviewed and updated within the last 12 months.
  • Staff Training: All staff have received HIPAA security awareness training within the last year.
  • Incident Response Plan: A written breach response plan exists and has been tested.

Physical & Network Safeguards
  • Network Security: Patient data is on a separate network from guest Wi-Fi and general office use.
  • Backup & Recovery: PHI is backed up regularly and recovery has been tested within the last 6 months.
  • Business Associate Agreements: BAAs are signed with all vendors who have access to PHI.
  • Vulnerability Scanning: Regular vulnerability scans are conducted and documented on all systems storing PHI.
Pricing

Two Ways to Get Compliant.
Both Start With a Free Assessment.

Not sure which is right for your practice? The free assessment will tell you exactly what you need — and what you don't.

One-Time Assessment
$1,500 – $2,500
flat fee

A complete HIPAA compliance assessment with written report and remediation roadmap. Ideal for practices that want to understand their current posture before committing to ongoing services.

  • Full HIPAA gap analysis
  • Written assessment report
  • Remediation roadmap
  • Prioritized action list
  • 2026 rule alignment check
  • Executive summary for practice owner
Book Assessment →

Free discovery call included

Not sure which option is right? Most practices start with the one-time assessment to understand exactly where they stand — then move to the monthly plan for ongoing compliance management and protection. Book your free discovery call and we'll recommend the right fit for your practice.

Book Free Discovery Call →
The Clock Is Running

Don't Wait for a Breach or a Fine to Find Out You Weren't Compliant.

The 2026 HIPAA Security Rule update is in effect now. Practices have 180 days to comply. A free two-hour assessment will tell you exactly where your practice stands against every new requirement — in plain English, with a clear action plan. No commitment required.

Free — no credit card
Rhode Island based
Written report in 48 hours
Former ISSO experience
No long-term commitment
James Aptt — AGT Founder

Former ISSO · DoD Cybersecurity Engineer · BS Cybersecurity (95 avg, top of class) · CompTIA Security+ · Multiple RMF Certificates
