Dental practices in Maryland don't need more HIPAA theory in 2026 — they need clarity on what specifically changed, what deadlines are real, and where regulators are focusing their attention. The biggest practical shift this year isn't a brand-new HIPAA statute aimed at dentistry. It's a compliance deadline that forces many providers to revisit patient notices and record-handling assumptions, plus a continued — and increasingly technical — enforcement posture around Security Rule fundamentals like risk analysis, patching, and vendor oversight.
The “Real” 2026 HIPAA Deadline Most Practices Can't Ignore: Notice of Privacy Practices Changes Tied to 42 CFR Part 2
A key HIPAA-related compliance date landed on February 16, 2026. HHS has stated that remaining modifications to the HIPAA Notice of Privacy Practices (NPP) requirements must be complied with by that date. The driver: in 2024, HHS finalized major updates to the federal confidentiality rules for Substance Use Disorder (SUD) patient records under 42 CFR Part 2, aligning several Part 2 concepts more closely with HIPAA and adding HIPAA-like enforcement mechanisms and breach notification alignment.
Compliance Deadline: February 16, 2026
This deadline has passed as of the publish date of this article. If your practice has not yet reviewed its NPP language and vendor contracts for Part 2 alignment, this should be your first priority.
“We're a Dental Practice — Does Part 2 Matter to Us?”
Often, not directly. Most dental practices are not “Part 2 programs.” But this matters anyway for three reasons:
Your NPP language may need updating
Depending on how you receive, use, or integrate SUD-related information — through medical history, referrals, hospital affiliations, integrated care, or patient portal uploads — your notice may be out of compliance.
HHS explicitly connected the 2026 date with NPP changes
The Part 2 alignment effort drove this deadline. Even practices that are not Part 2 programs may have NPP language that needs revisiting.
OCR is now enforcing Part 2 civilly
As of February 16, 2026, OCR stood up civil enforcement mechanisms around Part 2, increasing scrutiny across the entire ecosystem where SUD information flows.
What to Do in a Dental Practice (Practical Interpretation)
- Confirm whether you ever receive Part 2-covered records — from an SUD program, via referral loops, hospital systems, or patient uploads into portals.
- If you do, confirm your NPP and internal privacy procedures address that category appropriately and reflect the updated notice expectations.
- Confirm your breach response process and vendor contracts can handle "special categories" of information without confusion, because Part 2 now explicitly aligns breach notification to HIPAA-style expectations.
2026 Enforcement Reality: OCR Continues to Hammer the Security Rule Basics
Even when regulation text doesn't change overnight, enforcement expectations do. In 2026, HHS/OCR messaging continues to emphasize that Security Rule compliance is not “paper compliance” — you must demonstrate operational control over your environment. A January 2026 OCR cybersecurity newsletter is blunt on one point that hits dental practices hard: unpatched software and legacy systems are a risk-analysis issue.
OCR states that risk analysis must consider risks to ePHI from unpatched software, and it highlights vulnerability scanning, asset inventory, and monitoring authoritative vulnerability sources as expected behaviors — not optional best practices.
Why This Is Especially Relevant to Dentistry
Dental practices commonly run a mix of systems that creates the classic failure modes OCR cares about:
- Dental practice management systems (PMS) and imaging platforms: often running outdated OS or application versions due to vendor compatibility constraints
- Vendor-managed imaging sensors and acquisition PCs: frequently "can't be upgraded," creating isolated but still connected risk points
- Patient communication tools (SMS, email, reminders): often third-party SaaS with inconsistent BAA coverage and audit logging
- Remote access used by IT and vendors: a common foothold for attackers when not protected with MFA and least-privilege access
OCR's Core Message in 2026:
You're expected to know what you have, know what's vulnerable, and be able to show what you did about it. If you can't answer those questions, your risk analysis isn't defensible — regardless of what your policy documents say.
The Proposed HIPAA Security Rule Overhaul Is Still Proposed — But Plan As If the Floor Is Rising
HHS issued a Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule in late 2024, specifically to better address cybersecurity threats. Even though it's not yet final, the proposal is useful because it telegraphs where compliance expectations are heading: more explicit technical controls, more frequent verification, and less ambiguity about “addressable” vs. “required” safeguards.
For Dental Practices: Align With the Direction of Travel
- Treat inventories, data-flow mapping, and testing cadence as must-haves, not nice-to-haves.
- Expect more scrutiny of vendor oversight and documented proof of safeguards.
- Build incident response and restoration capabilities that are measurable and rehearsed.
If the rule is finalized later, organizations already operating this way won't be scrambling.
Maryland-Specific Overlay: State Privacy Law Creates Obligations Beyond HIPAA
Maryland passed the Maryland Online Data Privacy Act, effective October 1, 2025, with enforcement authority assigned to the Maryland Office of the Attorney General. HIPAA is not always the end of the story. Depending on how your practice uses websites, advertising pixels, online forms, and consumer-facing tools, state privacy frameworks can impose requirements that feel “HIPAA-adjacent” but are not satisfied solely by being HIPAA-covered.
Two Lenses to Apply to Your Website and Online Intake Stack
- Patient portals and messaging
- Online check-in and intake forms
- Third-party reminders (SMS/email)
- EHR/PMS integrations
- Website analytics and tracking pixels
- Targeted advertising platforms
- Online appointment booking tools
- Sensitive data handling disclosures
High-Impact Changes to Implement in 2026
Update and Operationalize Your Privacy Notice Posture
Even if you conclude Part 2 doesn't apply to your practice directly, document the analysis and update NPP language where required. Your front desk shouldn't be improvising answers to privacy questions. Your NPP and procedures should clearly cover:
- Patient portal communications and messaging
- Third-party reminders (SMS/email)
- How you handle record requests (patients, parents/guardians, spouses, attorneys)
- How you handle patient-supplied records and external medical history
- Any special categories you receive, including SUD-related information if applicable
Treat Patching and Legacy Systems as a Compliance Control
OCR explicitly connects unpatched software to the Security Rule risk analysis requirement. This isn't optional — it's the basis for enforcement actions. Dental-specific actions that reduce real risk:
- Identify every workstation that touches imaging or charting and set a patch SLA (example: critical updates within 14 days unless documented exception).
- For "can't patch" imaging PCs, isolate them: VLAN segmentation, restricted outbound access, no email/web browsing, application allow-listing where feasible.
- Require vendors to document support boundaries and security requirements, tied to Business Associate Agreements where appropriate.
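The patch SLA and "can't patch" exception described above only count as a control if you can show, per device, whether it was met. The script below is an added example (not code from the article or from New Vertical Technologies) that evaluates a constructed asset inventory against a 14-day critical-patch SLA, and, for devices carried on a documented exception, checks that the compensating isolation controls named above (VLAN segmentation, restricted outbound, no email/web, application allow-listing) are actually recorded. The hostnames, exception IDs, field names and control labels are all assumptions for illustration.

```python
"""Patch-SLA evidence check over a dental practice asset inventory.

Added example, not code from the original article or from New Vertical
Technologies. The inventory is constructed sample data; the field names,
hostnames, exception IDs and isolation-control labels are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

SLA_DAYS = 14  # critical updates within 14 days, the article's example SLA
AS_OF = date(2026, 3, 2)  # constructed evaluation date

# Compensating controls a "can't patch" exception is expected to document
REQUIRED_ISOLATION = {"vlan_segmented", "outbound_restricted", "no_email_web", "app_allowlist"}


@dataclass
class Asset:
    hostname: str
    role: str                                # e.g. "imaging_acquisition", "front_desk"
    critical_patch_released: Optional[date]  # release date of the oldest critical update due
    patched_on: Optional[date]               # date applied, None if still pending
    exception_id: Optional[str] = None       # documented exception record, if any
    isolation: Set[str] = field(default_factory=set)


def evaluate_asset(asset: Asset, as_of: date, sla_days: int = SLA_DAYS) -> Tuple[str, str]:
    """Classify one asset against the SLA; returns (status, human-readable detail)."""
    if asset.critical_patch_released is None:
        return "compliant", "no outstanding critical updates"
    deadline = asset.critical_patch_released + timedelta(days=sla_days)
    if asset.patched_on is not None:
        if asset.patched_on <= deadline:
            days = (asset.patched_on - asset.critical_patch_released).days
            return "compliant", f"patched {days}d after release"
        return "late", f"patched {(asset.patched_on - deadline).days}d past SLA"
    # Still unpatched: an exception is only defensible with its controls in place
    if asset.exception_id:
        missing = sorted(REQUIRED_ISOLATION - asset.isolation)
        if missing:
            return "exception_weak", f"exception {asset.exception_id} lacks controls: {missing}"
        return "exception", f"exception {asset.exception_id} with compensating controls"
    if as_of <= deadline:
        return "pending", f"{(deadline - as_of).days}d left in SLA window"
    return "overdue", f"{(as_of - deadline).days}d past SLA, no documented exception"


def evaluate_inventory(assets: List[Asset], as_of: date = AS_OF,
                       sla_days: int = SLA_DAYS) -> Dict[str, Tuple[str, str]]:
    """Evaluate every asset; the result is the evidence table you keep with the risk analysis."""
    return {a.hostname: evaluate_asset(a, as_of, sla_days) for a in assets}


def summarize(results: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Count assets per status, e.g. for a monthly compliance summary."""
    counts: Dict[str, int] = {}
    for status, _ in results.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample inventory (hypothetical hostnames and exception records)
SAMPLE_INVENTORY = [
    Asset("FD-01", "front_desk", date(2026, 2, 10), date(2026, 2, 18)),
    Asset("OP-03", "operatory", date(2026, 2, 1), date(2026, 2, 20)),
    Asset("IMG-SENSOR-PC", "imaging_acquisition", date(2026, 1, 20), None,
          exception_id="EXC-2026-004", isolation=set(REQUIRED_ISOLATION)),
    Asset("PANO-PC", "imaging_acquisition", date(2026, 1, 20), None,
          exception_id="EXC-2026-005", isolation={"vlan_segmented"}),
    Asset("HYG-02", "hygiene", date(2026, 2, 25), None),
    Asset("SERVER-PMS", "pms_server", date(2026, 2, 1), None),
]

if __name__ == "__main__":
    results = evaluate_inventory(SAMPLE_INVENTORY)
    for host, (status, detail) in results.items():
        print(f"{host:14} {status:15} {detail}")
    print(summarize(results))
```

The useful outputs are the `overdue` and `exception_weak` rows: the first is a device with no decision recorded, the second is an exception that exists on paper but lacks the isolation controls that justify it. Both are exactly what a reviewer will ask about.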
Make Your Risk Analysis Defensible — and Usable
OCR enforcement repeatedly circles back to whether a risk analysis exists, is accurate, and drives risk management. A dental practice risk analysis should not be generic. It should specifically account for:
- Imaging workstations and acquisition computers
- Remote access pathways (IT staff + vendors)
- Patient communication tools (SMS/email platforms)
- Backups — including immutable and offline strategies
- User access in operatory rooms (shared logins are still common and hard to defend)
Vendor Management: You Will Be Judged by Your Vendors' Behavior
A large percentage of dental incidents involve a vendor foothold — remote access, unmanaged endpoints, weak authentication, or exposed services. Baseline 2026 expectations should include:
- A vendor inventory documenting who touches ePHI, who can access systems, and what tools they use
- BAAs in place where required
- Security expectations written into contracts: MFA, logging, breach notification timelines, least privilege, patching boundaries
Incident Response and Ransomware Readiness Must Be Rehearsed, Not Theoretical
In dentistry, downtime hits production immediately. Your plan must answer these questions before a crisis — not during one:
- How do we keep seeing patients if the PMS/EHR is down?
- What is our restoration order: domain/email → PMS → imaging → file shares → phones?
- Who calls patients, who talks to law enforcement/insurer, who handles media inquiries?
- How do we prove what happened (logging) and what we did about it (documentation)?
A 30–60 Day Implementation Plan You Can Actually Execute
Establish Your 2026 Compliance Baseline
- Confirm whether Part 2 records are in scope for your practice; document the conclusion.
- Review NPP language and update if required.
- Create or update your asset inventory: every device and system that creates, receives, or transmits ePHI.
Security Rule Hardening for Dentistry's Weak Spots
- Patch posture: define SLAs; document exceptions; isolate legacy imaging devices.
- MFA: enforce for email, remote access, and any cloud PMS/portal admin logins.
- Backups: validate restore — not just backup success.
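"Validate restore, not just backup success" means restoring into a clean location and checking every file against a manifest captured at backup time. The script below is an added example (not code from the article or from New Vertical Technologies): it builds a constructed sample backup (a tar archive plus a SHA-256 manifest) in a temporary directory, restores it elsewhere, and reports files that are missing or altered, then repeats the check against a deliberately damaged restore to show what a failed validation looks like. The file names, manifest format and function names are assumptions for illustration.

```python
"""Restore-validation check: prove a backup restores correctly, not just that it ran.

Added example, not code from the original article or from New Vertical
Technologies. All sample data is constructed inside a temporary directory;
the manifest format and function names are assumptions.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under root (what a restore must reproduce)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Archive src and return the manifest; store the manifest with the backup, not on the source."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_restore(manifest: Dict[str, str], dest: Path) -> dict:
    """Compare a restored tree against the manifest; ok only if nothing is missing or altered."""
    restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {
        "ok": not (missing or mismatched),
        "verified": len(manifest) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
    }


def restore_and_verify(archive: Path, manifest: Dict[str, str], dest: Path) -> dict:
    """Extract the archive into dest and verify it; dest should be a clean, empty location."""
    with tarfile.open(archive, "r:gz") as tar:
        # Use the "data" extraction filter where this Python supports it (refuses path traversal)
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return verify_restore(manifest, dest)


def demo() -> dict:
    """Run a clean restore and a damaged one over constructed sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "pms_data"
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "patient_0001.json").write_text('{"id": 1, "note": "constructed sample"}')
        (src / "schedule.db").write_bytes(bytes(range(256)) * 4)

        archive = root / "pms_backup.tar.gz"
        manifest = make_backup(src, archive)
        clean = restore_and_verify(archive, manifest, root / "restore_clean")

        # Simulate a bad restore: one file corrupted, one file never came back
        bad_dest = root / "restore_bad"
        restore_and_verify(archive, manifest, bad_dest)
        (bad_dest / "schedule.db").write_bytes(b"\x00" * 16)
        (bad_dest / "charts" / "patient_0001.json").unlink()
        damaged = verify_restore(manifest, bad_dest)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Keep the dated verification report with the backup job's own log; a "backup succeeded" message alone does not show that the data could be brought back.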
Turn Documentation Into Evidence
- Update policies to match what you actually do — not boilerplate templates.
- Run a tabletop incident exercise using a ransomware scenario.
- Confirm vendor access controls and BAAs; remove unnecessary access.
Bottom Line for Maryland Dental Practices in 2026
A real compliance deadline exists
NPP-related modifications were tied to February 16, 2026, and Part 2 alignment drove that requirement. If you haven't reviewed your NPP language, do it now.
Security Rule expectations keep getting more technical
OCR is explicitly framing patching, asset inventory, and vulnerability management as core compliance behavior — not optional best practice.
Maryland's privacy landscape is not HIPAA-only anymore
Your website and consumer-facing tooling deserve a dedicated review for state privacy exposure alongside your HIPAA obligations.
Need Help Getting Your Practice into Compliance?
New Vertical Technologies works with dental practices across Maryland on HIPAA-aligned IT programs — from risk analysis and patching to vendor management and incident response planning.
