COMPLIANCE ALERT: The 240-day window to meet the new HIPAA Security Rule starts at final rule publication — expected May 2026.
Orthodontic Practice Alert — May 2026

The HIPAA Rules
Just Changed.
Is Your Practice Ready?

The biggest HIPAA overhaul in 20 years just dropped. Every safeguard is now fully mandatory — no exceptions, no workarounds, no documentation escape hatches.

No MFA? Violation. No encryption? Violation. No annual pen test? Violation. The penalty cap: $1.9 million per year, per category.

What changed — and what it means for your practice specifically
All 6 new mandatory requirements in plain English
A 90-day compliance roadmap you can act on immediately
A 10-point self-assessment to find your gaps today
Guidance for Dolphin, Ortho2, Orthotrac, Cloud 9 & GreyFinch

Trusted by orthodontic practices nationwide

Free — Instant Access

Get the 2026 HIPAA
Compliance Guide

Written for orthodontic practices. Plain English. No fluff.

No spam. No sales pitch. Unsubscribe anytime.

HIPAA Security Rule 2026 Whitepaper
$10.22M
Avg. U.S. Breach Cost (2025)
240 Days
To Comply After Final Rule
76%
Of OCR Penalties Cite Risk Analysis Failure
$1.9M
Max Annual Penalty Per Category
Why This Matters Now

Most Ortho Practices Are Already
Out of Compliance. They Just Don't Know It.

The old rule let you document your way out of expensive controls. That's over.

The Old Rule

Safeguards were split into "Required" and "Addressable." If an addressable control was too expensive or complex, you could write a memo explaining why you skipped it (or what you did instead) and stay compliant. Encryption? Addressable. Automatic logoff? Addressable. Most smaller practices used this loophole freely.

That loophole is gone

The New Rule (2026)

Every safeguard is now mandatory. No exceptions. No documentation workarounds. And the new rule adds requirements that didn't exist before: mandatory annual penetration testing, vulnerability scanning every six months, network segmentation, and a 72-hour recovery requirement for critical systems.

Effective late 2026

Here's what most practices miss: Your ePHI lives across more systems than you think — Dolphin Imaging, Ortho2 Edge, Orthotrac, Cloud 9, GreyFinch, imaging workstations, cloud backups, staff email, remote access. Every single one is now a mandatory compliance checkpoint.

240 days sounds like runway. It isn't. Full MFA deployment, encryption, network segmentation, penetration testing, and incident response planning together take 6–9 months. Practices that wait for the final rule to start will miss the deadline.

What's Now Required

6 Mandatory Safeguards.
Zero Exceptions.

Some were formerly "addressable"; others never existed in the rule before. All are now required by law. The free guide breaks down exactly what each one means for your practice environment.

01

Multi-Factor Authentication

Technical Safeguard

Every system touching ePHI must require MFA — your PMS, imaging systems, cloud backups, email, and remote access. No exceptions. No shared passwords.

02

Full ePHI Encryption

Technical Safeguard

Strong encryption (AES-256 or equivalent) required for ePHI at rest on servers, cloud storage, backup drives, and portable devices, and in transit over email and remote access. Unencrypted backups are a violation from day one.

03

Annual Penetration Testing

Testing Safeguard

A qualified third party must attempt to breach your network every 12 months. Results must be documented. Remediation must happen. This is brand new for most ortho practices.

04

Semiannual Vulnerability Scanning

Testing Safeguard

Full vulnerability scans every six months, required independently of the annual penetration test. Findings must be remediated on a defined, documented timeline.

05

Network Segmentation

Technical Safeguard

Patient data systems must be isolated from general business systems, staff internet, and guest Wi-Fi. Network mapping and ePHI flow documentation are required.

06

Incident Response + 72-Hr Recovery

Administrative Safeguard

A written, tested incident response plan. Critical systems must be recoverable within 72 hours. Annual testing with documented results. Not optional.

Also required: Annual risk analysis + formal compliance audit. 76% of OCR penalties in 2025 cited risk analysis failure as a primary violation. The free guide includes a step-by-step framework.

The Cost of Inaction

Non-Compliance Isn't a Risk.
It's a Certainty.

OCR penalties are assessed per violation, per year — across every control you failed to implement.

Violation Tier                    Per Violation        Annual Cap
Unknowing                         $100 – $63K          $31,987
Reasonable cause                  $1,280 – $63K        $127,951
Willful neglect (corrected)       $12,794 – $63K       $383,853
Willful neglect (not corrected)   $63,973              $1,919,173

Immediate Breach Costs

Forensic investigation & containment ($50K–$200K)
Mandatory patient breach notification letters
Credit monitoring for all affected patients
Legal counsel through OCR investigation
System rebuild and data recovery

Long-Term Fallout

OCR civil monetary penalties & settlement
State attorney general action
Patient attrition from reputational damage
Staff productivity loss during recovery
Cyber insurance premium hikes or cancellation

Healthcare has been the most expensive industry for data breaches 14 years running. The 2025 average cost of a U.S. data breach, across all industries, was $10.22 million. Ransomware actors target smaller practices because they're less defended — and more likely to pay fast.

Quick Self-Assessment

Can You Answer Yes
to These 10 Questions?

Answer No or Unsure to more than two? Your practice needs immediate attention.

Technical Controls

All staff require MFA to access any system containing patient records
All patient data is encrypted at rest and in transit
Patient data systems are isolated from general office and guest Wi-Fi
A third-party penetration test has been completed in the past 12 months
A vulnerability scan has been completed in the past 6 months

Administrative Controls

A formal risk analysis has been completed and reviewed by leadership
A written incident response plan exists and has been tested
All BAAs are current for every vendor touching patient data
All staff have completed HIPAA security training in the past 12 months
Critical systems can be restored within 72 hours — and this has been tested

The free guide includes a detailed version of this checklist with remediation guidance — specific to ortho practice software.

Why Impact360

An IT Partner Built
Specifically for Ortho Practices

Most IT companies serve "healthcare" broadly. They'll show up. They'll try. But generalist IT and orthodontic IT are not the same thing.

Impact360 has spent decades focused on orthodontic practices. That means we know your software — Dolphin Imaging, Orthotrac, Ortho2 Edge, Cloud 9, GreyFinch — before we ever walk in the door. When IT is set up without that context, you don't just have a tech problem. You have a patient care problem.

We arrive already knowing your environment. Not learning it on your time.

Orthodontic-Specific Expertise

Decades of focus on ortho practices means we know your platforms, integrations, compliance requirements, and failure points before we ever walk in the door.

Compliance Is Our Floor

HIPAA is the legal minimum. We build well above it — because your patients' trust is passed on to us.

Prevention Is the Real Service

The value we provide is what never happens — the breach that was blocked, the failure caught before it cascaded.

240-Day Window — Starting Now

Don't Let the Deadline
Find Your Practice First

The guide is free. It's written for orthodontic practices. It gives you a clear picture of exactly where you stand — before the OCR does.

Download it now. Read it this week. Know your gaps before they become violations.


615-821-0000 | impact360.com/connect | Response within 1 business day