Legacy Core™

Regulatory context

Medical & Dental Practices

Covered entities and business associates handling electronic protected health information

Binding framework

HIPAA Security Rule (45 CFR Part 164)

HIPAA applies to every covered medical and dental practice — there is no small-practice exemption. A proposed federal Security Rule update (December 2024) would strengthen requirements if finalized; cite proposed changes separately from current law.

Key obligations (summary)

  • Written risk analysis and risk management program
  • Administrative, physical, and technical safeguards for ePHI
  • Workforce access controls and security awareness
  • Breach notification to HHS OCR and affected individuals when required

How Legacy Core fits

Legacy Core credentials readiness against NIST CSF 2.0 and CIS Controls v8. It does not attest to HIPAA compliance, BA agreements, or OCR audit readiness.

Do not claim

  • · Proposed 2025 HIPAA Security Rule changes are current law
  • · Legacy Core credential means HIPAA compliance

Primary sources

Confidence: HIGH. Last reviewed 2026-07-13.

Boundary

What a Legacy Core credential does not attest to

A Trust Badge documents demonstrated readiness against a dated Standards Release (assessment basis: NIST CSF 2.0 and CIS Controls v8). It is not a substitute for industry-specific legal or regulatory obligations.

  • FTC Safeguards Rule or WISP compliance (CPAs / tax preparers)
  • HIPAA compliance or OCR audit readiness (medical / dental)
  • ABA or State Bar ethics sign-off (attorneys)
  • SEC Regulation S-P compliance (investment advisers)
  • NAIC Insurance Data Security Model Law (including in California — not adopted)
  • CCPA cybersecurity audit certification (threshold-gated regulation)
  • Cyber insurance approval or claim guarantee
  • Penetration test, SOC 2, CMMC, or government endorsement

Legacy Core is aligned with NIST CSF 2.0 and CIS Controls v8. Legacy Core is not affiliated with, endorsed by, or accredited by NIST, CIS, or any government agency. Tracking a framework does not constitute a determination of legal or regulatory compliance.

Industry-specific obligations by vertical: Regulatory context guides

Medical & Dental Practices — Regulatory Context | Legacy Core | Legacy Core