Medical & Dental Practices
Covered entities and business associates handling electronic protected health information
Binding framework
HIPAA Security Rule (45 CFR Part 164)
HIPAA applies to every covered medical and dental practice — there is no small-practice exemption. A proposed federal Security Rule update (December 2024) would strengthen requirements if finalized; cite proposed changes separately from current law.
Key obligations (summary)
- Written risk analysis and risk management program
- Administrative, physical, and technical safeguards for ePHI
- Workforce access controls and security awareness
- Breach notification to HHS OCR and affected individuals when required
How Legacy Core fits
Legacy Core credentials readiness against NIST CSF 2.0 and CIS Controls v8. It does not attest to HIPAA compliance, BA agreements, or OCR audit readiness.
Do not claim
- · Proposed 2025 HIPAA Security Rule changes are current law
- · Legacy Core credential means HIPAA compliance
Primary sources
Confidence: HIGH. Last reviewed 2026-07-13.