2026 HIPAA FAQs
HIPAA PRIVACY RULE & 42 CFR PART 2
Question: What does SUD mean?
Answer:
SUD stands for Substance Use Disorder. It is a medical term used to describe a condition in which the use of alcohol or drugs leads to clinically significant impairment, distress, or health risks. SUD can range from mild to severe and includes disorders related to substances such as alcohol, prescription medications, or illicit drugs.
Question: Why is SUD discussed in HIPAA compliance materials?
Answer:
Information related to Substance Use Disorder may be subject to additional federal privacy protections beyond standard HIPAA rules. Certain SUD-related records are protected under 42 CFR Part 2, which imposes stricter confidentiality requirements on the disclosure and use of this information when it is created or maintained by a federally assisted substance use disorder treatment program.
Question: Is SUD information handled differently than other health information under HIPAA?
Answer: Sometimes.
Most SUD-related information in a dental record is protected under HIPAA in the same way as other protected health information (PHI). However, certain SUD records are subject to additional confidentiality protections under 42 CFR Part 2. When Part 2 applies, it can impose stricter limits on how that information may be used or disclosed, even in situations where HIPAA would otherwise allow disclosure. In those cases, the more restrictive rule must be followed.
Question: Are dental practices subject to 42 CFR Part 2?
Answer: Yes
Dental practices are required to comply with the HIPAA Privacy Rule as updated in 2026, including alignment with 42 CFR Part 2. Although most dental offices are not substance use disorder treatment programs, SUD-related information may still be present in dental records and must be protected in accordance with applicable privacy requirements.
Question: Can a dental practice document SUD-related information in the patient record?
Answer: Yes
Dental practices may document information necessary for treatment, safety, and continuity of care. However, practices should ensure that disclosures and uses of SUD-related information comply with HIPAA and, where applicable, any additional confidentiality requirements imposed by law.
Question: Why is updating the Notice of Privacy Practices required?
Answer:
The Notice of Privacy Practices is intended to accurately inform patients of their rights and how their information is handled. When federal privacy requirements change, an outdated NPP may no longer reflect current law. Failure to update the NPP can result in patients being misinformed about their rights and may place the practice out of compliance with HIPAA.
Question: Is updating the Notice of Privacy Practices optional?
Answer: No
Updating the NPP is not optional when regulatory changes affect privacy rights or disclosures. Covered entities are required under HIPAA to maintain and distribute a notice that is accurate, current, and compliant with federal law.
Question: When must the updated Notice of Privacy Practices be in place?
Answer: February 16, 2026
Dental practices must update their Notice of Privacy Practices by the effective date of the applicable HIPAA changes. For the current HIPAA Privacy Rule updates aligned with 42 CFR Part 2, the compliance deadline is February 16, 2026.
Question: What types of changes trigger the need to update the NPP?
Answer:
An NPP must be updated when changes affect:
- Patient rights regarding access to records
- Privacy protections for certain sensitive information
- How information may be used or disclosed
- Any required statements mandated by updated federal regulations
When these elements change, the NPP must be revised to reflect the updated requirements.
Question: Once updated, what must a dental practice do with the new NPP?
Answer:
After updating the NPP, dental practices must:
- Make the revised notice available to patients
- Post the updated NPP as required (e.g., in the office and on the website, if applicable)
- Ensure staff are trained on the updated privacy requirements reflected in the notice
SECURITY RULE
Question: How does cybersecurity tie into the HIPAA 2026 update?
Answer:
The HIPAA 2026 update reinforces expectations around safeguarding ePHI, improving transparency, and reducing preventable breaches. Regulators have made it clear that cybersecurity failures—particularly those involving basic access controls and authentication—are a major focus of enforcement actions. Dental practices are expected to demonstrate that reasonable and appropriate safeguards, including MFA where applicable, are in place.
HIPAA does not allow a “do nothing” approach to cybersecurity. Practices must assess risks, implement safeguards such as MFA where appropriate, document decisions, and train staff. Failure to do so is a common factor in enforcement actions following data breaches.
Question: Does HIPAA require dental practices to address cybersecurity risks?
Answer: Yes
HIPAA requires covered entities, including dental practices, to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). This includes identifying and addressing cybersecurity risks such as unauthorized access, ransomware, phishing, and malware.
Question: Is Multi-Factor Authentication (MFA) required under HIPAA?
Answer:
HIPAA does not mandate a specific technology by name; however, HIPAA does require covered entities to implement reasonable and appropriate access controls to protect ePHI. Federal enforcement guidance increasingly identifies Multi-Factor Authentication (MFA) as a key safeguard for meeting these requirements, particularly for systems accessible remotely or through the internet.
Question: Why is MFA strongly emphasized in current HIPAA guidance?
Answer:
Federal regulators have consistently stated that many healthcare breaches could have been prevented through basic security controls, including MFA. As cyber threats continue to increase, the failure to implement MFA where appropriate may be viewed as an unreasonable security practice, especially when ePHI is accessed through cloud-based systems, remote logins, or email.
Question: Is MFA considered “addressable” or “required” under HIPAA?
Answer:
MFA falls under HIPAA’s addressable technical safeguards, meaning practices must assess whether MFA is reasonable and appropriate for their environment. If a practice chooses not to implement MFA, it must document the risk assessment and implement an equivalent alternative safeguard. Simply choosing not to use MFA without documentation is not compliant.
Question: What systems in a dental practice should typically use MFA?
Answer:
MFA should be implemented where ePHI is accessed electronically, particularly for:
- Practice management software
- Cloud-based EHR systems
- Email systems that transmit or store ePHI
- Remote access, VPNs, and administrative logins
- Backup and storage systems containing ePHI
Question: Does HIPAA require a risk assessment related to cybersecurity?
Answer: Yes
HIPAA requires covered entities to conduct a security risk analysis to identify potential risks and vulnerabilities to ePHI. Cybersecurity threats, including phishing, malware, and unauthorized access, must be evaluated as part of this analysis and addressed through appropriate safeguards.
Question: Are staff required to be trained on cybersecurity and phishing risks?
Answer: Yes
HIPAA requires workforce training on policies and procedures related to safeguarding ePHI. This includes training staff to recognize and respond to common cyber threats such as phishing emails, malicious links, and unauthorized access attempts.
GENERAL ACCESS RIGHT
Question: Do individuals have a HIPAA right to inspect and obtain copies of their health records?
Answer: Yes
The HIPAA Privacy Rule gives individuals a legal, enforceable right to inspect and obtain copies of PHI about themselves maintained in a covered entity’s designated record set. This includes directing copies to a third party.
TIMELINESS & EXTENSIONS
Question: How long does a covered entity have to respond to an access request?
Answer: Covered entities must respond within 30 days. The 30-day timeframe for responding to a patient’s request for access to records is an outer legal limit, not a standard response time.
This means:
- Dental practices are expected to respond sooner whenever possible.
- The 30 days represents the maximum amount of time allowed under HIPAA, not a default waiting period.
OCR has repeatedly stated that covered entities should not routinely use the full 30 days if records are readily available.
What the Practice Must Do Within 30 Days
Within 30 calendar days, the practice must:
- Provide access to the requested records, OR
- Issue a written notice invoking a one-time extension (if applicable)
Failure to do either is a HIPAA violation and one of the largest causes of OCR complaints.
PARENTAL ACCESS & MINORS
Question: Can a parent access their minor child’s health records under HIPAA?
Answer: Generally, yes.
HIPAA considers a parent the personal representative of their minor child when the parent has legal authority to make healthcare decisions, and therefore the parent can access the child’s PHI.
Question: Are there exceptions where a parent is not the minor’s personal representative?
Answer: Yes
HIPAA identifies three exceptions where parents are not personal representatives for certain PHI:
- When state law allows the minor to consent to care without parental consent.
- When a court or court-appointed person has authority over the minor’s healthcare.
- When the parent agrees to a confidential relationship between the minor and provider.
In these cases, the parent may not automatically have access to that portion of records under HIPAA.
Question: Does state law affect parental access rights under HIPAA?
Answer: Yes
HIPAA defers to state or other applicable law on parental authority. If state law gives minors access rights or limits parental access, that law governs even if HIPAA might otherwise allow access.
Question: At what age does a child stop being considered a minor for HIPAA purposes?
Answer:
HIPAA does not set a specific national age, such as 18, for when a child is no longer considered a minor. Instead, HIPAA defers to state law to determine the age of majority and when a parent has legal authority to act as a personal representative. In some situations, state law allows minors to control access to certain health information before age 18.
DISCLOSURES TO FAMILY & CAREGIVERS
Question: Can a provider discuss a patient’s care with family or friends?
Answer: Yes
The federal Office for Civil Rights (OCR) FAQ on HHS.gov explicitly says:
- Covered entities may share information that is directly relevant to the involvement of family, friends, or other persons in the patient’s care or payment for health care.
- The Rule does not require a written authorization for these limited disclosures.
- If the patient is present, the provider may ask permission, provide an opportunity to object (and there is no objection), or reasonably infer from circumstances that the patient does not object.
- If the patient is absent or incapacitated, PHI may be shared in the exercise of professional judgment if that is in the patient’s best interest.
Question: When is PHI disclosure to a family member allowed without the patient present?
Answer: If the patient is incapacitated or in an emergency, a provider may share PHI with a family member when the provider determines, using professional judgment, that the disclosure is in the individual’s best interest.
CHARGES AND FEES
Question: Can a covered entity charge for providing copies of records?
Answer: Yes
Covered entities may impose reasonable, cost-based fees for copying and supplying records. These fees may include:
- Costs of copies (labor & supplies), or
- For electronic copies of electronic records, a flat fee not to exceed $6.50, provided the fee covers only:
  - Labor for copying
  - Supplies (if applicable)
The $6.50 option is voluntary, not mandatory. Practices may instead calculate actual costs, but many choose the flat fee to simplify compliance.
Practices may not charge for retrieval, preparation, or verification of records.
Question: Can a dental practice withhold records due to unpaid fees?
Answer:
A dental practice may not withhold or delay records because a patient has an unpaid treatment balance or other outstanding charges. However, a practice may require payment of its HIPAA-permitted, cost-based records processing fee before releasing copies, provided the fee is reasonable, communicated in advance, and limited to allowable copying costs.
PERSONAL REPRESENTATIVES
Question: Who qualifies as a personal representative under HIPAA?
Answer: An individual’s personal representative is someone authorized under state or other applicable law to make healthcare decisions on behalf of the individual, such as a legal guardian or parent (when authorized).
Question: Do personal representatives have the same right of access as the individual?
Answer: Yes
Personal representatives generally have the same rights to inspect and obtain copies of PHI as the individual would have.
RESEARCH & SPECIAL CATEGORIES
Question: Are research records included in the right of access?
Answer: With few exceptions, the Privacy Rule permits access to research records maintained in a designated record set, including results, unless a regulatory exception applies.
Question: Does HIPAA require oral information to be provided upon request?
Answer: Yes
If health information exists in oral form and is part of the designated record set, HIPAA requires that individuals be given access to that information orally upon request. This requirement applies to access only and does not obligate providers to interpret, explain, or create new information.
BUSINESS ASSOCIATES
Question: Must business associates provide access directly?
Answer: No
The Privacy Rule governs covered entities — not business associates — but a covered entity must ensure its business associate agreement includes access obligations and respond within the 30-day timeframe.
ADDITIONAL PRACTICE NOTES
Question: Does dental practice software count as a designated record set?
Answer: Yes
Any records used to make treatment decisions, including EHRs or digital imaging, are part of the designated record set and must be accessible upon request.
Question: What is considered a HIPAA breach?
Answer:
A HIPAA breach is the impermissible use or disclosure of protected health information (PHI) that compromises the security or privacy of the information. Breaches may involve paper records, electronic records (ePHI), or oral disclosures and can result from loss, theft, hacking, unauthorized access, or human error.
Question: What should a dental practice do immediately after discovering a potential breach?
Answer:
A dental practice should act promptly to:
- Secure the information and stop further unauthorized access or disclosure
- Preserve evidence related to the incident
- Begin an internal investigation to determine what occurred, what information was involved, and who was affected
Immediate action is critical to limit harm and meet HIPAA reporting obligations.
Question: Is every impermissible disclosure considered a reportable breach?
Answer: No
After an impermissible use or disclosure occurs, the practice must conduct a risk assessment to determine whether the incident qualifies as a reportable breach. The assessment evaluates the probability that PHI was compromised based on specific factors defined by HIPAA.
Question: What factors must be evaluated in a HIPAA breach risk assessment?
Answer:
The risk assessment must consider:
- The nature and extent of the PHI involved
- The unauthorized person who used or received the information
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
If the assessment determines there is more than a low probability that PHI was compromised, the incident is considered a breach.
Question: How long does a dental practice have to notify patients of a breach?
Answer:
45 CFR § 164.404(b) – HIPAA Breach Notification Rule
“A covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
Question: When must a breach be reported to the Office for Civil Rights (OCR)?
Answer:
- If the breach affects 500 or more individuals, OCR must be notified without unreasonable delay and no later than 60 days from discovery.
- If the breach affects fewer than 500 individuals, the practice must log the breach and submit it to OCR no later than 60 days after the end of the calendar year in which the breach occurred.
Question: Are dental practices required to notify the media after a breach?
Answer:
Media notification is required only if the breach involves 500 or more individuals in a single state or jurisdiction. This notification must occur without unreasonable delay and no later than 60 days from discovery.
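The three answers above (patient notification, OCR notification, and media notification) combine into a small decision procedure. The following is an added worked example, not part of the original FAQ or of any HHS tool, that computes the outer deadlines from a discovery date, an occurrence date, and the affected-individual counts using only the thresholds and windows stated on this page. The function names, the input structure, and the sample dates are assumptions made for illustration; the under-500 OCR deadline follows the FAQ's wording (60 days after the end of the calendar year in which the breach occurred).

```python
from datetime import date, timedelta

# Thresholds and windows exactly as stated in the FAQ answers above.
NOTIFICATION_WINDOW_DAYS = 60   # "no later than 60 calendar days after discovery"
OCR_IMMEDIATE_THRESHOLD = 500   # 500+ individuals: OCR notified within the 60-day window
MEDIA_THRESHOLD = 500           # 500+ in one state/jurisdiction: media notice required


def notification_deadlines(discovered: date, occurred: date, affected: int,
                           max_in_one_jurisdiction: int) -> dict:
    """Return the 'no later than' dates for the three breach notifications.

    discovered: date the practice discovered the breach
    occurred:   date the breach occurred (the FAQ ties the under-500 OCR
                log deadline to the calendar year of occurrence)
    affected:   total number of individuals affected
    max_in_one_jurisdiction: largest count of affected individuals in any
                single state or jurisdiction (drives the media-notice rule)

    The returned dates are ceilings; "without unreasonable delay" still applies.
    """
    # Basic sanity checks on the inputs (hypothetical validation, added here).
    if discovered < occurred:
        raise ValueError("discovery date cannot precede the occurrence date")
    if affected < 0 or max_in_one_jurisdiction < 0 or max_in_one_jurisdiction > affected:
        raise ValueError("inconsistent affected-individual counts")

    sixty_days_from_discovery = discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    deadlines = {"individuals": sixty_days_from_discovery}

    if affected >= OCR_IMMEDIATE_THRESHOLD:
        # 500 or more: OCR within the same 60-day window as individuals.
        deadlines["ocr"] = sixty_days_from_discovery
    else:
        # Fewer than 500: log the breach and submit it to OCR no later than
        # 60 days after the end of the calendar year in which it occurred.
        year_end = date(occurred.year, 12, 31)
        deadlines["ocr"] = year_end + timedelta(days=NOTIFICATION_WINDOW_DAYS)

    # Media notice only when 500+ individuals are in a single jurisdiction.
    deadlines["media"] = (sixty_days_from_discovery
                          if max_in_one_jurisdiction >= MEDIA_THRESHOLD else None)
    return deadlines


def days_remaining(deadline: date, today: date) -> int:
    """Days left before a deadline; negative means it has already passed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed sample incident: discovered 10 March 2026, 120 patients affected.
    d = notification_deadlines(date(2026, 3, 10), date(2026, 3, 1), 120, 120)
    for kind, when in d.items():
        print(f"{kind:12s} {when if when else 'not required'}")
```

A practice can run this against its own incident log to see at a glance which notifications are due and when; note that the output is the legal outer limit, so an incident-response plan should set internal targets well inside it.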
Question: What information must be included in a breach notification to patients?
Answer:
Breach notifications must include:
- A brief description of what happened
- The types of PHI involved
- Steps individuals should take to protect themselves
- What the practice is doing to investigate, mitigate harm, and prevent future breaches
- Contact information for questions or additional information
Question: Does HIPAA require documentation of breach investigations?
Answer: Yes
Dental practices must document breach investigations, including risk assessments, decisions made, notifications issued, and corrective actions taken. Documentation is critical for demonstrating compliance during audits or investigations.
Question: Are staff required to be trained on breach response procedures?
Answer: Yes
HIPAA requires workforce members to be trained on policies and procedures related to safeguarding PHI, including how to recognize and report potential breaches. Staff awareness and timely reporting are essential components of breach prevention and response.
Question: How does breach response tie into the HIPAA 2026 update?
Answer:
The HIPAA 2026 update reinforces expectations around transparency, accountability, and timely response to privacy incidents. OCR continues to emphasize that delayed action, inadequate risk assessments, and poor documentation following a breach are common compliance failures.
HELPFUL LINKS (for staff and patients)
HHS HIPAA Right of Access Guidance (primary source): https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
HHS Personal Representatives & Minors FAQ:
https://www.hhs.gov/hipaa/for-professionals/faq/personal-representatives-and-minors/index.html
HHS Disclosure to Family & Friends:
https://www.hhs.gov/hipaa/for-professionals/faq/disclosures-to-family-and-friends/index.html
HIPAA Security Rule NPRM: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
HHS Breach Notification: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Prepared by: Dental Practice Resources
Source: U.S. Department of Health & Human Services (HHS) HIPAA guidance & FAQs