SOCHQ Pro+ · For medical & dental practices
A plain-language guide for medical and dental practices — what HIPAA's Security Rule requires, what's about to change, and how a small office meets it without hiring a security team.
This is practical guidance, not legal advice. HIPAA compliance depends on your specific practice, and parts of what's below are still proposed, not final. Verify with a qualified compliance professional or attorney before making decisions.
Your practice is a target. Not because anyone has a grudge — because you hold exactly what attackers want (patient records, insurance data, the ability to halt your operations) and, statistically, you're less defended than a hospital. Healthcare is one of the most-attacked industries on earth, and the breaches that make headlines hit the big systems. The ones that quietly end small practices never make the news.
Here's the good news this guide is built on: you do not need an enterprise budget or an IT department to be genuinely compliant and genuinely safe. You need to understand what's actually required, in plain English, and do it in the right order. Let's do that.
Two things are converging.
First, attacks on small practices keep climbing — ransomware that locks your scheduling and records until you pay, phishing that steals a login, business-email compromise that reroutes a payment.
Second, the rules are about to get much stricter. In late December 2024, the federal government proposed the most significant overhaul of the HIPAA Security Rule in over a decade. As of 2026 it is still proposed — not yet final, and it could change or be delayed — but the direction is unmistakable, and even regulators' more cautious voices agree: the safeguards in it are simply what good security looks like today. Waiting for the final rule to act is the wrong move.
The most important shift in the proposal: it would eliminate the old distinction between "required" and "addressable" safeguards. For years, many practices treated "addressable" as "optional." That era is ending. Nearly everything would become mandatory.
There's also a fight worth knowing about, because it's exactly your situation: major healthcare organizations have asked the government to withdraw the proposal, arguing that small and mid-sized providers can't absorb the cost — the government's own estimate runs into the billions in the first year. They're not wrong that enterprise-grade compliance has historically meant enterprise-grade bills. That's the problem this guide — and SOCHQ — exists to solve.
Before any tool or checklist, there is one foundational requirement that already exists today and that the proposed rule only strengthens: the Security Risk Analysis (SRA).
An SRA is a documented assessment of where electronic protected health information (ePHI) lives in your practice, what could go wrong, and how you're addressing each risk. It is the single most-cited failure in federal enforcement actions — practices fined after a breach are very often found to have never done one, or never updated it.
Think of it as the map everything else is built from. You can't protect data you haven't located, and you can't prove compliance you haven't documented. The proposed rule would require this annually, tied to a current inventory of your systems. If your last risk analysis was years ago — or never — this is step one.
Here's what the proposed rule would require, translated for a small office:
That list can look overwhelming. It isn't, once it's sequenced — and most of it is configuration and process, not expensive hardware.
This is the objection, and it's a fair one. Historically, the tools that do the above — continuous monitoring, asset inventory, vulnerability management, an actual security operations center watching for trouble — were priced for hospitals and large firms. A four-person dental office was told to buy enterprise software, hire a consultant, or hope for the best.
That's the gap worth naming plainly: enterprise-grade security has not meant enterprise-priced security for a while now — the market just hadn't caught up for small providers. The same monitoring and threat detection that protects a hospital can run for a small practice at a fraction of the cost, because the technology scales down even when the old pricing models didn't.
The expensive path is the breach you didn't prevent: the ransom, the downtime, the federal penalties, the patients who leave. Affordable, proactive security is dramatically cheaper than any one of those.
A realistic, prioritized order for a small practice:
Do those six and you've addressed the core of both today's rules and tomorrow's proposed ones.
SOCHQ Pro+ exists for exactly this practice: real, enterprise-grade security operations — continuous monitoring, asset visibility, threat detection, and the documentation trail compliance requires — priced and simplified for a small office without an IT team. It's built by people who run security operations centers for a living, scaled down with intention. The protection a hospital has, for a practice that can't staff a hospital's security department.
It doesn't replace your compliance officer or your attorney, and it won't write your SRA for you — but it handles the watching, the visibility, and much of the technical heavy lifting that the proposed rule would otherwise put on your already-full plate.
Again: this is guidance, not legal advice, and key requirements above are proposed and not yet final. Confirm specifics for your practice with a qualified HIPAA compliance professional or attorney.
Want a fast read on where your practice stands? Take the free SOCHQ HIPAA Security Risk Assessment — a 10-question starting point that flags your biggest gaps and what to prioritize. It's a starting point, not a substitute for a full SRA.
— The SOCHQ Pro+ team
Free, private, 2 minutes — and you'll leave with a prioritized action plan.