Data Security Compliance for US Small Businesses (2026)

US small businesses that hold sensitive data must meet a security baseline set by their regime: HIPAA for healthcare (dental and medical spas), the FTC Safeguards Rule for accounting and tax firms, plus breach-notification laws in all 50 states. The core controls are the same - MFA, encryption, access control, backup, an incident-response plan, and regular testing.

Informational material, not legal advice. Consult US counsel or a qualified compliance professional for your specific situation. Information date: 2026-06-14.

Owners get stuck on the wrong question. They ask “am I HIPAA compliant?” when the first question is “which rule even applies to me?” - and the answer is decided by the data you hold, not by your size or whether you think of yourself as a tech company. This guide maps the three regimes that actually bind US dental practices, medical spas, and accounting firms, then turns each obligation into a concrete action and a piece of proof you can show.

1. Which rules apply to my business?

Start with the data, not the regulation. The type of sensitive information you hold decides which framework binds you, and many small practices fall under two at once.

Patient health data triggers HIPAA. A dental practice or medical spa that creates, stores, or transmits electronic protected health information (ePHI) and bills electronically is a “covered entity” under the HIPAA Security Rule, enforced by the HHS Office for Civil Rights. There is no small-business exemption - a solo dentist carries the same baseline obligation as a hospital, sized to a smaller risk.

Customer financial data triggers the FTC Safeguards Rule. An accounting, bookkeeping, or tax-prep firm is a “non-banking financial institution” under the Gramm-Leach-Bliley Act, and the FTC Safeguards Rule has required a full information security program since June 2023. The IRS reinforces this for tax professionals through Publication 4557.

Personal data of any kind triggers state law. All 50 states have breach-notification statutes, and several - New York’s SHIELD Act, California’s CCPA, Virginia’s VCDPA - also impose affirmative security duties. These apply on top of HIPAA or FTC obligations, not instead of them.

Decision tree: which US data-security regime applies to your business

Start: what data do you hold?
- Patient health data (dental, medical spa) → HIPAA
- Customer financial data (accounting, tax, bookkeeping) → FTC Safeguards Rule
- Any personal data (every vertical) → plus state breach-notification laws

Two regimes can apply at once. The security controls underneath them are nearly identical.

The practical relief: the controls underneath all three regimes overlap heavily. Build the baseline once and you satisfy most of what each regulator wants.

2. What the rules require: documentation

Document first, because that is what an investigator asks for before anything else. Compliance is provable only on paper, and both HIPAA and the FTC Safeguards Rule name specific documents you must hold.

A written security program (WISP). Both regimes require a written plan describing what data you hold, how you protect it, and who is responsible. The FTC Safeguards Rule mandates a Written Information Security Program; IRS Publication 4557 requires the same of every paid tax preparer. For a small firm it can be a few honest pages, as long as it matches reality.

A risk analysis. The HIPAA Security Rule requires a documented, periodic risk analysis of where ePHI lives and what threatens it. The FTC Safeguards Rule requires a written risk assessment. This is the foundation document - skip it and every later control is unanchored.

A named person in charge. The FTC Safeguards Rule requires you to designate a single “qualified individual” to run the program; HIPAA requires a security official. In a small practice this is usually the owner or office manager, named in writing.

Vendor contracts. Under HIPAA, every vendor that touches ePHI - your cloud imaging host, your billing service - needs a signed Business Associate Agreement. Under the FTC Safeguards Rule you must oversee service providers by contract. A Business Associate Agreement is the US cousin of a GDPR Article 28 processing agreement: without it, handing data to a vendor is itself a violation.

An incident-response plan and a data inventory. Keep a short, written procedure for who does what when data is exposed, plus an inventory of the systems and data you hold. Both are required, and both are useless if written for the first time during an actual breach.

3. Technical and organizational safeguards

Translate the paperwork into controls that work. The HIPAA Security Rule and the FTC Safeguards Rule both demand safeguards “appropriate to the size and complexity” of your business, and for a small practice the practical baseline comes down to the short list below.

Multi-factor authentication (MFA) on every business account - email, your practice-management or accounting system, banking, and any cloud portal. MFA is the single control that defeats the majority of stolen-password attacks, and the FTC Safeguards Rule already names it explicitly.

Encryption of data in transit (HTTPS, using the TLS protocol) and at rest (full-disk encryption on laptops, encrypted backups). Under HIPAA, encrypted data that is lost or stolen can qualify for “safe harbor” - a lost encrypted laptop may not even count as a reportable breach.

Backup and recovery on the 3-2-1 rule: three copies, on two types of media, one off-site. This satisfies the “restore availability” requirement and is your only real defense against ransomware.

Access control on the minimum-necessary principle. Give each staff member their own account and only the access their job requires, and disable accounts the day someone leaves. HIPAA’s “minimum necessary” standard makes this a legal requirement, not just hygiene.

Regular testing. The current HIPAA Security Rule requires periodic evaluation of your safeguards; the FTC Safeguards Rule requires either continuous monitoring or annual penetration testing plus twice-yearly vulnerability scans for systems handling customer data. An external vulnerability assessment is the simplest way to meet this and to produce evidence you did.

The word “appropriate” carries weight. A three-person practice is not expected to run an enterprise security operations center. It is expected to size these controls to its risk - and to write down that it made the judgment.
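The access-control and MFA items above are the ones an investigator checks against an account list, so here is an added example (not the guide's own tooling) of the review a small practice can run over an export of its business accounts and its HR roster. It flags shared logins, accounts whose owner has left or is not on the roster, accounts without MFA, and access beyond what the role needs. The role-to-access table, the export format and the sample data are all assumptions constructed for the example.

```python
"""Access-control and MFA evidence check (added example, not from the guide).

Compares a constructed account export against a constructed HR roster and reports
the findings a minimum-necessary review is meant to surface. Output doubles as the
"account and access list" evidence the guide's checklist asks for.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Hypothetical minimum-necessary table (an assumption for this example): the access
# each role legitimately needs. A real practice derives its own from the risk analysis.
ROLE_ACCESS = {
    "dentist": {"practice_mgmt", "imaging", "email"},
    "hygienist": {"practice_mgmt", "imaging", "email"},
    "front_desk": {"practice_mgmt", "email"},
    "office_manager": {"practice_mgmt", "imaging", "email", "banking", "backup_portal"},
}


@dataclass
class Account:
    username: str
    owner: str                          # employee id; "" marks a shared or generic login
    mfa_enabled: bool
    access: Set[str] = field(default_factory=set)


@dataclass
class Employee:
    employee_id: str
    role: str
    end_date: Optional[date] = None     # None means still employed


def review_accounts(accounts: List[Account], roster: List[Employee],
                    today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an empty list means the export is clean."""
    by_id = {e.employee_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.owner:
            findings.append((acct.username, "shared or generic account: assign an individual owner"))
            continue                                    # no role to check against
        emp = by_id.get(acct.owner)
        if emp is None:
            findings.append((acct.username, "owner not on HR roster: disable or reassign"))
            continue
        if emp.end_date is not None and emp.end_date <= today:
            findings.append((acct.username, f"owner left on {emp.end_date}: disable account"))
        if not acct.mfa_enabled:
            findings.append((acct.username, "MFA not enabled"))
        excess = acct.access - ROLE_ACCESS.get(emp.role, set())
        if excess:
            findings.append((acct.username, f"access beyond role '{emp.role}': {sorted(excess)}"))
    return findings


# Constructed sample roster and account export (not real people or systems).
SAMPLE_ROSTER = [
    Employee("E1", "dentist"),
    Employee("E2", "front_desk", end_date=date(2026, 6, 1)),   # left two weeks ago
    Employee("E3", "office_manager"),
    Employee("E4", "front_desk"),
]
SAMPLE_ACCOUNTS = [
    Account("dr.lee", "E1", True, {"practice_mgmt", "imaging", "email"}),
    Account("reception", "", False, {"practice_mgmt"}),          # shared login
    Account("j.park", "E2", True, {"practice_mgmt", "email"}),   # departed owner
    Account("m.ross", "E3", False, {"practice_mgmt", "imaging", "email", "banking", "backup_portal"}),
    Account("temp2024", "E9", True, {"email"}),                  # nobody on the roster
    Account("a.cho", "E4", True, {"practice_mgmt", "email", "banking"}),  # excess access
]


def run_sample_review(today: date = date(2026, 6, 14)) -> List[Tuple[str, str]]:
    """Run the review over the constructed sample data."""
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, today)


if __name__ == "__main__":
    for username, finding in run_sample_review():
        print(f"{username:12} {finding}")
```

Run it against a real export by replacing the two SAMPLE_ lists with what your practice-management system and HR records actually contain; the dated output, kept with the WISP, is the proof that the review happened.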

4. Breach notification: the clocks

Know the clock before you need it, because every regime starts counting from the moment you discover the breach, not from when it began. Mixing the deadlines up is the most expensive mistake a small practice makes after an incident.

HIPAA: notify affected individuals “without unreasonable delay,” and no later than 60 calendar days after discovery. For a breach affecting 500 or more people you must also notify HHS and prominent local media within that same window; smaller breaches are logged and reported to HHS annually, per the HHS Breach Notification Rule.

FTC Safeguards Rule: notify the FTC as soon as possible and no later than 30 days after discovering a breach involving the data of 500 or more consumers. This requirement took effect in May 2024, and the notice is filed through the FTC’s online portal.

State laws: every state sets its own deadline to notify residents and, often, the state attorney general - some as tight as 30 days. When multiple clocks run at once, the shortest one governs your timeline.

Build the procedure before the incident. The worst position is a practice discovering, mid-crisis, that it has 30 days under one rule and no written plan for any of them.
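To make the "shortest clock governs" rule concrete, here is an added example (not from the guide) that a practice can keep in its incident-response plan: given the discovery date and the number of people affected, it lists each running clock from the periods the guide states and returns the earliest deadline. The state period is deliberately a placeholder parameter, because each state sets its own; the scenarios at the bottom are constructed.

```python
"""Breach-notification clock calculator (added example, not from the guide).

Every clock runs from the date of discovery. Periods and thresholds are the ones the
guide states: HIPAA 60 calendar days (HHS and media clocks only at 500+ affected),
FTC Safeguards 30 days and only when 500+ consumers are involved, state law varies.
"""
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

HIPAA_DAYS = 60                 # individuals; HHS and media too when 500+ are affected
HIPAA_REPORT_THRESHOLD = 500
FTC_DAYS = 30                   # notice to the FTC through its portal
FTC_THRESHOLD = 500             # only breaches touching 500+ consumers' data


def notification_clocks(discovered: date, affected: int, hipaa: bool = False,
                        ftc: bool = False,
                        state_days: Optional[int] = None) -> Dict[str, date]:
    """Return every running clock as {regime: deadline}.

    state_days is a placeholder (assumption): look up the real period for each
    state whose residents are affected before relying on the result.
    """
    clocks: Dict[str, date] = {}
    if hipaa:
        clocks["HIPAA: individuals"] = discovered + timedelta(days=HIPAA_DAYS)
        if affected >= HIPAA_REPORT_THRESHOLD:
            clocks["HIPAA: HHS and media"] = discovered + timedelta(days=HIPAA_DAYS)
        # Below 500 affected, HHS is told via the annual log rather than a running clock.
    if ftc and affected >= FTC_THRESHOLD:
        clocks["FTC Safeguards: FTC portal"] = discovered + timedelta(days=FTC_DAYS)
    if state_days is not None:
        clocks["State law (placeholder period)"] = discovered + timedelta(days=state_days)
    return clocks


def governing_deadline(clocks: Dict[str, date]) -> Optional[Tuple[str, date]]:
    """The shortest clock wins: the earliest deadline sets the plan's timeline."""
    if not clocks:
        return None
    return min(clocks.items(), key=lambda item: item[1])


def plan_for(discovered_iso: str, affected: int, hipaa: bool, ftc: bool,
             state_days: Optional[int]):
    """Convenience wrapper returning ISO date strings for reports and checks."""
    clocks = notification_clocks(date.fromisoformat(discovered_iso), affected,
                                 hipaa=hipaa, ftc=ftc, state_days=state_days)
    gov = governing_deadline(clocks)
    return ({k: v.isoformat() for k, v in clocks.items()},
            None if gov is None else (gov[0], gov[1].isoformat()))


if __name__ == "__main__":
    # Constructed scenario: a dental practice discovers on 2026-06-14 that 1,200
    # patient records were exposed; a hypothetical state gives residents 30 days.
    clocks, gov = plan_for("2026-06-14", 1200, hipaa=True, ftc=False, state_days=30)
    for regime, deadline in clocks.items():
        print(f"{regime:32} {deadline}")
    print("governing deadline:", gov)
```

Note the threshold behaviour: an accounting firm with 200 affected consumers has no FTC clock running at all, so its timeline is set entirely by state law, while at 700 the 30-day FTC clock typically becomes the tightest one.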

5. Penalties and enforcement (2025-2026)

Read enforcement honestly: the headline maximums are not what a small practice typically faces, but the trend line matters. Both regulators have moved toward documented, technical proof rather than good intentions.

HIPAA penalties are tiered by culpability, from roughly a hundred dollars per violation for unknowing lapses up to an annual cap in the low millions for willful neglect, adjusted yearly for inflation by HHS. The non-financial cost is often worse for a small practice: HHS publishes breaches of 500+ records on its public “breach portal,” widely known as the Wall of Shame.

The FTC can pursue civil penalties exceeding $50,000 per violation under the FTC Act - the figure is inflation-adjusted each year - and FTC actions can reach the principals of a firm personally, not just the business.

The 2025 direction is the part owners should watch. In January 2025 HHS published a proposed overhaul of the HIPAA Security Rule - its first major update in over two decades - that would remove the “addressable” category and make MFA, encryption of ePHI, annual penetration testing, six-monthly vulnerability scans, an asset inventory, and a written, tested incident-response plan mandatory, with no small-practice carve-out. As of mid-2026 that rule remains proposed, not final: HHS’s target window passed without publication, and more than 100 hospital systems and provider groups have asked the agency to withdraw it. Treat the proposed controls as the direction of travel, not yet the law - but note that almost all of them are already best practice and already implied by the current rule.

For a small firm the takeaway is calm but specific. The recurring failures regulators actually penalize are missing a risk analysis, having no incident-response plan, lacking vendor agreements, and being unable to prove safeguards exist - all of which are cheap to fix in advance.

6. Do I also need to worry about GDPR?

Skip GDPR unless you actually reach into the EU. The EU’s General Data Protection Regulation binds you only if you offer goods or services to, or monitor the behavior of, people in the EU (GDPR Article 3). A US dental practice, med spa, or CPA firm serving US clients almost never meets that test.

Check it once and move on. If you run an online store that ships to the EU, or market to EU residents, the GDPR analysis is worth a separate look - start with our GDPR definition. For everyone else, HIPAA, FTC, and state law are the whole picture.

7. Data security by industry

Apply the same baseline differently depending on the data you hold. The regime changes the paperwork, and the vertical changes where the risk concentrates.

Dental practices. Imaging and records systems hold ePHI under HIPAA, and the highest-value targets are your X-ray and practice-management data. Backups of imaging and tight access control on the practice-management system matter most. See our guide to dental practice cybersecurity and the dental security service.

Accounting and tax firms. You sit squarely under the FTC Safeguards Rule and IRS Publication 4557, and you often hold the most concentrated financial data of anyone your clients deal with. A real WISP and a designated qualified individual are the non-negotiables. See accounting firm cybersecurity and the accounting security service.

Medical spas. Before-and-after photos and treatment records are ePHI under HIPAA, and they double as a reputational liability if exposed. Posting patient images to social media needs separate, documented consent. See aesthetic practice cybersecurity and the aesthetic security service.

8. Where to start: the data-security minimum

Work the list below if you do only one thing after reading this. Each obligation is reduced to a concrete action, the proof an investigator expects, and the regime it answers to.

| Obligation | Concrete action | Proof | Regime |
|---|---|---|---|
| Risk analysis | Document where sensitive data lives and what threatens it | Written risk analysis | HIPAA, FTC |
| Written security program (WISP) | Write the plan; keep it current | The WISP document | FTC, IRS 4557 |
| Qualified individual / security official | Name one person in writing | Designation on file | HIPAA, FTC |
| Vendor agreements | Sign a BAA (health) or oversight clause (financial) with each vendor | Signed BAA / contract | HIPAA, FTC |
| Incident-response plan | Write the 30/60-day notification steps | The plan document | HIPAA, FTC, state |
| MFA | Turn it on for every account | Config screenshot | HIPAA, FTC |
| Encryption (TLS, disks) | HTTPS plus full-disk and backup encryption | Settings, certificate | HIPAA, FTC |
| Backup 3-2-1 | Three copies, two media, one off-site | Backup policy and logs | HIPAA, FTC |
| Access control | Individual accounts, minimum-necessary rights | Account and access list | HIPAA, FTC |
| Regular testing | Commission an external vulnerability assessment | Assessment report | HIPAA, FTC |

Order matters: start with the risk analysis and MFA, because they anchor everything else and stop the most attacks per hour spent. The external assessment closes the list and produces the “we test our safeguards” evidence both regulators want. A free PreScan is the fastest way to see your external exposure before an attacker or an investigator does; for the full scope and what each engagement includes, see our pricing and services.

FAQ

Does HIPAA apply to a solo dentist?

Yes. HIPAA has no size exemption. A solo dental practice that transmits any claim, eligibility, or benefit information electronically is a covered entity and must meet the HIPAA Security Rule in full. Scale your safeguards to your risk, but the obligation itself does not depend on headcount.

Do accountants really fall under the FTC Safeguards Rule?

Most do. The FTC Safeguards Rule covers non-banking financial institutions, and the FTC treats tax preparers, CPAs, and bookkeeping firms that handle customer financial data as covered. Full compliance has been mandatory since June 2023, including a written security program and a designated qualified individual.

What is a WISP?

A WISP is a Written Information Security Program - the documented plan describing how you protect customer data, who is responsible, and how you respond to incidents. The FTC Safeguards Rule requires one for financial firms, and IRS Publication 4557 requires one for every paid tax preparer.

How fast must I report a data breach?

It depends on the regime. HIPAA gives you up to 60 days to notify affected individuals and HHS. The FTC Safeguards Rule requires notifying the FTC within 30 days for breaches affecting 500 or more consumers. State laws add their own clocks, some shorter - so the tightest deadline wins.

Do I need a penetration test to be compliant?

Not always by name, but regular testing of your safeguards is expected. The current HIPAA Security Rule requires periodic evaluation, and the 2025 proposed update would make annual penetration testing and six-monthly vulnerability scans explicit. An external vulnerability assessment is the simplest way to produce that proof.

Not sure whether your technical safeguards would satisfy HIPAA or the FTC Safeguards Rule? Book a free PreScan - we’ll show you what an attacker sees about your practice within 24 hours, before a regulator or an attacker finds it first.