Rules about privacy and data security are being enforced, and chiropractic offices are feeling the impact. Regulators are no longer just looking at big hospitals or tech companies. Now, small and medium practices are expected to follow the same privacy, security, and data breach rules as any other health care group.

Recent legislation and real-world data breaches make one thing clear: privacy compliance is no longer optional.

California ended its 2025 lawmaking session with 14 new privacy and AI-related laws, showing a national trend toward more openness, more control for individuals, and more accountability for organizations. Even though these laws apply only to California, they give a good idea of what rules might come to other states.

AB 656 – Easier Account Deletion
This law requires companies to make account cancellation simple and ensure that deleting an account fully deletes personal data. The broader message for health care providers is clear: organizations must know where data is stored, how long it is retained, and how it is removed when no longer needed. For chiropractors, this includes EHRs, patient communication tools, cloud storage, and marketing platforms.

AB 566 – “Opt Me Out” by Default
Starting January 1, 2027, internet browsers must provide a simple, single-click way for users to stop their personal data from being sold or shared. Regulators now prefer easy-to-use privacy controls instead of hidden rules or complicated steps.

SB 361 – Stronger Oversight of Data Brokers
This law requires data brokers to be more open about what they do, including telling people if they share sensitive data with the government, police, or AI companies. For chiropractic offices, this means it is important to know what information your vendors can see and who they might share it with. (Botero, 2026)

Recent data breach alerts involving ChiroTouch and TriZetto Provider Solutions (TPS) underscore an important point: even if a vendor causes a data breach, the practice still must notify patients and report it to the government.

The breach exposed patient names, insurance information, birthdates, Social Security numbers, and more. Even though the problem has been fixed, clinics affected by the issue must inform their patients and report to the Office for Civil Rights on time. Not doing this can lead to serious punishment.

This is a powerful reminder that vendor risk is compliance risk. (Alder, 2026)

To reduce privacy and security exposure, practices should (Smartbase Solutions, 2024):

  • Know where patient data is stored and who has access
  • Vet vendors for HIPAA and security compliance
  • Maintain a documented breach response plan
  • Train staff on privacy and cybersecurity responsibilities
  • Act quickly when breach notifications are received

Privacy rules are getting stricter, not easier. Chiropractors who act now can protect their patients, their offices, and their reputations before these rules make the news. Learn more about HIPAA and EHR security by downloading this whitepaper from ChiroArmor. It walks you through the steps to protect your patient data, your clinic, and your reputation.

__

Dr. Ray Foxworth, DC, FICC, is the visionary behind ChiroHealthUSA, serving as its esteemed founder and CEO. With over 39 years of dedicated service in chiropractic care, Dr. Foxworth has navigated the complexities of billing, coding, documentation, and compliance firsthand. His rich experience includes roles as the former Staff Chiropractor at the G.V. Sonny Montgomery VA Medical Center and past chairman of the Chiropractic Summit and Mississippi Department of Health.

Dr. Foxworth is deeply committed to advancing the chiropractic profession, which is evident through his leadership roles. He is an at-large board member of the Chiropractic Future Strategic Plan and holds an executive board position with the Foundation for Chiropractic Progress.