
Ekim IT Solutions


How to Complete a HIPAA Risk Assessment for a Dental Office

Figure: checklist to dental practice workflow diagram

A HIPAA Security Risk Assessment is not optional and is not a one-time task. HIPAA requires every dental practice to conduct one annually and update it whenever significant changes occur to systems, staff, or vendors. It is the first document OCR requests during any HIPAA audit or investigation, and a practice that cannot produce a current one has no compliance defense regardless of how secure its actual systems are.

Here is how the process works, who is responsible for each part, and what your practice needs to do with the results.

The Most Common HIPAA Finding in Dental Practices

Missing or outdated Security Risk Assessments are the most common HIPAA finding in dental practices and the most common trigger for corrective action plans.

A dental practice that cannot produce a current, documented Security Risk Assessment during an OCR investigation has no compliance defense regardless of how secure its actual systems are. The assessment must exist, be current, and be available for review. Secure systems without documentation are still a HIPAA violation.

What a HIPAA Security Risk Assessment Covers

A HIPAA Security Risk Assessment identifies every threat to the confidentiality, integrity, and availability of electronic protected health information in your practice across three domains.

Physical Risks

Who has physical access to patient data and how is it secured

  • Who has physical access to servers and workstations
  • Whether devices are locked when unattended
  • Whether the server room is physically secured
  • How storage areas containing patient data are controlled

Technical Risks

Whether systems are configured to protect patient data

  • Whether workstations are encrypted
  • Whether MFA is enabled on all accounts with patient data access
  • Whether backups are running and verified
  • Whether the network is segmented to prevent unauthorized access
  • Whether software patches are current

Administrative Risks

Whether policies, training, and agreements are documented

  • Whether HIPAA policies are written and distributed
  • Whether all staff have completed HIPAA training with documented records
  • Whether Business Associate Agreements are signed with all vendors handling patient data

Who Completes What

Your IT Provider Completes

The technical assessment

  • Encryption status on all workstations and servers
  • MFA configuration across all accounts with patient data access
  • Backup verification and recovery testing
  • Network security and segmentation review
  • Access controls and user permission audit
  • Patch management status across all systems
  • Audit logging configuration and review

The Practice Owner Completes

The administrative and physical assessment

  • Staff training records and HIPAA training completion documentation
  • Written HIPAA policies and distribution records
  • Physical security of workstations and storage areas
  • Vendor BAA status for all vendors handling patient data
  • Designated HIPAA Privacy Officer documentation

The Combined Output

Both components are combined into a single documented Security Risk Assessment that identifies findings, assigns risk levels, and outlines remediation steps for each gap. Neither component alone satisfies the HIPAA requirement. Both must exist, be current, and reference the same assessment period.

Is Your Practice HIPAA Risk Assessment Ready?

Check every item your practice currently has in place. Unchecked items are gaps that OCR would identify during an investigation. Every gap needs a remediation plan before your next audit.

  • [Technical] A completed, documented Security Risk Assessment exists from the past 12 months
    This is the first document OCR requests. Without it there is no compliance defense, regardless of how secure your actual systems are.

  • [Technical] All workstations and servers are encrypted
    Unencrypted devices containing patient data are a direct HIPAA Security Rule violation. Your IT provider must confirm and document encryption status on every machine.

  • [Technical] Multi-factor authentication is enabled on all accounts with patient data access
    MFA is a required access control under the HIPAA Security Rule. This includes practice management software, email, and any cloud platforms that store or access PHI.

  • [Administrative] All staff have documented, up-to-date HIPAA training on file
    Undocumented training is treated the same as no training during an OCR investigation. Training records must be current and retrievable on request.

  • [Administrative] Signed Business Associate Agreements are on file for every vendor that handles patient data
    Missing BAAs are a standalone HIPAA violation. This includes your PMS vendor, imaging software, patient communication platform, IT provider, and any cloud storage used for patient records.

  • [Technical] Data backups are tested and verified on a documented schedule
    Untested backups do not satisfy HIPAA Security Rule data backup and recovery requirements. Backup verification must be documented, not assumed.

How Often the Assessment Must Be Updated

Required Update Triggers

Annually at minimum. HIPAA requires the Security Risk Assessment to be reviewed and updated at minimum once per year.

Adding new locations. Each new location introduces new physical, technical, and administrative risks that must be assessed.

Changing practice management software. A new PMS changes how patient data is stored, accessed, and transmitted.

Onboarding a new vendor that handles patient data. Every new vendor with PHI access requires a BAA and a risk profile update.

Significant staff changes. Role changes, departures of key personnel with PHI access, or new hires in administrative roles.

Any security incident. A breach, ransomware event, or unauthorized access triggers a mandatory reassessment.

What to Do With the Findings

1. Assign a risk level to each finding

Each identified gap must be rated High, Medium, or Low based on the likelihood and impact of a breach. OCR expects risk levels, not just a list of issues.

2. Create a remediation plan for each gap

Each finding needs a documented remediation plan. The fix does not have to happen immediately. It must be planned, documented, and tracked.

3. Assign a responsible party to each item

Every remediation item needs an owner. OCR does not expect perfection. They expect good-faith documentation of identified risks and a plan to address them.
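The three steps above produce a risk register. The following script is an added example (not part of the original article or of any Ekim IT Solutions tooling) that rates each finding from a likelihood x impact grid, flags findings with no remediation plan or owner, and applies the 12-month currency rule; the 1-3 scoring scale, the thresholds, and the sample findings are constructed assumptions for illustration.

```python
from datetime import date, timedelta


def risk_level(likelihood: int, impact: int) -> str:
    """Rate a finding High/Medium/Low from a 1-3 likelihood x 1-3 impact grid (assumed scale)."""
    score = likelihood * impact          # 1..9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def assessment_is_current(completed_on: date, today: date) -> bool:
    """The article's rule: an assessment older than 12 months is out of date."""
    return today - completed_on <= timedelta(days=365)


def review_register(findings, completed_on: date, today: date):
    """Rate every finding and list what an auditor would flag: no plan, no owner, stale SRA."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rated, issues = [], []
    for f in findings:
        rated.append({**f, "level": risk_level(f["likelihood"], f["impact"])})
        if not f.get("remediation"):
            issues.append(f"{f['gap']}: no documented remediation plan")
        if not f.get("owner"):
            issues.append(f"{f['gap']}: no responsible party assigned")
    if not assessment_is_current(completed_on, today):
        issues.append("assessment is older than 12 months: reassess before anything else")
    rated.sort(key=lambda r: order[r["level"]])   # highest risk first
    return rated, issues


# Constructed sample findings modelled on the gaps this article lists.
SAMPLE_FINDINGS = [
    {"gap": "Two front-desk workstations unencrypted", "domain": "Technical",
     "likelihood": 2, "impact": 3, "remediation": "Enable full-disk encryption", "owner": "IT provider"},
    {"gap": "No BAA on file for imaging vendor", "domain": "Administrative",
     "likelihood": 3, "impact": 2, "remediation": "", "owner": "Practice owner"},
    {"gap": "Backups run nightly but a restore was never tested", "domain": "Technical",
     "likelihood": 2, "impact": 2, "remediation": "Quarterly documented restore test", "owner": ""},
    {"gap": "Server room door propped open during business hours", "domain": "Physical",
     "likelihood": 1, "impact": 2, "remediation": "Door closer and badge lock", "owner": "Practice owner"},
]

if __name__ == "__main__":
    rated, issues = review_register(SAMPLE_FINDINGS, date(2025, 3, 1), date(2026, 2, 1))
    for r in rated:
        print(f"[{r['level']:6}] {r['domain']:14} {r['gap']}")
    for i in issues:
        print("ISSUE:", i)
```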

The Most Common Compliance Mistake

Treating the risk assessment as a one-time project. A dental practice that completed a thorough assessment in 2022 and has not updated it since is non-compliant in 2026 regardless of how thorough the original assessment was. The assessment must be current, not just complete.

Frequently Asked Questions

The technical portion completed by your IT provider typically takes two to four hours for a single-location practice. The administrative and physical assessment completed by the practice owner takes an additional one to three hours. Compiling the findings and remediation plan adds time depending on how many gaps are identified. Plan for a half-day total for a first-time assessment at a single location.

Not necessarily. A dental-specific IT provider handles the technical portions and can guide the practice through the administrative and physical components. For practices with complex setups, multiple locations, or a recent breach, a dedicated HIPAA consultant adds value. For most single-location practices, a dental IT provider with strong HIPAA expertise is sufficient.

A missing or outdated Security Risk Assessment is an automatic compliance finding. OCR will typically require a corrective action plan that includes completing a current assessment within a defined timeline. Financial penalties depend on how long the practice has been operating without a current assessment and whether other compliance gaps are discovered during the same investigation.

Ekim IT Solutions completes the technical portion of the Security Risk Assessment as part of our standard managed IT service for every dental practice we manage. That includes documenting encryption status, MFA configuration, backup verification, network security architecture, access control settings, and patch management status. We provide this documentation in a format ready for inclusion in the practice's combined risk assessment report.
Has your dental practice completed a HIPAA Security Risk Assessment this year and can you produce the documentation if OCR asks?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We complete the technical portions of HIPAA Security Risk Assessments for dental practices and provide the documentation your practice needs to demonstrate compliance when it counts.
