
Ekim IT Solutions


What Is a HIPAA Risk Assessment for Dental Practices

[Featured image: a magnifying glass over a medical document]

A HIPAA risk assessment is not a checkbox. It is a legal requirement, and it is the single most commonly cited deficiency in OCR enforcement actions against dental practices. Most dental offices have either never completed one or completed one years ago and never updated it.

Understanding what a risk assessment actually involves and why it matters is the first step toward having one that would hold up under scrutiny. Here is what it is, what it covers, and how dental practices should approach it.

The risk analysis requirement is the most cited deficiency in OCR HIPAA enforcement actions.
Practices that experience a breach and cannot produce a current, documented risk assessment face significantly higher fines, because the lack of a risk assessment is itself a violation, separate from the breach that triggered the investigation.

What a HIPAA Risk Assessment Is

A HIPAA Security Risk Assessment, sometimes called an SRA, is a structured review of how your practice creates, receives, stores, and transmits electronic protected health information. The HIPAA Security Rule requires every covered entity to conduct one under 45 CFR 164.308(a)(1)(ii)(A).

The purpose of the assessment is to identify where ePHI could be at risk of unauthorized access, alteration, or destruction. It looks at both technical vulnerabilities and human factors. The output is a documented record of what risks exist, how serious they are, and what your practice plans to do to address them.

What a Risk Assessment Covers in a Dental Practice

01 Scope definition
The assessment begins by identifying every system, device, application, and vendor that creates, receives, stores, or transmits ePHI. In a dental office this typically includes the practice management system, imaging software, email, cloud backup, any mobile devices used by staff, and all business associates with data access.

02 Threat identification
The assessment identifies potential threats to ePHI. For dental practices, the most common threats are ransomware, phishing attacks, unauthorized staff access, hardware loss or theft, software vulnerabilities from unpatched systems, and third-party vendor breaches.

03 Vulnerability assessment
Vulnerabilities are the weaknesses in your systems or practices that could allow a threat to succeed. Common vulnerabilities in dental offices include shared login credentials, unencrypted devices, outdated software without security patches, missing Multi-Factor Authentication, and incomplete backup coverage.

04 Likelihood and impact rating
Each identified risk is evaluated for how likely it is to occur and how damaging it would be if it did. This produces a risk score that helps prioritize remediation. A high-likelihood, high-impact risk such as unencrypted laptops used to access patient records needs immediate attention. A low-likelihood risk may be acceptable to monitor without immediate action.

05 Documentation of findings and remediation plan
The completed assessment must be documented. This documentation needs to show what was evaluated, what risks were found, how they were rated, and what the practice plans to do to address them. This document is what OCR will ask to see during an investigation.
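The five steps above describe one workflow: list in-scope assets, pair each with a threat and a vulnerability, rate likelihood and impact, score and rank, then write the result down with a remediation plan and a next-review date. The script below is an added example of that workflow as a small risk register. It is not code from Ekim IT Solutions or from the HHS SRA tool; the 1-to-3 rating scale, the score thresholds for "immediate", "scheduled" and "monitor", and every finding in SAMPLE_FINDINGS are constructed for illustration and should be replaced with a practice's own ratings.

```python
"""Minimal HIPAA risk-register example (constructed, not a vendor or HHS tool)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed 1-3 rating scale for likelihood and impact (low/medium/high).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Assumed thresholds on the product likelihood x impact (range 1..9).
IMMEDIATE_AT = 6   # 6 or 9: fix now
SCHEDULED_AT = 3   # 3 or 4: put on the remediation schedule
                   # 1 or 2: accept and monitor


@dataclass
class Finding:
    """One row of the register: an in-scope ePHI asset, a threat that could
    affect it, the weakness that lets the threat succeed, the two ratings,
    and the planned fix with an accountable owner."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    remediation: str
    owner: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def priority(self) -> str:
        if self.score >= IMMEDIATE_AT:
            return "immediate"
        if self.score >= SCHEDULED_AT:
            return "scheduled"
        return "monitor"


def build_register(findings, assessed_on: date) -> dict:
    """Rank findings by score (highest first) and attach the dates an
    auditor looks for: when the assessment was done and when the annual
    review is due. Equal scores keep their original order."""
    ranked = sorted(findings, key=lambda f: f.score, reverse=True)
    return {
        "assessed_on": assessed_on.isoformat(),
        "next_review_by": (assessed_on + timedelta(days=365)).isoformat(),
        "findings": [
            {
                "asset": f.asset, "threat": f.threat,
                "vulnerability": f.vulnerability,
                "likelihood": f.likelihood, "impact": f.impact,
                "score": f.score, "priority": f.priority,
                "remediation": f.remediation, "owner": f.owner,
            }
            for f in ranked
        ],
    }


def format_register(register: dict) -> str:
    """Render the register as the plain-text record the practice keeps on file."""
    lines = [f"Security Risk Assessment - assessed {register['assessed_on']}, "
             f"next review by {register['next_review_by']}"]
    for f in register["findings"]:
        lines.append(
            f"[{f['priority']:9}] score {f['score']}  {f['asset']}: "
            f"{f['threat']} via {f['vulnerability']} -> {f['remediation']} "
            f"(owner: {f['owner']})")
    return "\n".join(lines)


# Constructed sample findings for a small dental office.
SAMPLE_FINDINGS = [
    Finding("Front-desk laptop", "Hardware loss or theft", "Disk not encrypted",
            "high", "high", "Enable full-disk encryption", "IT provider"),
    Finding("Practice management system", "Unauthorized staff access",
            "Shared login credentials", "medium", "high",
            "Issue individual accounts and remove shared login", "Office manager"),
    Finding("Staff email", "Phishing", "No multi-factor authentication",
            "high", "medium", "Enforce MFA on all mailboxes", "IT provider"),
    Finding("Imaging workstation", "Ransomware", "Missing security patches",
            "medium", "medium", "Join patch schedule", "IT provider"),
    Finding("Cloud backup", "Ransomware", "Backup excludes imaging data",
            "low", "high", "Add imaging share to backup set", "IT provider"),
    Finding("Reception printer", "Unauthorized staff access",
            "Print queue retains job names", "low", "low",
            "Review quarterly", "Office manager"),
]

if __name__ == "__main__":
    print(format_register(build_register(SAMPLE_FINDINGS, date.today())))
```

Running the script prints the ranked register: the unencrypted laptop scores 9 and is listed first, the two score-6 items follow, and the printer finding lands at the bottom as "monitor". The point of the structure is that each row already carries what OCR asks to see: what was evaluated, the threat and weakness found, how it was rated, and what the practice plans to do about it.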
Maintenance requirement

Your risk assessment must be updated when:

01 A year has passed
Annual review is the minimum standard under the Security Rule. A risk assessment completed once and never revisited does not satisfy the requirement.

02 Your systems change
New software, a new location, or new cloud tools all require an update. Any change to how ePHI is created, stored, or transmitted is a triggering event.

03 An incident occurs
Any breach or suspected breach triggers immediate reassessment. OCR will expect to see how the incident changed your risk posture and what you did to address it.

04 You add a new vendor
Every new ePHI access point is a new risk that must be documented. A new IT provider, billing service, or cloud backup relationship requires a BAA and an SRA update.

The HHS SRA Tool

A free starting point from HHS
HHS and the Office of the National Coordinator for Health IT offer a free Security Risk Assessment tool designed for small and medium-sized healthcare practices. The tool walks through 166 questions covering administrative, physical, and technical safeguards. It is a reasonable starting point for practices that have never completed an assessment.

Not sufficient on its own
The tool does not tell you how to fix what it finds, does not monitor your practice between assessments, and does not integrate with policy management or training records. For a dental practice that wants a compliance program that would hold up under OCR scrutiny, the free tool alone is typically not sufficient.

Frequently Asked Questions

At minimum, annually. The Security Rule does not specify a frequency, but OCR guidance and industry consensus are that practices should conduct and document a risk assessment every 12 months and update it whenever significant changes occur to systems, staff, or vendors.

The absence of a documented risk assessment is itself a HIPAA violation. If OCR investigates a complaint or breach and finds no current risk assessment on file, the practice faces penalties for the missing assessment in addition to any other violations found. Multiple fines can stack quickly.

Yes, but with limitations. The HHS SRA tool helps practices identify some vulnerabilities. However, a self-conducted assessment may miss technical gaps that require IT expertise to identify, such as network vulnerabilities, unencrypted data paths, or misconfigured backup systems. Many practices use a combination of the free tool and professional IT support to produce a more complete assessment.

Yes. Ekim IT Solutions conducts HIPAA Security Risk Assessments for dental practices as part of our compliance support services. We serve practices across all 50 states remotely and provide on-site support in New England and New York. A risk assessment with Ekim produces documented findings, a prioritized remediation plan, and the documentation your practice needs to demonstrate compliance.
Can you pull up your last risk assessment right now?

If you cannot locate it or it has not been updated in over a year, you are already out of compliance.

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We provide the technical documentation your Security Risk Analysis requires so your practice is covered when it counts.