
What Is a HIPAA Risk Assessment for Dental Practices


A HIPAA risk assessment is not a checkbox. It is a legal requirement, and it is the single most commonly cited deficiency in OCR enforcement actions against dental practices. Most dental offices have either never completed one or completed one years ago and never updated it.

Understanding what a risk assessment actually involves and why it matters is the first step toward having one that would hold up under scrutiny. Here is what it is, what it covers, and how dental practices should approach it.

Callout: The risk analysis requirement is the most cited deficiency in OCR HIPAA enforcement actions. Practices that have experienced a breach and cannot produce a current, documented risk assessment face significantly higher fines, because the missing assessment is itself a separate violation.

What a HIPAA Risk Assessment Is

A HIPAA Security Risk Assessment, sometimes called an SRA, is a structured review of how your practice creates, receives, stores, and transmits electronic protected health information. The HIPAA Security Rule requires every covered entity to conduct one under 45 CFR 164.308(a)(1)(ii)(A).

The purpose of the assessment is to identify where ePHI could be at risk of unauthorized access, alteration, or destruction. It looks at both technical vulnerabilities and human factors. The output is a documented record of what risks exist, how serious they are, and what your practice plans to do to address them.

What a Risk Assessment Covers in a Dental Practice

Scope definition

The assessment begins by identifying every system, device, application, and vendor that creates, receives, stores, or transmits ePHI. In a dental office, this typically includes the practice management system, imaging software, email, cloud backup, any mobile devices used by staff, and all business associates with data access.

Threat identification

The assessment identifies potential threats to ePHI. For dental practices, the most common threats are ransomware, phishing attacks, unauthorized staff access, hardware loss or theft, software vulnerabilities from unpatched systems, and third-party vendor breaches.

Vulnerability assessment

Vulnerabilities are the weaknesses in your systems or practices that could allow a threat to succeed. Common vulnerabilities in dental offices include shared login credentials, unencrypted devices, outdated software without security patches, missing Multi-Factor Authentication, and incomplete backup coverage.

Likelihood and impact rating

Each identified risk is evaluated for how likely it is to occur and how damaging it would be if it did. This produces a risk score that helps prioritize remediation. A high-likelihood, high-impact risk such as unencrypted laptops used to access patient records needs immediate attention. A low-likelihood risk may be acceptable to monitor without immediate action.

Documentation of findings and remediation plan

The completed assessment must be documented. This documentation needs to show what was evaluated, what risks were found, how they were rated, and what the practice plans to do to address them. This document is what OCR will ask to see during an investigation.
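The steps above (scope, threats, vulnerabilities, likelihood and impact rating, documented findings with a remediation plan) carried through in code, as an added example that is not from the original post or Ekim's own tooling: a small risk register in Python with constructed sample entries for a hypothetical dental office. The 1-3 scales, the likelihood times impact score, and the rating thresholds are this example's assumptions, not a scale the Security Rule prescribes.

```python
"""Minimal HIPAA-style risk register (added example, constructed data).

Walks the assessment steps: each entry names an in-scope asset that handles
ePHI, the threat, the vulnerability that lets the threat succeed, a
likelihood and impact rating, and the planned remediation. The output is a
prioritized, documented findings record.
"""

from dataclasses import dataclass, field, asdict
import json

# Ordinal scales, 1 = lowest, 3 = highest. These labels and the thresholds
# below are this example's assumption, not a scale mandated by the rule.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_score(likelihood, impact):
    """Likelihood x impact on the 1-3 scales, so scores range from 1 to 9."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]


def risk_rating(score):
    """Bucket a 1-9 score into high / medium / low (assumed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str          # system, device, or vendor in scope that handles ePHI
    threat: str         # what could go wrong
    vulnerability: str  # weakness that would let the threat succeed
    likelihood: str     # "low" | "medium" | "high"
    impact: str         # "low" | "medium" | "high"
    remediation: str    # planned control, or "monitor" for accepted risks
    score: int = field(init=False)
    rating: str = field(init=False)

    def __post_init__(self):
        self.score = risk_score(self.likelihood, self.impact)
        self.rating = risk_rating(self.score)


def prioritize(risks):
    """Highest score first; sorted() is stable, so ties keep input order."""
    return sorted(risks, key=lambda r: -r.score)


def findings_document(risks):
    """JSON record of what was evaluated, how it was rated, and the planned
    fix: the artifact an investigator would ask to see."""
    return json.dumps([asdict(r) for r in prioritize(risks)], indent=2)


# Constructed sample register for a hypothetical office (not real findings).
SAMPLE_RISKS = [
    Risk("Staff laptops", "Loss or theft", "Disk not encrypted",
         "high", "high", "Enable full-disk encryption; require PIN at boot"),
    Risk("Practice management system", "Unauthorized staff access",
         "Shared front-desk login", "high", "medium",
         "Issue individual accounts; enable audit logging"),
    Risk("Email", "Phishing", "No multi-factor authentication",
         "high", "high", "Enforce MFA on every mailbox"),
    Risk("Cloud backup", "Ransomware", "Backups reachable from workstations",
         "medium", "high",
         "Isolate backup credentials; test restores quarterly"),
    Risk("Imaging software", "Unpatched software vulnerability",
         "Vendor patches applied ad hoc", "medium", "medium",
         "Monthly patch window; track vendor advisories"),
    Risk("Reception printer", "Hardware failure", "Single device, no spare",
         "low", "low", "Monitor; no immediate action"),
]

if __name__ == "__main__":
    print(findings_document(SAMPLE_RISKS))
```

Running the block prints the register ordered by score, with the two unencrypted-laptop and phishing entries at the top and the accepted low-likelihood, low-impact item at the bottom; the same JSON, dated and revised when systems, staff, or vendors change, is the documentation the next section describes.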

Callout: When to update a HIPAA risk assessment. When a year has passed: annual review is the minimum standard under the Security Rule. When systems change, including new software or new locations. When any breach or suspected breach occurs, which triggers immediate reassessment. When a new vendor is added: every new ePHI access point is a new risk that must be documented.

The HHS SRA Tool

HHS and the Office of the National Coordinator for Health IT offer a free Security Risk Assessment tool designed for small and medium-sized healthcare practices. The tool walks through 166 questions covering administrative, physical, and technical safeguards. It is a reasonable starting point for practices that have never completed an assessment.

The tool has limitations. It does not tell you how to fix what it finds, it does not monitor your practice between assessments, and it does not integrate with policy management or training records. For a dental practice that wants a compliance program that would hold up under OCR scrutiny, the free tool alone is typically not sufficient.

Frequently Asked Questions

How often does a dental practice need a HIPAA risk assessment?

At minimum, annually. The Security Rule does not specify a frequency, but OCR guidance and industry consensus are that practices should conduct and document a risk assessment every 12 months and update it whenever significant changes occur to systems, staff, or vendors.

What happens if a dental practice skips the risk assessment?

The absence of a documented risk assessment is itself a HIPAA violation. If OCR investigates a complaint or breach and finds no current risk assessment on file, the practice faces penalties for the missing assessment in addition to any other violations found. Multiple fines can stack quickly.

Can a dental practice do the risk assessment itself?

Yes, but with limitations. The HHS SRA tool helps practices identify some vulnerabilities. However, a self-conducted assessment may miss technical gaps that require IT expertise to identify, such as network vulnerabilities, unencrypted data paths, or misconfigured backup systems. Many practices use a combination of the free tool and professional IT support to produce a more complete assessment.

Does Ekim conduct HIPAA risk assessments for dental practices?

Yes. Ekim IT Solutions conducts HIPAA Security Risk Assessments for dental practices as part of our compliance support services. We serve practices across all 50 states remotely and provide on-site support in New England and New York. A risk assessment with Ekim produces documented findings, a prioritized remediation plan, and the documentation your practice needs to demonstrate compliance.

Is your risk assessment current and documented?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. Security, compliance, and everything in between so you can focus on patients.

Schedule a Fit Call: Find out in 15 minutes if we are the right fit for your practice.

Ezra Angelo