A HIPAA security risk assessment for dental practices is a structured review of how your practice creates, receives, stores, and transmits electronic protected health information (ePHI), and where that information could be exposed. The HIPAA Security Rule requires it of every covered entity and business associate (45 CFR 164.308(a)(1)(ii)(A)), and there is no small-practice exemption.
Here is the part that catches dentists out: a missing, outdated, or undocumented SRA is the most frequently cited deficiency in OCR enforcement actions. When a complaint or breach brings OCR to your door, the risk analysis is the first thing they ask to see, and "we use HIPAA-compliant software" is not an answer. The duty is yours, not your vendor's.
A checklist is not a risk assessment
The 6-step SRA process
You can run this yourself or with a partner, but the structure is the same:
Inventory every system and where ePHI lives
List every system, device, application, and vendor that creates, receives, stores, or transmits electronic protected health information: your practice management software (PMS: Dentrix, Eaglesoft, Open Dental), imaging/X-ray systems, the server or cloud where they live, workstations, laptops, tablets, phones, the cloud backup, email, and any billing or claims service. You can't assess what you haven't inventoried.
Map the data flows
Trace how ePHI moves — from intake forms to the PMS, to imaging, to claims/billing, to backups, to any specialist or lab you share records with. Each hop is a place data can be exposed.
Identify threats and vulnerabilities
For each system, list realistic threats (ransomware, lost/stolen laptop, phishing, a vendor breach, a disgruntled employee) and the vulnerabilities that enable them (no MFA, shared logins, unencrypted devices, missing patches, no offsite backup).
Rate likelihood and impact
Score each risk by how likely it is and how bad it would be, for example each on a 1 to 5 scale, so that the combined score gives you a priority order. This is what turns a checklist into a risk assessment: it tells you what to fix first.
Review current safeguards
Document the administrative, technical, and physical safeguards already in place: access controls, encryption, backups, logging, business associate agreements (BAAs), physical security of the server and workstations, and note where each falls short.
Document, remediate, and date it
Produce a written, dated record of the risks found, their severity, and your remediation plan (a risk-management plan). The Security Rule's documentation standard (45 CFR 164.316) requires the SRA to be written; a verbal or in-someone's-head assessment doesn't count.
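The six steps above, carried through as a small risk register. This is an added illustration, not a tool from the page, from OCR, or from any PMS vendor: the 1 to 5 likelihood and impact scale, the high/medium/low thresholds, and the sample inventory are all assumptions constructed for the example. It inventories assets, pairs each with a threat and the vulnerability that enables it, scores likelihood times impact, flags the common dental-office gaps from the inventory alone, and emits a dated record with the remediation plan in priority order.

```python
"""Dental-practice SRA risk register (added example; scale and data are assumed).

Likelihood and impact are each scored 1 (low) to 5 (high); the product is the
risk score. Tier thresholds are an assumption, not an OCR rule."""
from dataclasses import dataclass, asdict
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    """One system, device, or vendor that creates, receives, stores or transmits ePHI."""
    name: str
    kind: str                      # "server", "workstation", "portable", "vendor", "email"
    vendor: Optional[str] = None   # third party operating it, who must sign a BAA
    baa_signed: bool = True
    encrypted: bool = True         # at-rest encryption; decisive for portables
    mfa: bool = True
    unique_logins: bool = True     # False means staff share one account


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1..5
    impact: int       # 1..5
    remediation: str

    def __post_init__(self) -> None:
        # Reject out-of-range scores so a typo cannot silently inflate or hide a risk.
        for label, v in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= v <= 5:
                raise ValueError(f"{label} must be 1..5, got {v}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def tier(self) -> str:
        # Assumed thresholds: 15+ high, 8-14 medium, below 8 low.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def find_common_gaps(assets: List[Asset]) -> List[str]:
    """Flag the gaps the SRA finds most often, directly from inventory attributes."""
    gaps = []
    for a in assets:
        if a.vendor and not a.baa_signed:
            gaps.append(f"{a.name}: no BAA with {a.vendor}")
        if a.kind == "portable" and not a.encrypted:
            gaps.append(f"{a.name}: unencrypted portable device holding ePHI")
        if a.kind in ("server", "email") and not a.mfa:
            gaps.append(f"{a.name}: no MFA")
        if not a.unique_logins:
            gaps.append(f"{a.name}: shared login, no per-user audit trail")
    return gaps


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so catastrophic items surface."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def build_record(assets: List[Asset], risks: List[Risk], assessed_on: date) -> dict:
    """The written, dated artifact: inventory, scored risks, gaps, remediation plan."""
    ranked = prioritize(risks)
    return {
        "assessed_on": assessed_on.isoformat(),
        "inventory": [asdict(a) for a in assets],
        "risks": [dict(asdict(r), score=r.score, tier=r.tier) for r in ranked],
        "gaps": find_common_gaps(assets),
        "remediation_plan": [f"[{r.tier}] {r.asset}: {r.remediation}" for r in ranked],
    }


# Constructed sample inventory and threat list (not a real practice).
SAMPLE_ASSETS = [
    Asset("PMS server", "server", mfa=False, unique_logins=False),
    Asset("Front-desk laptop", "portable", encrypted=False),
    Asset("Cloud backup", "vendor", vendor="ExampleBackup (constructed)", baa_signed=False),
    Asset("Office email", "email", mfa=False),
    Asset("Imaging workstation", "workstation"),
]
SAMPLE_RISKS = [
    Risk("PMS server", "ransomware via phishing", "no MFA, shared front-desk login", 4, 5,
         "Enable MFA and issue per-user accounts"),
    Risk("Front-desk laptop", "lost or stolen device", "disk not encrypted", 3, 5,
         "Turn on full-disk encryption and record the evidence"),
    Risk("Cloud backup", "vendor breach", "no BAA; restore never tested", 2, 4,
         "Sign a BAA; test-restore quarterly"),
    Risk("Imaging workstation", "malware from USB media", "staff have local admin", 2, 2,
         "Remove local admin rights"),
]

if __name__ == "__main__":
    record = build_record(SAMPLE_ASSETS, SAMPLE_RISKS, date.today())
    for line in record["remediation_plan"]:
        print(line)
    for gap in record["gaps"]:
        print("gap:", gap)
```

The register is deliberately independent of any PMS: the inventory attributes are the things an auditor asks for (who operates it, is a BAA signed, is it encrypted, is there MFA, are logins unique), and the remediation plan comes out already ordered by score, which is the difference between a checklist and a risk assessment.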
The gaps the SRA finds most often in dental offices
Across small practices, the same handful of issues surface again and again:
- Shared logins to the practice management system: HIPAA requires unique user identification (45 CFR 164.312(a)(2)(i)), and a shared account destroys the audit trail
- Unencrypted laptops, tablets, and phones holding ePHI: loss of an unencrypted device is presumed to be a reportable breach, while encryption that meets HHS guidance is the safe harbor
- No Business Associate Agreement with the PMS vendor, cloud backup, IT company, or billing service
- Backups that run but are never test-restored — or aren't offsite/immutable
- No MFA on email or the practice management system
- Treating a vendor's 'HIPAA-compliant' product as if it satisfies your SRA duty (it doesn't)
How often do we have to do it?
OCR guidance and industry consensus: conduct and document the SRA at least every 12 months, and update it whenever something significant changes, such as a new practice management system, a new location, a merger, new vendors, or a security incident. The proposed 2026 Security Rule updates push further toward scheduled technical testing (vulnerability scanning and penetration testing) and tighter documentation, so an annual, evidenced cadence is the safe posture.
SRA vs. "being HIPAA compliant"
The SRA is the foundation the rest of HIPAA compliance is built on — it tells you which safeguards you actually need. Completing it doesn't make you "done"; it produces a remediation plan you then have to execute (MFA, encryption, BAAs, training, backups). But without it, everything else is guesswork — and legally, its absence is the cited violation.
The 6-Question SRA Self-Check
If you can't answer "yes" — with documentation — to each of these, you have an SRA gap.
1. Have we completed a written, dated SRA in the past 12 months?
2. Does it inventory every system and vendor that touches ePHI?
3. Did we rate each risk by likelihood and impact (not just a yes/no checklist)?
4. Do we have a documented remediation / risk-management plan for the gaps?
5. Do we have signed BAAs with every vendor that handles ePHI?
6. Did we re-run the SRA after our last major change (new PMS, new location, new vendor)?
The bottom line
The security risk assessment isn't paperwork for its own sake: it's the one document that tells you where your practice is actually exposed, and the first one OCR will ask for. Run it properly, write it down, date it, and act on what it finds. A typical single-location practice can complete a defensible SRA and its remediation plan in a few weeks with the right help.
See how we support practices on our cybersecurity for healthcare practices page, or read the 7 threats hitting dental practices.
Related reading: the HIPAA risk analysis OCR actually wants and what HIPAA requires from your vendors (BAAs).
Free HIPAA Risk-Analysis Worksheet — run your SRA step by step.
A fillable worksheet that walks the inventory, threat-rating, and remediation steps OCR expects, with the evidence checklist auditors ask for.
Free HIPAA Risk-Readiness Assessment
We help your dental practice run a defensible SRA and fix what it finds, with no jargon and no obligation. Start with a free 30-minute assessment.