HIPAA Risk Assessment for Dental Practices: How to Do It Right (2026 Compliance Guide)
Introduction
A HIPAA risk assessment is not optional, not a checkbox, and not something to do once every few years. For dental practices, it is a required, recurring process that reduces breach likelihood, strengthens audit defensibility, and protects patient trust. This guide explains how to assess HIPAA risk the right way using an approach aligned with federal expectations and practical dental workflows.
What Is a HIPAA Risk Assessment?
A HIPAA risk assessment (HHS and OCR call it a Security Risk Analysis) is a systematic evaluation of risks to electronic protected health information (ePHI) across your organization. Under the HIPAA Security Rule, covered entities and their business associates must identify where ePHI is created, received, maintained, or transmitted, identify the threats and vulnerabilities that could affect it, assess likelihood and impact, implement reasonable and appropriate safeguards, and document the whole process.
The risk analysis requirement is defined in 45 CFR §164.308(a)(1)(ii)(A).
Why Dental Practices Face Elevated HIPAA Risk
Dental offices often have concentrated risk due to limited IT resources, high reliance on vendors, and a mix of legacy and cloud systems. Common exposure points include front-desk phishing, shared workstations, remote access, and imaging software.
For current breach trends and reporting data, review the HHS OCR breach reporting tool.
What Many HIPAA Risk Assessments Get Wrong
- Using a generic template without practice-specific analysis
- Failing to inventory all systems and workflows that touch ePHI
- Ignoring vendor and Business Associate risks
- Scoring risk without documenting rationale or evidence
- Not producing a remediation plan with owners and timelines
- Not updating the assessment after technology or workflow changes
How to Perform a HIPAA Risk Assessment the Right Way
Step 1: Inventory All Locations Where ePHI Exists
Document every location where ePHI is created, received, maintained, or transmitted. This includes systems, devices, storage locations, and vendor platforms.
- Practice management and EHR systems
- Imaging systems (digital X-rays, CBCT, intraoral scanners)
- Email systems, patient portals, texting solutions
- Workstations, laptops, tablets, mobile devices
- Cloud backups, file storage, and disaster recovery platforms
- Billing, claims, and clearinghouse integrations
- Remote access tools and managed IT platforms
Step 2: Identify Threats and Vulnerabilities
Identify realistic threats and the vulnerabilities that enable them. Use evidence from your environment, vendor documentation, and observed staff workflows.
- Phishing and credential theft
- Ransomware and malware infection
- Unpatched systems and unsupported operating systems
- Weak passwords, shared accounts, missing MFA
- Lost or stolen devices without encryption
- Misconfigured cloud storage or backups
- Over-permissioned user access to ePHI
Step 3: Assess Likelihood and Impact
For each risk, document likelihood and impact. Impact should account for patient privacy harm, operational downtime, financial losses, and regulatory consequences. Your scoring should be consistent and justified with clear reasoning.
- Likelihood: Rare, possible, likely
- Impact: Low, moderate, high
- Risk level: Based on likelihood × impact with documented rationale
Step 4: Evaluate Existing Safeguards
Document the safeguards you currently have across administrative, physical, and technical controls, and identify gaps. HHS provides an overview of the HIPAA Security Rule safeguards at: HHS HIPAA Security Rule.
Administrative Safeguards
- Security management process and policies
- Workforce training and sanctions
- Access authorization and termination procedures
- Incident response and breach notification process
- Business Associate management and oversight
Physical Safeguards
- Facility access controls
- Workstation use and security
- Device and media controls (disposal, re-use, inventory)
Technical Safeguards
- Unique user IDs and role-based access
- Multi-factor authentication (MFA) where feasible
- Encryption for data at rest and in transit (a lost or stolen device whose ePHI was encrypted consistent with HHS guidance is generally not a reportable breach, which is why device encryption ranks so high for practices with laptops and tablets)
- Audit logging and monitoring
- Secure backups and tested restore procedures
Step 5: Determine Residual Risk and Decide on Treatment
After accounting for existing safeguards, document the residual risk for each item and choose a treatment: remediate (remove the vulnerability, for example by encrypting the device or retiring the unsupported system), reduce (add compensating controls that lower likelihood or impact), transfer (contractual vendor controls or cyber insurance; transfer shifts cost, not your compliance obligation), or accept (only with a documented rationale and sign-off). Residual risk can never be higher than inherent risk; if your scoring shows that, the safeguards review is wrong.
Step 6: Build a Risk Management Plan
Convert findings into a tracked remediation plan. Your plan should identify the action, owner, deadline, and completion evidence.
- Prioritize high-risk items first (credential security, backups, patching, remote access)
- Assign a specific owner for each task
- Set realistic but firm deadlines
- Document proof of completion (screenshots, policy updates, vendor confirmations)
Step 7: Document the Assessment for Audit Defensibility
Maintain a complete record of your risk analysis methodology, evidence, findings, and remediation status. OCR describes risk analysis as an ongoing process. See: OCR Risk Analysis Guidance.
- Scope and ePHI inventory
- Methodology and scoring model
- Risk register with rationale
- Safeguards review and gaps
- Remediation plan and status tracking
- Review cadence and change triggers
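The scoring model in Step 3, the residual risk and treatment decisions in Step 5, and the owner, deadline and evidence requirements in Steps 6 and 7 can be kept in a structured risk register and checked mechanically, which catches exactly the documentation failures listed earlier (scores without rationale, plans without owners, accepted risks with no justification). The following Python is an added example written for this guide; it is not an HHS or OCR tool and not part of the original text. The numeric weights behind the ordinal scales, the low/moderate/high banding thresholds, the rule that a high residual risk may not be accepted, and the four register entries are all constructed assumptions for a hypothetical practice.

```python
# Added example: a risk register that applies the guide's likelihood x impact
# model and checks each entry for the documentation gaps listed above.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}   # numeric weights are assumed
IMPACT = {"low": 1, "moderate": 2, "high": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..9 scale; a value off the scale raises KeyError."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Band the score: low (1-2), moderate (3-4), high (6-9). Bands are assumed."""
    score = risk_score(likelihood, impact)
    return "high" if score >= 6 else "moderate" if score >= 3 else "low"


@dataclass
class Risk:
    risk_id: str
    ephi_location: str              # Step 1 inventory item the risk applies to
    threat: str                     # Step 2
    vulnerability: str
    likelihood: str                 # inherent scores, before safeguards (Step 3)
    impact: str
    rationale: str                  # why these scores were chosen
    safeguards: list[str] = field(default_factory=list)   # existing controls (Step 4)
    residual_likelihood: str = ""   # after safeguards (Step 5); blank = unchanged
    residual_impact: str = ""
    treatment: str = "remediate"    # remediate / reduce / transfer / accept
    treatment_rationale: str = ""   # mandatory when a risk is accepted
    owner: str = ""                 # remediation plan fields (Step 6)
    deadline: date | None = None
    evidence: str = ""
    completed: bool = False

    def residual(self) -> tuple[str, str]:
        return (self.residual_likelihood or self.likelihood, self.residual_impact or self.impact)


def validate(r: Risk) -> list[str]:
    """Documentation gaps for one entry; an empty list means it is defensible as written."""
    gaps: list[str] = []
    inherent, resid = risk_score(r.likelihood, r.impact), risk_score(*r.residual())
    if not r.rationale.strip():
        gaps.append("no scoring rationale")
    if resid > inherent:
        gaps.append("residual risk exceeds inherent risk")
    if resid < inherent and not r.safeguards:
        gaps.append("residual lowered without a listed safeguard")
    if r.treatment == "accept":
        if not r.treatment_rationale.strip():
            gaps.append("accepted without documented rationale")
        if risk_level(*r.residual()) == "high":
            gaps.append("high residual risk accepted")   # assumed practice policy
    else:
        if not r.owner:
            gaps.append("no owner")
        if r.deadline is None:
            gaps.append("no deadline")
        if r.completed and not r.evidence.strip():
            gaps.append("marked complete without evidence")
    return gaps


def prioritize(register: list[Risk]) -> list[str]:
    """Open items in remediation order: highest residual score first, inherent score breaks ties."""
    open_items = [r for r in register if not r.completed]
    open_items.sort(key=lambda r: (risk_score(*r.residual()), risk_score(r.likelihood, r.impact)),
                    reverse=True)
    return [r.risk_id for r in open_items]


def sample_register() -> list[Risk]:
    """Four constructed entries for a hypothetical practice, not real findings."""
    return [
        Risk("R-01", "front-desk email", "phishing", "staff open unexpected attachments",
             "likely", "high", "two phishing emails reached the front desk last quarter",
             safeguards=["phishing training", "MFA on email"], residual_likelihood="possible",
             treatment="reduce", owner="office manager", deadline=date(2026, 3, 31)),
        Risk("R-02", "hygienist laptop", "device loss or theft", "no full-disk encryption",
             "possible", "high", "laptop leaves the building with exported charts",
             owner="IT vendor", deadline=date(2026, 2, 15)),
        Risk("R-03", "cloud backup bucket", "unauthorized access", "bucket readable by all staff",
             "possible", "high", "backup holds the full practice database",
             safeguards=["bucket restricted to the backup service account"], residual_likelihood="rare",
             treatment="reduce", owner="IT vendor", deadline=date(2026, 1, 31),
             evidence="bucket policy screenshot, 2026-01-20", completed=True),
        Risk("R-04", "CBCT imaging workstation", "malware", "vendor software pinned to an end-of-life OS",
             "likely", "moderate", "OS no longer receives security patches",
             treatment="accept"),   # no treatment_rationale: validate() flags it
    ]


if __name__ == "__main__":
    for r in sample_register():
        print(r.risk_id, validate(r) or "OK")
    print("remediation order:", prioritize(sample_register()))
```

Run as a script, the register reports R-01 to R-03 as OK and flags R-04 twice (accepted with no rationale, and accepted while its residual risk is still high), and the remediation order puts the phishing risk first because its inherent score breaks the tie with the laptop. The residual-exceeds-inherent check is the one to keep even if you simplify everything else: a register that produces it has a broken safeguards review, not a broken spreadsheet.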
How Often Should a Dental Practice Perform a HIPAA Risk Assessment?
- At least annually (the Security Rule requires the analysis to be kept current but does not set a fixed interval; annual is the accepted baseline)
- After material changes (new EHR, new imaging, cloud migration, new vendor)
- After security incidents, near-misses, or ransomware events
- When expanding locations or adding new workforce roles
DIY vs Third-Party HIPAA Risk Assessments
DIY Risk Assessments
- Lower upfront cost
- Higher chance of incomplete scope and weak documentation
- Often lacks technical validation and vendor risk analysis
Third-Party Risk Assessments
- Objective methodology and stronger defensibility
- Practice-specific findings and prioritized remediation
- Better alignment with OCR expectations
Frequently Asked Questions
Is a HIPAA risk assessment required for dental practices?
Yes. Covered entities must conduct an accurate and thorough risk analysis of risks to ePHI under 45 CFR §164.308(a)(1)(ii)(A).
Is a HIPAA checklist enough?
No. A checklist may help track controls, but a risk assessment must identify ePHI locations, evaluate threats and vulnerabilities, assess likelihood and impact, and document risk decisions and remediation.
Can my IT provider perform the HIPAA risk assessment?
An IT provider can assist, but the dental practice remains responsible as the covered entity. An IT provider with access to your ePHI is also a business associate and must be under a signed Business Associate Agreement. Whoever performs the work, the output should be defensible, specific to your environment, and supported by documentation and a remediation plan.
What happens if a dental practice skips the risk assessment?
Skipping risk analysis increases compliance exposure and is commonly cited in OCR investigations and settlements, especially after breaches. Review breach trends at the HHS OCR breach reporting tool.
Conclusion
A proper HIPAA risk assessment for a dental practice is a repeatable process: inventory ePHI, identify threats and vulnerabilities, score likelihood and impact, document safeguards, determine residual risk, and execute a remediation plan. Doing it right improves operational resilience, reduces breach risk, and strengthens audit defensibility.