HIPAA Security Risk Analysis: Complete Guide for Dental Practices (2026)

What Is a HIPAA Security Risk Analysis?

A Security Risk Analysis (SRA) is a formal assessment required under 45 CFR § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. It identifies potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) in your practice.

The SRA is not a checklist you can fill out in an afternoon. It's a documented process that must assess every system, device, and process in your practice that creates, receives, maintains, or transmits ePHI.

Unlike some HIPAA requirements that allow for flexibility in implementation, the SRA is mandatory — there is no exception, no alternative, and no workaround. Practices that claim they're 'too small' to need one are wrong. OCR has fined solo practitioners for missing SRAs.

What Your SRA Must Cover in 2026

The 2026 Security Rule Final Rule significantly expanded what a compliant SRA must document. Your SRA must now include:

• Scope definition: Every system, application, device, and physical location where ePHI exists or flows — including cloud systems, mobile devices, and any system accessed remotely.
• Threat identification: All realistic threats to ePHI confidentiality, integrity, and availability — including ransomware, phishing, insider threats, and physical theft.
• Vulnerability assessment: Current weaknesses in your technical, physical, and administrative controls that could allow a threat to succeed.
• Current control analysis: What safeguards you currently have in place and how effective they are against identified threats.
• Likelihood and impact ratings: A documented assessment of how likely each threat/vulnerability combination is and what the impact would be if it occurred.
• Risk level determination: An overall risk rating for each identified risk — typically High, Medium, or Low.
• MFA status (new 2026): Explicit documentation of which systems have MFA enabled and which do not, with a remediation timeline for any gaps.
• Encryption coverage (new 2026): Documentation of encryption status for all ePHI at rest and in transit across every identified system.
• Penetration testing results (new 2026): Annual penetration testing results must be incorporated into the SRA, with identified vulnerabilities and remediation status.
• Vulnerability scan results (new 2026): Biannual vulnerability scan results with remediation tracking.
• Network asset inventory (new 2026): A complete inventory of all devices that connect to your network or access ePHI — workstations, tablets, printers, X-ray machines with network connections, etc.

Who Can Complete Your SRA?

HHS provides a free SRA Tool available at hhs.gov. Small, simple practices with limited technology can use this tool and complete a basic SRA independently. However, the tool does not cover the 2026 additions (penetration testing, vulnerability scans, network asset inventory) and requires significant technical knowledge to complete accurately.

For practices with 5+ employees, any cloud-based systems, remote access capabilities, or multiple locations, OCR recommends using a qualified compliance vendor. The 2026 rule changes make it increasingly difficult for non-technical practice owners to complete a compliant SRA without expert assistance.

Important distinction: completing an SRA is not the same as remediating the risks it identifies. An SRA tells you what's wrong. A compliance program tells you how to fix it.

The Difference Between an SRA and a Risk Management Plan

These two documents are often confused, but they serve different purposes and are both required.

The SRA identifies and prioritizes risks. The Risk Management Plan (required under 45 CFR § 164.308(a)(1)(ii)(B)) documents how you will address those risks — what steps you'll take, who's responsible, and by when.

Having an SRA without a Risk Management Plan is like getting a home inspection that identifies structural issues and then ignoring the report. OCR expects to see both documents — and evidence that you're actually following the Risk Management Plan.

How Often Does Your SRA Need to Be Updated?

The HIPAA Security Rule requires practices to 'periodically' conduct the SRA. OCR interprets 'periodically' as at minimum annually. But certain events trigger an immediate SRA update regardless of when you last did one:

• Adding a new practice management software or switching EHR systems
• Implementing a new patient portal or communication platform
• Adding remote work capabilities or a new office location
• A security incident or breach (even a minor one)
• Significant staff changes, especially in the IT or billing functions
• Adding new medical equipment that connects to your network (digital X-rays, CBCT, intraoral cameras with cloud storage)
• Switching IT or managed services providers

What an OCR Auditor Looks for in Your SRA

Based on published OCR audit findings and settlement documents, here's what auditors specifically evaluate:

• Completeness: Does the SRA cover all locations, systems, and ePHI flows? Partial SRAs are treated as inadequate.
• Currency: When was the SRA completed? Is it updated for current systems and the 2026 rule changes?
• Documentation quality: Is the risk analysis process documented clearly enough to demonstrate it was actually performed? Vague, template-only responses are red flags.
• Risk Management Plan: Is there a corresponding plan that shows identified risks are being addressed?
• Evidence of implementation: Are the security controls described in the SRA actually in place? Auditors cross-reference SRA claims against technical reality.