HIPAA Security Risk Analysis (SRA) Checklist for Dental Practices
2026 Edition — Updated for the HIPAA Security Rule Final Rule
The Security Risk Analysis is the first document OCR auditors request in every HIPAA investigation. A missing or outdated SRA is the #1 cited violation in dental practice audits — and under 2026 enforcement, it triggers Tier 3–4 fines starting at $4,816 per violation. Use this checklist to assess your practice before an auditor does.
43 checklist items
$4,816+ minimum fine for a missing SRA
#1 OCR audit finding in dental practices
2026 Update: The HIPAA Security Rule Final Rule now requires your SRA to explicitly document MFA status, encryption coverage, annual penetration testing results, and biannual vulnerability scan results. Existing SRAs that predate 2026 are considered incomplete.
ADA Official Partner — Recommended for Dental Practice in your area
Get Your Practice 100% HIPAA Compliant in 2026
Compliancy Group is the only HIPAA solution officially endorsed by the American Dental Association. Their Compliance Coach walks your practice through every requirement — and their Seal of Compliance proves you're audit-ready.
1. Administrative Safeguards
8 items
- Designated a HIPAA Security Officer (name documented)
- Completed a formal Security Risk Analysis within the last 12 months
- Documented a Risk Management Plan based on SRA findings
- Maintained workforce training records (date, attendees, topics covered)
- Established and documented a Sanction Policy for staff HIPAA violations
- Reviewed and updated policies for information access management
- Established procedures for workforce clearance (background checks, access levels)
- Documented contingency plan including data backup and disaster recovery procedures
2. Physical Safeguards
6 items
- Implemented facility access controls (locked server rooms, reception barriers)
- Documented workstation use policies (screen locks, privacy screens)
- Established workstation security procedures (auto-logout, physical cable locks)
- Documented device and media disposal procedures (hard drive wiping/shredding)
- Maintained log of all hardware containing or accessing ePHI
- Restricted physical access to areas where ePHI is stored or displayed
3. Technical Safeguards
9 items
- Implemented unique user IDs for every staff member accessing ePHI
- Enabled Multi-Factor Authentication (MFA) on all ePHI systems — required 2026
- Established automatic logoff on all workstations and devices
- Encrypted all ePHI at rest (servers, laptops, backup drives)
- Encrypted all ePHI in transit (email, patient portals, lab transfers)
- Implemented audit controls and access logs on all ePHI systems
- Completed annual penetration testing — new 2026 requirement ($3,000–$8,000)
- Completed biannual vulnerability scans — new 2026 requirement
- Documented network asset inventory (all devices that touch ePHI)
4. Business Associate Agreements (BAAs)
8 items
- Signed BAA with billing company or clearinghouse
- Signed BAA with IT/managed services provider
- Signed BAA with cloud storage or EHR vendor
- Signed BAA with dental imaging or CBCT lab
- Signed BAA with patient communication platform (reminders, portals)
- Signed BAA with remote monitoring platform (if applicable)
- Signed BAA with dental financing company (if applicable)
- Reviewed that all BAAs are current (not expired, not pre-2013 legacy versions)
5. Breach Notification Readiness
6 items
- Established internal breach identification and escalation procedures
- Documented 60-day breach notification timeline for patients
- Identified HHS reporting contact and process for breaches over 500 records
- Established media notification procedure for large breaches
- Maintained breach log (including breaches affecting fewer than 500 individuals)
- Tested breach response plan within the last 12 months
6. Notice of Privacy Practices (NPP)
6 items
- NPP updated to reflect 2026 HIPAA Security Rule changes
- NPP posted in waiting room and available at front desk
- NPP posted on practice website
- Patient signature obtained and documented at first visit
- Translated NPP available for non-English-speaking patient populations (if applicable)
- NPP reviewed by qualified HIPAA counsel within the last 12 months
After Completing Your Checklist
All items checked: Your practice has a strong SRA foundation. Document the completion date and schedule your next review for 12 months from now.
1–5 gaps found: Address each gap with a documented remediation plan. Missing BAAs and MFA are the highest-priority items to fix first.
6+ gaps found: Your practice has significant exposure. OCR auditors treat multiple simultaneous gaps as evidence of systemic non-compliance — the threshold for Willful Neglect fines. A managed compliance program can close all gaps within 30 days.
Frequently Asked Questions — HIPAA SRA for Dental Practices
What is a HIPAA Security Risk Analysis (SRA)?
A Security Risk Analysis is a required assessment under the HIPAA Security Rule (45 CFR § 164.308(a)(1)) that identifies potential risks and vulnerabilities to electronic protected health information (ePHI). Every covered dental practice must complete one — and update it whenever there is a significant operational or environmental change.
How often do dental practices need to update their SRA?
The HIPAA Security Rule requires practices to review and update their SRA periodically and when environmental or operational changes occur. OCR recommends at minimum an annual review. Practices that have not conducted an SRA in over 12 months are considered high-risk in OCR audits.
What happens if a dental practice doesn't have an SRA?
Missing or outdated SRAs are the #1 finding in OCR HIPAA audits. Fines start at $4,816 per violation (Tier 3) and reach $14,602+ per violation (Tier 4 — Willful Neglect) if the practice has never conducted one. Under 2026 HIPAA enforcement, a missing SRA is treated as evidence of willful neglect.
Can I complete the SRA myself or do I need a vendor?
Small dental practices can complete a basic SRA using HHS's free SRA Tool. However, for practices with 10+ employees, electronic health records, or cloud-based systems, OCR recommends using a qualified compliance vendor. The ADA's recommended partner, Compliancy Group, includes a guided SRA as part of their compliance platform.
What does the 2026 HIPAA Security Rule add to SRA requirements?
The 2026 HIPAA Security Rule update explicitly requires that the SRA now document: network asset inventory, encryption status of all ePHI systems, MFA deployment status, annual penetration testing results, and biannual vulnerability scan results. Practices whose existing SRA does not cover these areas are considered non-compliant.
Don't Complete Your SRA Alone
The ADA's recommended HIPAA compliance partner guides dental practices through a complete, documented SRA — and maintains it for you year over year.