Do Dental Practices Need a HIPAA Risk Assessment? (2026)

And "your practice" includes the solo office with one dentist and a front-desk coordinator. The risk analysis isn't a suggestion or an industry best practice; it is written into the rule as a requirement, and it is the first thing federal investigators ask to see.

In a hurry? The free HIPAA Risk Scorecard shows you where your own practice stands in about three minutes: Check my practice →. If you'd rather understand the why first, read on.

Here is how that plays out, and what to actually do about it.

Start with that solo doctor. He was a gastroenterologist in Ogden, Utah, seeing about 3,000 patients a year. Back in 2013 he reported his own records vendor to OCR for locking him out of his patients' data over a billing dispute. OCR opened a review of that complaint, and the review turned back on him: it found he had never conducted a risk analysis, and that he still had not completed one even after the agency walked him through what was required. The $100,000 settlement and two years of federal monitoring followed. (HHS Resolution Agreement, Steven A. Porter, M.D., 2020.)

He is not a dentist. But to OCR, a solo physician and a solo dentist look identical: a small covered entity holding electronic patient data, answerable to the same baseline. The lesson here isn't "don't report breaches." It's that the one document that would have protected him was the one he never had.

Is your dental practice even covered by HIPAA?

Almost certainly, and the exceptions are narrower than most owners assume.

A dental practice is a HIPAA "covered entity" if it transmits health information electronically in connection with a covered transaction: submitting insurance claims, checking eligibility, sending referrals. That captures essentially every modern office that bills insurance or uses practice-management software. The American Dental Association frames it the same way in its HIPAA 20 Questions guidance for member dentists.

A few specifics worth nailing down:

• "I'm cash-pay, so I'm exempt." Rare in practice. The moment any claim, eligibility check, or referral goes out electronically, the exemption is gone. You can also be bound contractually through a participating-provider agreement with an insurer, even without filing a claim yourself.
• "I'm solo, so this is for bigger groups." A single-location office is held to the same Security Rule standard as a hospital network. A solo dentist is also required to name a HIPAA Privacy Officer and Security Officer, and the only candidate is usually you. Not designating one is itself a documentable violation, with or without a breach.

So the threshold question is settled. The real question is what the rule actually demands once you're in.

What the rule says, and what OCR actually checks first

The HIPAA Security Rule is organized around safeguards, and the very first administrative safeguard is the risk analysis. The text at 45 CFR § 164.308(a)(1)(ii)(A) reads:

Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

Two words in there carry the weight. "Required" means it is not in the flexible "addressable" category that lets you document an alternative. And "accurate and thorough" is the standard OCR measures you against, which is exactly where the Porter practice fell short.

This isn't a dormant rule. OCR has run a standing enforcement initiative around the right of access and around risk analysis, and its investigators consistently report that the absence of a completed risk analysis is the most frequent finding when they open a file. The Porter settlement is one named example of many. So is the broader pattern: when something goes wrong, the first request is "show me your risk analysis," and a missing or thin one converts an incident into a finding.

There is a second, quieter point in the Porter story. He eventually got help, and still didn't produce an adequate analysis. Doing the work badly is treated much like not doing it at all. Which leads to what "the work" actually is.

The hard part isn't running the analysis. It's knowing which gaps you have before OCR does. The free HIPAA Risk Scorecard checks the 10 areas that come up most often in OCR investigations, then you get a short written review and an introduction to a vetted specialist. Three minutes. Check my practice →

What a real dental risk analysis actually covers

A risk analysis is a documented process, not a form you sign. Done properly, it moves through a clear sequence:

This is also why a generic checklist fails the test. A checklist tracks whether you have a policy; a risk analysis evaluates whether that policy actually protects the data in your environment. OCR has said as much, and the practices that get cited often have a binder of policies and no real analysis behind them.

Your three options for getting it done

There are three honest ways to satisfy the requirement. None is wrong; they trade cost against confidence.

Option 1: Do it yourself with the free HHS tool.

• What it is. The federal government, through HHS and the ONC, publishes a free Security Risk Assessment (SRA) Tool that walks you through the questions.
• Who it fits. A very small, very hands-on practice with time and patience.
• The shortfall. It hands you a structure and a questionnaire. It does not tell you where you are actually exposed, it doesn't scan anything, and it doesn't track whether you fixed what you found. The output is only as good as the answers you put in, and most owners don't know what they don't know.
• Verdict. A legitimate starting point and far better than nothing. Treat it as the first draft, not the finished, audit-ready program.

Option 2: Lean on your IT provider or managed-services vendor.

• What it is. Your existing IT company runs or assists with the assessment.
• Who it fits. Practices that already have a capable IT partner and a signed Business Associate Agreement with them.
• The shortfall. IT skill and HIPAA-compliance skill are not the same thing. A vendor can secure your network and still miss the administrative and documentation pieces OCR weighs most heavily. And the practice, not the vendor, stays legally responsible for the result.
• Verdict. Good for the technical layer. Confirm they produce documented, audit-ready output, not just a clean firewall.

Option 3: Bring in a HIPAA compliance specialist.

• What it is. A consultancy or compliance firm conducts the analysis and helps you remediate.
• Who it fits. Owners who want it done right once and defensible if OCR ever calls.
• The shortfall. It costs more than the other two, and quality varies, so the specialist still has to fit a solo-practice budget and workflow. (For the actual numbers, here is what a dental HIPAA risk assessment typically costs.)
• Verdict. The strongest path for defensibility. A specialist assesses your specific environment and recommends a remediation plan; they don't wave a wand and make you "compliant" on their own.

If you're not sure which path fits, that's the normal place to start. The Scorecard surfaces your likely gaps first, so you can tell whether you can reasonably self-serve or whether you need a specialist. Check my practice →

How often, and the paperwork that proves it

The Security Rule treats the risk analysis as ongoing, not one-and-done. The practical standard most compliance professionals and federal programs use: complete a full analysis, then review and update it at least annually and whenever something material changes. A new practice-management system, a move to a new building, a staffing change with new access, or a security incident all reset the clock.

Documentation is not a side task; it is the deliverable. If OCR asks, "we did one" is not an answer. "Here is the dated analysis, the gaps we identified, the remediation we completed, and the annual reviews since" is. Keep it for six years.

What's changing in 2026, and what to do now

You have probably seen headlines about a "2026 HIPAA Security Rule." Here is the accurate status, because a lot of vendor content overstates it.

HHS published a Notice of Proposed Rulemaking in the Federal Register on January 6, 2025, proposing the first major overhaul of the Security Rule in over two decades. The comment period closed in March 2025. As of this writing, OCR has not published a final rule, and industry analysts now expect finalization in late 2026 or early 2027. So the changes below are proposed, not yet law.

If finalized, the overhaul would, among other things, remove much of the "addressable" flexibility and make safeguards like encryption and multi-factor authentication explicitly required, add vulnerability scanning, and compress breach-related timelines. The direction is clearly toward less discretion and more provable, documented controls.

The practical takeaway for a solo practice is simple. The existing rule already requires your risk analysis today, and the proposed changes only raise the bar. So there is no version of the next two years where doing the analysis now is wasted effort. Build it to today's requirement, and lean toward the stricter controls the proposed rule signals.

Recommendation

Treat the risk analysis as the foundation of your HIPAA program, not a box to check before an audit. It is required now, it is the first thing OCR looks for, and a missing or thin one is what turns a bad day into a six-figure settlement. For what that bad day actually looks like, see what happens when a dental practice fails a HIPAA audit and, if a breach is the trigger, what to do in the first 60 days after a breach.

Start by finding out where you actually stand. Most solo practices carry two or three HIPAA gaps they can't see. The free HIPAA Risk Scorecard checks the 10 areas that come up most often in OCR investigations, then sends you a short written review and an introduction to a vetted specialist. It takes about three minutes. Check my practice →

This is general information, not legal advice. Hipsana is not a law firm, a compliance officer, or a healthcare provider. Verify current requirements with HHS or qualified counsel before acting.

About the author

Dolev Arama is the founder of Hipsana, where he runs the HIPAA Risk Scorecard and the short practice risk reviews behind it. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. Its compliance writing starts from primary regulators (HHS, OCR, NIST) and is checked against their current text before anything goes live. More about Hipsana →

Sources

• HHS Office for Civil Rights, Resolution Agreement and press release, Steven A. Porter, M.D. (2020).
• HHS Office for Civil Rights, Resolution Agreement, Elite Dental Associates (2019).
• 45 CFR § 164.308 (eCFR, current).
• HHS, Guidance on Risk Analysis (referencing NIST SP 800-66).
• Federal Register, HHS civil monetary penalty inflation adjustment, effective January 28, 2026.
• Federal Register, HIPAA Security Rule NPRM, January 6, 2025.
• American Dental Association, HIPAA 20 Questions.