HIPAA Risk Analysis for a Dental Practice
5 min read · Last reviewed May 22, 2026
Why a dental practice has to do this at all
The HIPAA Security Rule applies to every covered entity that creates, receives, maintains, or transmits electronic protected health information (ePHI). Dental practices are health care providers under 45 CFR 160.103, and the moment a practice files an electronic claim or sends a digital X-ray through a cloud imaging vendor, it has ePHI in motion.
The Security Rule's first administrative safeguard is the risk analysis at 45 CFR 164.308(a)(1)(ii)(A)(1)(ii)(A)): an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity. That is the statutory anchor. Nothing about it is specialty-specific, which is exactly why dental practices often delay it: they assume HIPAA is something hospitals worry about.
The U.S. Department of Health and Human Services has explicitly told dental practices otherwise. The HHS Office for Civil Rights publishes specialty-neutral Guidance on Risk Analysis, and the joint HHS/ONC Security Risk Assessment Tool was designed with small dental and medical practices in mind.
Scoping the ePHI inventory
The first move is a written inventory of every system that touches ePHI. For a typical solo or small-group dental practice that usually means:
- Practice management software (Dentrix, Eaglesoft, Open Dental, Curve, Carestream)
- Imaging systems and digital sensors (Dexis, Sirona, Carestream, Planmeca)
- Cloud backup and offsite archive vendors
- E-claims clearinghouse
- Email service and any documents that contain patient names or treatment notes
- Mobile devices used to view schedules or radiographs after hours
- Reception/check-in tablets and kiosks
- Any third party that pulls reports, manages collections, or runs marketing campaigns using patient lists
For each system you write down what ePHI it holds, where the data physically lives, who can access it, how it is backed up, and whether the vendor has signed a Business Associate Agreement under 45 CFR 164.504(e)).
The Security Rule sections you must address
Risk analysis must consider all three safeguard categories in the Security Rule. The OCR guidance walks through them:
- Administrative safeguards at 164.308: workforce training, sanction policy, access management, contingency planning, evaluation.
- Physical safeguards at 164.310: facility access controls, workstation use and security, device and media controls.
- Technical safeguards at 164.312: access control, audit controls, integrity, person or entity authentication, transmission security.
A dental practice's analysis must address each standard and each implementation specification. For required specifications the practice has to implement them; for addressable ones the practice has to implement, document an equivalent alternative, or document why the specification is not reasonable and appropriate. The decision and reasoning must be written down — OCR's audit protocol asks for that documentation directly.
Dental-specific threat scenarios worth analyzing
Generic SRA templates miss the workflows that actually create risk in a dental office. Examples worth thinking through:
- Treatment-room workstations with unlocked screens visible to the patient and the next patient walking in
- Intraoral cameras and digital sensors that cache images locally before sync
- A shared "front-desk" Windows login that no one ever changes when staff turn over
- Mobile phone photos of treatment plans, retainers, or X-rays texted to a lab
- Imaging-vendor cloud accounts that auto-provisioned without a signed BAA at install
- Hygienist laptops or tablets carried between rooms with no full-disk encryption
- USB sticks used to ferry panoramic films to a specialist or referring orthodontist
- After-hours emergency access from personal devices, with no MFA on the practice-management VPN
- Marketing automation tools that pull "patients due for recall" reports
For each of those, the risk analysis asks: what is the threat, what is the likelihood, what is the impact, what is the current safeguard, and what is the residual risk after that safeguard? OCR has called out the lack of this kind of specificity in its enforcement summaries (see the Enforcement Highlights page, which lists Resolution Agreements where "no enterprise-wide risk analysis" was a core finding).
How NIST frames the same work
NIST SP 800-66 Revision 2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide for Regulated Entities, walks through risk analysis using the NIST SP 800-30 framework: identify threat sources, threat events, vulnerabilities, predisposing conditions, likelihood, impact, and resulting risk. A small dental practice does not need a full enterprise treatment, but its written analysis should map cleanly back to those concepts so the documentation reads like a deliberate, defensible exercise rather than a checklist.
What "done" looks like
A defensible dental SRA package usually includes:
- The dated ePHI inventory and scope statement
- The threat-and-vulnerability list with likelihood and impact ratings
- A safeguard inventory mapped to each Security Rule standard
- A risk register with residual risks and a remediation plan
- A written record of addressable-specification decisions
- Sign-off by the dentist owner or designated Security Official under 164.308(a)(2)(2))
- A re-evaluation cadence per 164.308(a)(8)(8))
That documentation is the asset OCR asks to see when an audit request lands. It is also the artifact the practice can hand to a payer requesting evidence of a current HIPAA Security Risk Analysis.
Where D3rx fits
D3rx SRA Binder Studio is a documentation aid for exactly this workflow. It walks a small practice through the Security Rule one specification at a time, asks for evidence in plain English, and assembles the resulting binder so the practice can review, edit, and adopt it. It does not certify a practice or guarantee an audit outcome. The practice remains responsible for the substance of every answer.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR 160.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
- 45 CFR 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- Guidance on Risk Analysishttps://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
- Security Risk Assessment Toolhttps://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- 45 CFR 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
- 164.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- 164.310https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
- 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- audit protocolhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
- Enforcement Highlights pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- SP 800-66 Revision 2https://csrc.nist.gov/pubs/sp/800/66/r2/final
- SP 800-30https://csrc.nist.gov/pubs/sp/800/30/r1/final
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Risk Analysis for a Primary Care Practice
5 min readFoundationsHow Often Should a Practice Conduct a HIPAA Risk Analysis?
6 min readFoundationsHIPAA Security Rule vs Privacy Rule: A Plain-English Map
5 min readVendors and BAAsBAA Vendor List: Which Vendors a Small Practice Needs to Sign With
5 min readRelated across the archive
- SRAHIPAA Risk Analysis for a Primary Care PracticeWhat a primary care practice owes under 45 CFR 164.308(a)(1)(ii)(A): ePHI scope, threats specific to family medicine and internal medicine workflows, and a Security Rule mapping that holds up to OCR's audit protocol.
- SRAHow Often Should a Practice Conduct a HIPAA Risk Analysis?What 45 CFR 164.308(a)(8) requires for periodic evaluation, what HHS guidance says about cadence, and the practical pattern most small practices land on.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- SRAHIPAA Risk Analysis for a Mental Health PracticeWhat therapists, psychologists, and psychiatry practices need in a HIPAA Security Risk Analysis, including the psychotherapy notes carve-out at 45 CFR 164.501 and 164.508(a)(2).
- GlossarySecurity Risk AnalysisThe accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI required by the HIPAA Security Rule.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.