Short answer: yes. If your practice creates, receives, stores, or transmits patient health information electronically, which describes every modern dental office, federal law requires you to perform and document a Security Risk Analysis. And "we've never actually done one" is among the most common findings when a practice gets investigated: regulators repeatedly cite a missing or inadequate risk analysis in their enforcement actions.
What a Security Risk Analysis actually is
A Security Risk Analysis (SRA) is a documented, top-to-bottom review of every way electronic protected health information (ePHI) could be exposed in your practice, and what you're doing about each risk. It starts with an inventory of where ePHI lives and moves: your servers and workstations, your practice-management and imaging software, your network and Wi-Fi, your backups, your staff's habits, and your vendors. For each of those, it identifies the realistic threats and vulnerabilities, notes the safeguards already in place, rates how likely each risk is and how much damage it would do, and records the decision you made about it. That written record is the deliverable; a list of computers is not a risk analysis.
It is not a product you buy or a checkbox your software vendor ticks. It's an assessment of your specific environment: the computer at the front desk, the server in the closet, the laptop a hygienist takes home, the backup you hope is running.
It's not optional — it's in the law
The HIPAA Security Rule requires a risk analysis as a core implementation specification of the Security Management Process standard (45 CFR § 164.308(a)(1)(ii)(A)), paired with a risk management specification (§ 164.308(a)(1)(ii)(B)) that requires you to actually reduce the risks you found to a reasonable and appropriate level. Every "covered entity" has to do it, and that includes essentially every dental practice that bills or transmits claims electronically. So do their business associates, including their IT provider. Note that a business associate agreement with your IT provider does not hand off your own obligation; your practice still needs its own analysis of its own environment.
The risk analysis is the foundation the rest of HIPAA compliance is built on. You can't write sensible security policies until you know what your actual risks are.
How often do you have to do it?
HIPAA doesn't print a calendar date. What it requires is that your analysis stays current — that you review and update it periodically and whenever something material changes: a new server, a move, a new piece of software, a security incident. In practice, that means most well-run practices treat it as an annual exercise, with updates in between when things change.
A risk analysis you did once in 2019 and filed away is, for compliance purposes, not much better than never having done one.
Three myths that get practices fined
"Our practice-management software is HIPAA-compliant, so we're covered." Software being capable of compliance is not the same as your practice being compliant. HHS does not certify software as HIPAA-compliant at all; that label on a vendor's website is marketing, not a regulatory status. Dentrix or Eaglesoft can be configured securely and still sit on an unencrypted workstation with a shared password. The SRA is about your environment, not the software's claims.
"We're too small to be a target." Small practices are targeted precisely because they're under-defended. Automated ransomware doesn't check the size of your patient list before it encrypts your server.
"Our IT guy handles security." Maybe — but can they produce the documented risk analysis? If a breach happens and the HHS Office for Civil Rights asks for your SRA, "our IT guy said it was fine" is not a document.
What it costs to skip it
The failure to conduct an accurate, thorough risk analysis is one of the most frequently cited issues in HIPAA enforcement actions. Settlements for small healthcare providers have landed in the tens of thousands of dollars and up, and they typically come with a corrective action plan that puts the practice under HHS monitoring for years afterward. That's before the cost of breach notification, lost patient trust, and the days your schedule is frozen while you recover.