By Dr. Lorne Lavine
HIPAA has changed the way dental practices need to operate. Not only do dentists need to be current on the latest technology and IT systems, but they must also ensure that they deploy those technologies in a HIPAA-compliant manner.
While we've looked at things from a technical standpoint in the past, most offices that have gone through the process of HIPAA compliance realize that there are many administrative parts of HIPAA as well. In fact, more than half of the HIPAA rules and regulations are administrative in nature.
While we will examine many of these in the coming months, there is one critical component that should be talked about first, as most HIPAA auditors will ask for this the minute they walk through the door: a copy of your most recent risk analysis.
What is a risk analysis, and why is it important? The Security Rule, at 45 CFR 164.308(a)(1)(ii)(A), is quite clear. It requires you to "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." This is a required implementation specification, not an addressable one: you must do it. Another section, 164.316(b)(2)(iii), requires you to review that documentation periodically and update it as needed in response to environmental or operational changes.
So, easy, right? Wrong! The people who wrote the rule were purposely vague about the details. They understood that a risk analysis in a dental office is much different from one in a multi-location hospital, so they left it up to the covered entity (you) to figure out the details.
I would recommend that a risk analysis consist of the following steps:
1. Determine where vulnerabilities exist.
2. Determine what threats your network faces.
3. Determine where you are at risk.
4. Collect data.
5. Identify and document threats and vulnerabilities.
6. Assess your current security measures.
7. Determine the likelihood of threat occurrence.
8. Determine the level of risk.
9. Finalize documentation.
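The last four steps are the part of the process that most offices struggle to put on paper. Here is an added example of one way to record them as a risk register; it is illustrative code written for this page, not the article's own method and not a product of The Digital Dentist. It assumes the usual approach in which each documented threat/vulnerability pair gets a likelihood rating and an impact rating (the article does not mention impact; the 1-3 scoring and the low/medium/high banding are assumptions in the style of NIST SP 800-30), and the inventory it scores is constructed sample data for a small practice, not real findings.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Ordinal scale for likelihood and impact. The 1-3 scale and the
# likelihood x impact product are assumptions (NIST SP 800-30 style);
# the article itself does not prescribe a scoring method.
SCALE = {"low": 1, "medium": 2, "high": 3}


def risk_level(score: int) -> str:
    """Band a likelihood x impact product (1..9) into low / medium / high."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class RiskItem:
    asset: str                 # where ePHI is created, stored, or transmitted
    threat: str                # what could go wrong
    vulnerability: str         # the weakness the threat would exploit
    current_controls: list[str]  # step 6: measures already in place
    likelihood: str            # step 7: rated with current controls in place
    impact: str                # effect on confidentiality/integrity/availability
    score: int = field(init=False)
    level: str = field(init=False)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"rating must be one of {sorted(SCALE)}, got {value!r}")
        self.score = SCALE[self.likelihood] * SCALE[self.impact]
        self.level = risk_level(self.score)


def build_register(items: list[RiskItem]) -> list[RiskItem]:
    """Step 8: rank the documented threat/vulnerability pairs by risk (highest first)."""
    return sorted(items, key=lambda r: r.score, reverse=True)


def uncontrolled(register: list[RiskItem]) -> list[RiskItem]:
    """Pairs with no current security measure at all; these need a remediation plan."""
    return [r for r in register if not r.current_controls]


def render(register: list[RiskItem]) -> str:
    """Step 9: a plain-text register an auditor can read. Returned, not printed."""
    lines = [f"{'Risk':6} {'Score':5} Asset / Threat / Vulnerability / Current controls"]
    for r in register:
        controls = ", ".join(r.current_controls) or "none"
        lines.append(
            f"{r.level:6} {r.score:<5} {r.asset} / {r.threat} / {r.vulnerability} / {controls}"
        )
    return "\n".join(lines)


# Constructed sample inventory for a small practice (hypothetical, not real findings).
SAMPLE_ITEMS = [
    RiskItem("practice management server", "ransomware",
             "backups kept online and unencrypted", ["endpoint antivirus"], "high", "high"),
    RiskItem("front-desk workstation", "unauthorized viewing of ePHI",
             "screen visible from waiting room", ["privacy filter", "auto-lock"], "low", "medium"),
    RiskItem("digital radiography workstation", "malware via removable media",
             "unrestricted USB ports", [], "medium", "high"),
    RiskItem("staff email accounts", "phishing / credential theft",
             "no multi-factor authentication", ["spam filtering"], "high", "medium"),
]

SAMPLE_REGISTER = build_register(SAMPLE_ITEMS)

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    print("\nNo current controls:", [r.asset for r in uncontrolled(SAMPLE_REGISTER)])
```

The point of the structure is that every row carries its own evidence: the asset, the threat, the vulnerability, what is already in place, and the ratings that produced the score. That is what an auditor is looking for when they ask for the most recent risk analysis, and re-running the same register after a change in the practice is how you satisfy the periodic-update requirement.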
There are many ways to do a risk analysis. We offer a free one on our website at www.thedigitaldentist.com/risk-assessment, and there are HIPAA professionals who can help you perform a similar assessment either remotely or onsite.
As for frequency, that is also up for debate. I recommend doing a risk analysis yearly, but if there haven't been any significant changes to your practice, you can argue that every 2-3 years is also appropriate.
Dr. Lorne Lavine, a former periodontist, is known as the leading authority on technology in the dental practice. Founder of The Digital Dentist, he has extensive hands-on experience with most practice management software, image management software, digital cameras, intraoral cameras, computers, networks, and digital radiography systems. Dr. Lavine has over 30 years invested in the dental and dental technology fields.