If you own or manage a small dental practice in Houston, the Texas Medical Center, Sugar Land, Katy, The Woodlands, or anywhere across the greater metro, the HIPAA Security Rule requires you to have a written Risk Analysis on file. Not a template. Not a checklist your software vendor printed for you. A site-specific written analysis of the actual risks to electronic protected health information in your practice.
Failure to conduct an accurate and thorough Risk Analysis is the deficiency OCR cites most often in its published resolution agreements, across covered entities of every size, and dental practices are not exempt from enforcement. OCR's published actions include a $70,000 civil money penalty against Gums Dental Care in October 2024, three separate dental practice settlements announced in September 2022, and a $10,000 dental practice settlement in October 2019. Those particular cases arose from patient right-of-access and impermissible-disclosure complaints rather than from Risk Analysis findings, but OCR's breach and compliance investigations routinely request the current Risk Analysis in the initial data request, and a compliance module bundled with practice software does not produce that document.
The regulation is short. 45 CFR 164.308(a)(1)(ii)(A) requires you to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
HHS published official Risk Analysis guidance that breaks the requirement into nine elements. Every Risk Analysis OCR will accept must address all nine. Here they are with the practical translation for a dental practice in Houston.
Element 1, scope of the analysis. You must identify every form of ePHI your practice creates, receives, maintains, or transmits. For a typical Houston dental practice, this means your practice management system (Dentrix, Eaglesoft, Open Dental, Curve), your imaging system (Dexis, Carestream, Sirona), your tablet-based patient intake, your appointment-reminder system, your email server, your billing system, the laptops your associate dentist takes home, and any cloud backup. Every place ePHI lives or moves through is in scope, including the vendors it moves through.
Element 2, data collection. HHS requires you to identify where ePHI is stored, received, maintained, or transmitted. Acceptable methods include reviewing existing projects, conducting interviews, reviewing documentation, and other data gathering techniques, and the data gathered must be documented. A populated software template is not data collection. Sitting down with your office manager and walking through every point in the patient journey where data is captured, stored, or sent is data collection.
Element 3, identify and document potential threats and vulnerabilities. Threats include intentional bad actors (ransomware, hackers, disgruntled former employees), accidental human errors (sending records to the wrong fax number), and environmental events (parts of the Houston area sit in hurricane evacuation zones, and Hurricane Harvey flooded clinics that had paper charts and on-premise servers in 2017). Vulnerabilities include unpatched software, weak passwords, unencrypted laptops, lack of multi-factor authentication, and missing physical access controls. Document them as pairs: the threat, the weakness it could exploit, and the asset from element 1 that would be affected.
Element 4, assess current security measures. You must document what you actually have in place, as configured, not as the vendor brochure describes it. This means writing down whether your practice management system enforces unique user logins, whether audit logs are enabled and someone reviews them, whether your imaging tablets auto-lock, whether the patient WiFi is segmented from the clinical network, and whether your backups are encrypted and have been test-restored. Many practices discover during this step that their existing measures are not configured the way they assumed.
Element 5, determine the likelihood of threat occurrence. For each threat-vulnerability pair, you assign a likelihood rating against written criteria, taking the controls documented in element 4 into account. Houston-specific factors here include weather events, the metro's high turnover in dental support staff, and the steady volume of phishing campaigns aimed at healthcare practices.
Element 6, determine the potential impact of threat occurrence. You assess what would happen if the threat actually triggered the vulnerability: operational downtime, financial loss, and breach-notification obligations. A ransomware event that locks your practice management system on a Tuesday morning has a different operational and financial impact than a single misplaced paper chart.
Element 7, determine the level of risk. You assign risk levels based on likelihood and impact. A common method is a low/medium/high matrix with the criteria for each rating and each cell written down. The output is a prioritized list of the actual risks your specific practice faces, which becomes the risk register that drives remediation.
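The following is an added illustration of elements 5 through 7, not code from the original page or from any vendor: a small risk register that rates each threat-vulnerability pair with documented criteria, looks the pair up in a written 3x3 matrix, and sorts the result highest risk first. The entries, the criteria text, and the matrix layout are constructed assumptions for the example; a real practice would write its own criteria and fill the register from its own element 2 data collection.

```python
"""Prioritized risk register from a documented likelihood/impact matrix.

Added example, not from the original page. The register entries below are
constructed illustrations of the kind of pairs a dental practice might record,
not findings from any real practice, and the criteria text is a placeholder for
the practice's own written definitions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Iterable, List


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Elements 5 and 6: the written criteria behind each rating. OCR expects the
# criteria to be documented, not just the labels. Assumed wording.
LIKELIHOOD_CRITERIA = {
    Level.LOW: "not expected within 5 years given current controls",
    Level.MEDIUM: "plausible within 1 to 5 years given current controls",
    Level.HIGH: "expected within 12 months, or has already happened here",
}
IMPACT_CRITERIA = {
    Level.LOW: "single record or same-day recovery, no notification duty",
    Level.MEDIUM: "multi-day disruption or a reportable breach under 500 records",
    Level.HIGH: "practice-wide outage or a breach of 500 or more records",
}

# Element 7: the matrix itself, rows are likelihood, columns are impact.
# Writing every cell out is what makes the criteria auditable.
RISK_MATRIX = {
    Level.LOW:    {Level.LOW: Level.LOW,    Level.MEDIUM: Level.LOW,    Level.HIGH: Level.MEDIUM},
    Level.MEDIUM: {Level.LOW: Level.LOW,    Level.MEDIUM: Level.MEDIUM, Level.HIGH: Level.HIGH},
    Level.HIGH:   {Level.LOW: Level.MEDIUM, Level.MEDIUM: Level.HIGH,   Level.HIGH: Level.HIGH},
}


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Element 7 lookup: the risk level for one threat-vulnerability pair."""
    return RISK_MATRIX[likelihood][impact]


@dataclass
class RiskEntry:
    asset: str              # where the ePHI lives (element 1)
    threat: str             # element 3
    vulnerability: str      # element 3
    current_controls: str   # element 4, as actually configured
    likelihood: Level       # element 5
    impact: Level           # element 6
    risk: Level = field(init=False)  # element 7, derived, never hand-entered

    def __post_init__(self) -> None:
        self.risk = risk_level(self.likelihood, self.impact)


def prioritize(entries: Iterable[RiskEntry]) -> List[RiskEntry]:
    """Highest risk first; ties broken by impact, then likelihood, so two
    reviewers sorting the same register get the same order."""
    return sorted(entries, key=lambda e: (e.risk, e.impact, e.likelihood), reverse=True)


def unaddressed_high(entries: Iterable[RiskEntry]) -> List[RiskEntry]:
    """High risks with no documented control are the first remediation items."""
    return [e for e in entries
            if e.risk == Level.HIGH and e.current_controls.strip().lower() in ("", "none")]


# Constructed sample register for a hypothetical single-location practice.
SAMPLE_REGISTER = [
    RiskEntry("practice management server", "ransomware", "unpatched OS, no offline backup",
              "none", Level.HIGH, Level.HIGH),
    RiskEntry("associate dentist laptop", "theft or loss", "no full-disk encryption",
              "password login only", Level.MEDIUM, Level.HIGH),
    RiskEntry("on-premise imaging server", "flooding during a hurricane", "ground-floor server room",
              "nightly backup to encrypted cloud storage", Level.MEDIUM, Level.MEDIUM),
    RiskEntry("front-desk fax", "misdirected fax", "manual dialing",
              "cover sheet and confirmation call for new numbers", Level.MEDIUM, Level.LOW),
    RiskEntry("clinical workstations", "lateral movement from patient WiFi", "flat network, no segmentation",
              "none", Level.MEDIUM, Level.HIGH),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.risk.name:6} {e.asset}: {e.threat} via {e.vulnerability} "
              f"[controls: {e.current_controls}]")
    print("first remediation items:", [e.asset for e in unaddressed_high(SAMPLE_REGISTER)])
```

Deriving the risk column from the matrix instead of typing it in is the point of the design: an OCR reviewer can check any row against the written criteria and reproduce the rating, and a change to the matrix re-rates the whole register consistently.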
Element 8, finalize documentation. The Security Rule does not prescribe a format, but 45 CFR 164.316(b)(1) requires the analysis to be written (electronic is fine), and 164.316(b)(2)(i) requires it to be retained for six years from the date it was created or last in effect. The document is the deliverable. If OCR sends a request letter and you cannot produce it, the Risk Analysis requirement is treated as not met.
Element 9, periodic review and updates. The Risk Analysis is not a one-time exercise. HHS requires it to be ongoing. New software, new staff, new physical locations, and new threats trigger updates. Most practices that are doing this right revisit annually at minimum, more often when something material changes.
Dentrix, Eaglesoft, Open Dental, Curve, and the others all advertise HIPAA-aware features. Most include a HIPAA module, training videos, and policy templates. None of them produce a written Risk Analysis that would satisfy the nine HHS elements above. The reasons are structural.
Software cannot interview your office manager about how the front desk actually handles new patient intake. Software cannot walk through your physical office in River Oaks or Memorial City and observe whether the imaging room is visible from the waiting area. Software cannot assess whether the cloud backup vendor your practice uses has a Business Associate Agreement that meets the regulatory standard. Software cannot decide what likelihood to assign to a hurricane evacuation scenario. These are judgment activities. They produce documentation. The documentation is what OCR audits.
If you have practice management software, it is a useful component of your overall HIPAA program. It is not a substitute for the Risk Analysis itself.
Texas has the second-largest population of dental practices in the United States. The Houston metro alone hosts more than 4,000 active dental practices spread across Harris, Fort Bend, Montgomery, Brazoria, and Galveston counties. OCR investigations are triggered by patient complaints and breach reports, so a region with this practice density, a high specialty concentration around the Texas Medical Center, and many multi-location group practices generates a steady stream of investigations, each of which opens with a request for the Risk Analysis.
Houston-specific factors that OCR investigators ask about during an audit:
A Risk Analysis that survives an OCR investigation has six characteristics:
If your practice currently has a one-page checklist signed by your software vendor, that is not a Risk Analysis. If you have a 40-page generic document with the practice name swapped in, that is also not a Risk Analysis. Both are common, and both have appeared in OCR resolution agreements as inadequate.
A defensible written Risk Analysis for a single-location small dental practice in Houston typically takes 8 to 15 hours of professional time across discovery interviews, document review, walkthrough, drafting, and review. Multi-location practices scale up from there. Practices that have never conducted one before often discover gaps during the analysis that take additional time to remediate, but those discoveries are the point of the exercise.
North Privacy Advisors offers a flat-fee written Risk Analysis service for single-location practices, scoped to deliver an OCR-defensible document mapped to the nine HHS elements above. The deliverable includes a prioritized risk register, a remediation roadmap, and a documentation package you can produce if OCR sends a request letter.
Does my Texas dental license board require a separate Risk Analysis? No. The Texas State Board of Dental Examiners does not impose a separate Risk Analysis obligation. The federal Security Rule is the operative requirement, and Texas state law adds adjacent privacy obligations rather than a parallel security analysis.
Can my IT vendor do this for me? Most cannot. IT vendors typically conduct a vulnerability scan or a network assessment, which covers the technical portion of element 4 (assess current security measures) but not its administrative and physical controls, and does not satisfy elements 1, 2, 3, 5, 6, 7, 8, and 9. A network scan is an input to the Risk Analysis, not the Risk Analysis.
How often do I need to redo this? HHS says ongoing. Practical industry guidance is annual review at minimum, with triggered updates when material changes occur (new software, new location, new partner, new staff turnover above a threshold).
What if I have not done one before? You are not unusual, and you are also exposed. The fastest path to compliant status is to commission the analysis, accept what the gaps are, and execute a written remediation plan. OCR treats practices that are actively addressing identified gaps very differently from practices that ignored the requirement entirely.
Learn more about HIPAA consulting for Houston practices or see the flat-fee Risk Analysis service. If you would rather start with a smaller engagement, the $750 Privacy Exposure Review identifies the top three gaps in your current program in a one-page memo, with no retainer commitment.
RELATED RESOURCES
Local Houston-area HIPAA advisory for dental, medical, mental health, and specialty practices. Texas-specific privacy law overlay included.
Written, OCR-defensible Risk Analysis mapped to all nine HHS elements.
Flat-fee, one-page memo identifying your top three privacy compliance risks. No retainer.
Flat-fee engagement. OCR-defensible documentation mapped to all nine HHS elements.
Book a Consultation