How often should a Security Risk Analysis be performed?

HIPAA does not specify an exact frequency, but best practice (and regulatory expectation) is at least annually and whenever significant operational or technical changes occur.