Do I only need to do a risk analysis once?

No. To comply with HIPAA and MU incentive program, you must continue to review, correct or modify, and update security protections at least every year.