HHS Releases Version 3.6 of Security Risk Assessment Tool
A new version of the Security Risk Assessment (SRA) Tool has been released by the HHS Office for Civil Rights and the Assistant Secretary for Technology Policy. (ASTP). The SRA Tool was first released in 2014 to assist small and medium-sized healthcare providers in completing risk assessments to identify risks and vulnerabilities to electronic protected health information (ePHI). The tool walks users through the process of conducting a risk assessment, including threat and vulnerability assessments. The tool is free to use and can be downloaded as a desktop application on Windows devices or as an Excel Workbook, which presents the information in a familiar spreadsheet format.
The risk analysis requirement of the HIPAA Security Rule is one of the most important provisions for security, yet it is also the most commonly identified HIPAA violation in OCR’s data breach investigations and HIPAA compliance audits. Last year, OCR announced a new HIPAA enforcement initiative specifically targeting noncompliance with this provision and has already imposed 10 financial penalties on regulated entities under this enforcement initiative. When OCR launches an investigation of a data breach, which it does for all breaches affecting 500 or more individuals, regulated entities will be required to provide evidence that an accurate and comprehensive risk analysis has been conducted.
The SRA tool has received several updates over the years, with the latest release – version 3.6 – including enhancements and improvements based on user feedback from previous versions and the latest cybersecurity guidance.
The latest version of the SRA Tool includes the following enhancements:
- A new “reviewed-by” confirmation button that records approvals and dates for audit tracking
- An updated risk scale to align with National Institute of Standards and Technology language, changing ‘medium’ to ‘moderate’
- Enhancements to reports, which include section-specific and updated disclaimers
- Updated library files to mitigate vulnerabilities in previous versions
- Enhancements to content for questions, responses, and education
The tool is useful for small and medium-sized healthcare providers but is not suitable for guiding risk assessments at larger healthcare providers with more complex environments. The healthcare providers likely to benefit most from the tool are small physician practices and providers with limited resources. Small and medium-sized healthcare providers can benefit from using the tool, but they should be aware that the tool does not guarantee compliance with the risk analysis provision of the HIPAA Security Rule, and will not, by itself, address all risks to ePHI.
OCR and ASTP are running webinars on September 15 and September 16, 2025, to explain the updated features and answer any questions providers may have about the SRA Tool.
