HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

HHS updates HIPAA security risk assessment tool

Written by Farah Amod | Sep 23, 2025 1:03:30 AM

A new version of the SRA Tool aims to improve HIPAA compliance and reduce common risk assessment failures.


What happened

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP) have released an updated version (v3.6) of the Security Risk Assessment (SRA) Tool. Designed primarily for small to medium-sized healthcare organizations, the SRA Tool helps providers comply with the HIPAA Security Rule by guiding them through risk assessments.

A risk analysis is a foundational HIPAA Security Rule requirement (45 CFR 164.308(a)(1)(ii)(A)). Yet OCR continues to find widespread noncompliance, often because assessments are outdated, incomplete, or were never performed. Since launching an enforcement initiative in October 2024, OCR has issued 10 financial penalties related to risk analysis failures, making it the most frequently penalized HIPAA Security Rule violation.


Going deeper

The SRA Tool was created to simplify the complex process of assessing security risks in accordance with HIPAA standards. The newly released version includes several enhancements:

  • A section review confirmation button that records a timestamp for each completed section, so reviewers can show when each part of the assessment was last examined
  • NIST-aligned risk scoring, renaming the “medium” level to “moderate” to match the likelihood and impact scale used in NIST SP 800-30
  • Updated library files (the tool’s bundled third-party components), reducing the tool’s own exposure to known vulnerabilities
  • Refreshed reporting, now including review/approval metadata and custom user inputs
  • Improved usability, with more relevant questions and educational prompts tailored to current cybersecurity trends

These changes aim to make the tool more user-friendly and more effective in helping providers meet their compliance obligations, especially as OCR continues to increase oversight.


What was said

OCR has repeatedly pointed to inadequate or missing risk assessments as a persistent issue. In many cases, risk assessments were either not performed at all or were based on outdated asset inventories, so they did not cover all systems that create, receive, maintain, or transmit ePHI. The SRA Tool is positioned as a resource for organizations seeking to avoid enforcement actions and improve their cybersecurity posture.


FAQs

Who should use the SRA Tool, and is it mandatory?

The SRA Tool is primarily intended for small to medium-sized healthcare providers and business associates. It is not mandatory, and using it does not by itself guarantee compliance; it helps an organization perform and document the risk analysis the HIPAA Security Rule requires, which must cover all ePHI the organization holds, not just a single system.


How does version 3.6 differ from previous versions?

Version 3.6 introduces usability improvements, NIST-aligned scoring (“moderate” in place of “medium”), timestamped section-review confirmations, updated bundled library files, and enhanced reporting that records review and approval metadata, making it easier to track compliance progress and document review history.


What are the most common mistakes organizations make with risk assessments?

Frequent issues include not performing a risk assessment at all, scoping it too narrowly so that it misses systems holding ePHI, using incomplete or outdated asset inventories, and failing to document reviews or mitigation steps.


Can large healthcare organizations also benefit from the SRA Tool?

Yes. While the tool is optimized for smaller providers, larger organizations may still find it useful as a baseline assessment or educational resource, although they will typically need a more comprehensive process to cover their full asset inventory and ePHI data flows.