New Update of Security Risk Assessment Tool Released by HHS

The Assistant Secretary for Technology Policy (ASTP) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) have introduced the revised version of the Security Risk Assessment (SRA) Tool.

The SRA tool was created to help small and medium-sized healthcare organizations meet the security risk assessment requirements of the HIPAA Security Rule. Failure to conduct a HIPAA risk assessment is the most frequently observed HIPAA Security Rule violation, and OCR currently runs an enforcement initiative focused on this form of noncompliance. In investigating data breaches, compliance audits, and complaints, OCR often finds that HIPAA-regulated entities have either failed to perform a risk assessment or performed one that is erroneous or incomplete, for instance a risk assessment based on an incomplete or out-of-date asset inventory.

OCR announced the enforcement initiative in October 2024, when it imposed the first penalty under the initiative on Bryan County Ambulance Authority in Oklahoma. Since then, OCR has issued 10 financial penalties for failures to perform a risk analysis.

The SRA tool is a valuable resource for small and medium-sized healthcare organizations, since it guides them through the process of performing a risk assessment. The new version 3.6 includes several changes to improve functionality. An assessment confirmation button and a reviewed-by date have been added to every section, allowing users to confirm that a section was reviewed and accepted; this information is retained for audit records.

The risk scale was revised to align with the NIST rating scale: the “medium” rating was renamed “moderate”. Updated library documents are installed along with the new version, mitigating vulnerabilities that may be present in obsolete versions. The reports were updated with new content, such as section-specific confirmation and reviewed-by details and additional user-entered information. Questions, responses, and educational content were also improved to keep the SRA Tool relevant to the changing cybersecurity landscape and to make it easier to use.

OCR and ASTP will host two live webinars on the SRA Tool. Experts will discuss the SRA tool, demonstrate its new features and enhanced reports, and answer questions about the tool and its new capabilities. The last of the webinars takes place on September 15, 2025.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone