HHS Updates Security Risk Assessment Tool to Help With HIPAA Security Rule Compliance


· 5 minute read


· 5 minute read

Security Risk Assessment Tool; Security Risk Assessment Tool v3.4 User Guide (Sept. 5, 2023)


User Guide

HHS has announced an updated version of its interactive Security Risk Assessment (SRA) Tool. The SRA Tool, first developed in 2014, is designed to help health care providers conduct a security risk assessment as required by the HIPAA Security Rule. The SRA Tool presents questions about the user’s organization, with answers that show whether corrective action is necessary to comply with the HIPAA Security Rule. The associated User Guide notes that the target audience for the SRA Tool is small and medium health care providers but observes that health plans and business associates must also conduct risk analyses and implement technical, physical, and administrative safeguards to protect electronic protected health information (ePHI).

The SRA Tool is a software application that can be downloaded free of charge from the agency’s website and run on a user’s computer. The SRA Tool is self-contained: input is stored on the user’s computer for future reference and report generation, and nothing is sent to HHS or anywhere else. The latest version of the SRA Tool includes a new optional remediation report, which gives users the opportunity to document a plan for improvement, assign responsibilities, and track deadlines. Additional enhancements include a glossary page that collects terms and definitions in one place for easy access, and tips embedded in the content that provide more information without leaving the page. The release also adds new references and updated links to the 2023 Health Industry Cybersecurity Practices, along with bug fixes and stability improvements.

EBIA Comment: HHS offers resources to help organizations comply with the security rule, including the SRA Tool, which may help covered entities and business associates to consider the many facets of a risk assessment. Enforcement of the HIPAA Security Rule is a high priority for OCR, as demonstrated by recent settlements and audit protocol. HHS resolution agreements have required covered entities to conduct a risk assessment to identify vulnerabilities and threats to ePHI, and if necessary, diligently implement safeguards and mitigation plans. This version of the SRA Tool highlights the importance of remediating risks identified in a risk assessment by addressing and documenting action steps, assigning responsibilities, and tracking completion dates. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.C (“HIPAA Compliance Audits by OCR”), XX.D (“Resolution Agreements”), XXIX.E (“Developing Your Security Program”), XXIX.F (“Limiting Exposure Through ‘Recognized Security Practices’”), XXX (“Core Security Requirements”), and XXXI.E (“Problems Relating to HIPAA Security”).
