Revised HIPAA Security Risk Assessment Tool Now Available

Ebony Brice and Nick Heesters | October 13, 2016

As we mark National Cyber Security Awareness Month, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool. The tool’s new features make it even more useful in assisting small and medium-sized health care practices and business associates in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Health Care Organizations of All Sizes are at Risk of Data Breaches

If you’re a provider in a small or medium-sized practice, or a small business providing assistance to health care providers or plans, you may think data breaches happen only to large organizations. But the reality is that everyone is at risk, regardless of size.

That’s why the HIPAA Security Rule requires all covered entities and business associates to perform a security risk analysis to accurately and thoroughly assess the potential risks and vulnerabilities of all electronic protected health information (ePHI) created, received, maintained, or transmitted. ONC and OCR created the SRA Tool in 2014 to help small and medium-sized practices and small business associates conduct those analyses.

Avoid Becoming another Breach Headline

Take advantage of the latest tool by downloading the updated version of the SRA Tool today. See how the new features can help streamline your security risk analysis process and support your organization’s security compliance.

Be Ready for OCR Inquiries

Conducting regular security risk analyses, and remediating any vulnerability, is a fundamental requirement of HIPAA Security Rule compliance. In fact, OCR conducts audits of entity compliance focused on this standard. This tool helps HIPAA-regulated entities assess their risks and document that assessment. Learn more about HIPAA Security Rule compliance.

Streamline Your Risk Analysis Activities

The SRA Tool takes you through each HIPAA Security Rule requirement by presenting a series of questions about your organization’s activities. Your “yes” or “no” answer will show you if you need to take corrective action for that particular item.

Resources are included with each question to help you:

  • Understand the context of the question;
  • Consider the potential risks and vulnerabilities for your ePHI if the requirements are not met; and
  • See the actual requirements language of the HIPAA Security Rule.

You can use the tool as your local repository for your answers, comments, and plans. Your answers are stored wherever you store the tool and neither OCR nor ONC can access your answers. You can use the tool as often as you need to reassess your organization’s health information security risks. We encourage you to conduct risk assessments on an annual basis.

Revised SRA Tool is Easier to Use

In response to user feedback, the updated SRA Tool now features:

  • Compatibility with additional versions of Windows – Windows 8.0, 8.1, and 10;
  • A Save As feature that lets you save your assessment to a different location, or share it with colleagues; and
  • Reporting improvements that upgrade the look and functionality of your PDF reports while giving you more options for what you can include in the report.

A revised User Guide is also available.

Share Your Feedback

As always, we look forward to hearing your feedback. Please send your comments or questions about the SRA Tool to and