Security Risk Assessment

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. To learn more about the assessment process and how it benefits your organization, click here, visit the Office for Civil Rights' official guidance.

New! Security Risk Assessment Tool Version 3.0

ONC, in collaboration with the HHS Office for Civil Rights (OCR), developed a new version of the downloadable Security Risk Assessment Tool (SRA Tool) to help guide you through the process.

Download Version 3.0 of the SRA Tool [.msi - 71.8 MB]

Download the XML update file [XML -323 KB]

For details on how to use the tool, download the SRA Tool User Guide [PDF - 2.2 MB]*.

Watch videos on contingency planning and what a risk assessment may involve

Read the HHS Press Release on release of SRA Tool 3.0 in October 2018.

Legacy Version: Security Risk Assessment Tool Version 2.0

Note that you can’t directly transfer data from 2.0 to 3.0, but can upload certain portions (e.g., lists of assets and BAs).  Refer to the SRA Tool User Guide 3.0 for more information.

Download Former SRA Tool 2.0

Download the SRAT 2.0 event files from the April 29 Webinar [ZIP - 4 MB]

Download the SRA Tool 2.0 User Guide [PDF - 4.5 MB]

From 2015: Watch videos on what a risk assessment may involve, and learn how to use the SRA Tool 2.0 by watching the SRA Tool Tutorial video. 

From 2015: learn how to use the SRA Tool 2.0 by watching the SRA Tool Tutorial video.

Download the SRA Tool 2.0 User Guide [PDF - 4.5 MB]

Paper-based version of the SRA 2.0 tool is also available:


*Persons using assistive technology may not be able to fully access information in this file. For assistance, contact ONC at


The Security Risk Assessment Tool at is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: The NIST Standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.

Content last reviewed on November 15, 2018
Was this page helpful?