Security Risk Assessment Tool

What is the Security Risk Assessment Tool (SRA Tool)?

The Office of the National Coordinator for Health Information Technology (ONC) recognizes that conducting a risk assessment can be a challenging task. That’s why ONC, in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program.

Download Version 3.0 of the SRA Tool [.msi - 71.8 MB]

All information entered into the SRA Tool is stored locally on the user’s computer or tablet. HHS does not receive, collect, view, store or transmit any information entered in the SRA Tool. The results of the assessment are displayed in a report that can be used to determine risks in policies, processes and systems, and methods to mitigate weaknesses are provided as the user performs the assessment. The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.

SRA Tool Update

The updated version of the popular Security Risk Assessment (SRA) Tool was released in October 2018 to make it easier to use and apply more broadly to risks to the confidentiality, integrity, and availability of health information. The tool diagrams HIPAA Security Rule safeguards and provides enhanced functionality to document how your organization implements safeguards to mitigate, or plans to mitigate, identified risks. The new SRA Tool is available for Windows computers and laptops. However, the previous iPad version of the SRA Tool is still available from the Apple App Store (search under “HHS SRA Tool”).

The tool is now more user-friendly, with helpful new features like:

  • Enhanced user interface
  • Modular workflow
  • Custom assessment logic
  • Progress tracker
  • Threats & vulnerabilities rating
  • Detailed reports
  • Business associate and asset tracking
  • Overall improvement of the user experience

For details on how to use the tool, download the SRA Tool 3.0 User Guide [PDF - 2.2 MB]*.

Need Help?

Please leave any questions, comments, or feedback about the SRA Tool using our Health IT Feedback Form. This includes any trouble in using the tool or problems/bugs with the application itself. Also, please feel free to leave any suggestions on how we could improve the tool in the future.

 

Legacy Version: Security Risk Assessment Tool Version 2.0

Still using the old version of the tool? Download Former SRA Tool 2.0 [.exe - 91.3 MB]. Note that you can’t directly transfer data from 2.0 to 3.0, but can upload certain portions (e.g., lists of assets and BAs). Refer to the SRA Tool User Guide 2.0 [PDF - 4.5 MB]* for more information.

 

*Persons using assistive technology may not be able to fully access information in this file. For assistance, contact ONC at PrivacyAndSecurity@hhs.gov

Disclaimer

The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: The NIST Standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.

Content last reviewed on November 15, 2018