What is the Security Risk Assessment Tool (SRA Tool)?
The Office of the National Coordinator for Health Information Technology (ONC) recognizes that conducting a risk assessment can be a challenging task. That’s why ONC, in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), developed an SRA Tool to help guide you through the process. This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment. Please refer to the Security Risk Assessment Tool page for SRA Tool download link.
The SRA Tool takes you through each HIPAA requirement by presenting a question about your organization’s activities. Your “yes” or “no” answer will show you if you need to take corrective action for that particular item. There are a total of 156 questions.
Resources are included with each question to help you:
- Understand the context of the question
- Consider the potential impacts to your PHI if the requirement is not met
- See the actual safeguard language of the HIPAA Security Rule
You can document your answers, comments, and risk remediation plans directly into the SRA Tool. The tool serves as your local repository for the information and does not send your data anywhere else.
Completing a risk assessment requires a time investment. At any time during the risk assessment process, you can pause to view your current results. The results are available in a color-coded graphic view (Windows version only) or in printable PDF and Excel formats.
For details on how to use the tool, download the SRA Tool User Guide [PDF - 4.9 MB].
A paper-based version of the tool is also available:
- Administrative Safeguards [DOCX - 397 KB]*
- Technical Safeguards [DOCX - 312 KB]*
- Physical Safeguards [DOCX - 263 KB]*
*Persons using assistive technology may not be able to fully access information in this file. For assistance, contact ONC at PrivacyAndSecurity@hhs.gov.
The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.
NOTE: The NIST Standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.