In 2011, the US Department of Health and Human Services (DHHS), the federal agency for enforcing HIPAA, issued a Security Risk Assessment (SRA) tool through its Office of Civil Rights (OCR). In 2019, after several updates, OCR offering its newest updated HHS SRA tool, version 3.1. The updated HHS SRA Tool contains several features that the prior tools did not contain.

What is the Updated HHS SRA Tool?

The HHS SRA toolkit is a free, online tool that the federal government claims is designed for use by small to medium sized health care practices (those healthcare provider covered entities with 1-to employees), and their business associates, to help them identify risks and vulnerabilities to ePHI.

The Office for Civil Rights claims that the tool can help these practices conduct a comprehensive, organization-wide risk assessment to identify risks to the confidentiality, integrity, and availability of PHI. The idea is that once the assessment is completed, healthcare organizations can use the information about risks that they have gathered, to improve their defenses against malware, ransomware, and other forms of cyberattack.


The updated HHS SRA Tool, Version 3.1,  was released in October of 2019 to coincide with National Cybersecurity Month, which is also in October. The updated tool includes several user-requested improvements: 

  • Vulnerability and threat validation 
  • Incorporation of NIST Cybersecurity Framework references, as applicable
  • Improved asset and vendor management features. 
  • The ability to flag questions
  • The ability to export Detailed Reports to Excel
  • Fixes for several reported glitches, to improve stability and functionality.
  • Enhanced user interface with modular workflow
  • Modular workflow
  • Custom assessment logic
  • A progress tracker

The tool is free and can be downloaded here. Currently, the tool can only be downloaded for Windows devices and is not available for the Mac OS.

As it has noted with respect to prior versions of the tool, HHS has noted, with this release, that use of the tool does not guarantee compliance with the HIPAA Security Rule risk assessment requirement. HHS further notes that the tool will only help HIPAA-covered entities and their business associates conduct periodic assessments. 

HHS also notes that All information entered into the SRA Tool is stored locally to the users’ computer or tablet. HHS does not receive, collect, view, store or transmit any information entered in the SRA Tool. The results of the assessment are displayed in a report which can be used to determine risks in policies, processes and systems and methods to mitigate weaknesses are provided as the user is performing the assessment.

Need Help with HIPAA?

Let our complete HIPAA solution handle it.