Anyone who has wrestled with the HIPAA Security Rule’s risk‐analysis requirement knows that the government’s free Security Risk Assessment (“SRA”) Tool can be a practical starting point—particularly for resource-constrained practices that cannot justify a commercial governance-risk-and-compliance platform. Developed jointly by the Office for Civil Rights (“OCR”) and the Assistant Secretary for Technology Policy (“ASTP”), the SRA Tool walks the user through the core elements of a 45 C.F.R. § 164.308(a)(1)(ii)(A) risk analysis, prompting self-assessment questions on everything from facility access controls to encryption of data in transit. The output—customized reports that catalogue vulnerabilities, likelihoods, impacts, and recommended remediation—can be invaluable if (or, more accurately, when) OCR knocks on the door.
Today, OCR and ASTP released version 3.6. While the update is incremental, it contains several features that will make life easier for compliance teams, auditors, and, ultimately, regulators reviewing an organization’s risk‐analysis documentation:
- First, Version 3.6 introduces a “reviewed-by” confirmation button. Compliance officers can now record the name of the individual who approved the assessment and the date of sign-off. Given OCR’s expectation that risk analyses be “periodic and updated as needed,” this time-stamping feature could be a lifesaver during an investigation when the agency asks for evidence of ongoing governance.
- Second, the Tool now aligns its likelihood/impact taxonomy more closely with NIST by renaming the middle tier of risk from “medium” to “moderate.” The change is semantic, but it eliminates confusion for organizations that rely on NIST SP 800-30 Rev. 1 or SP 800-53A—documents that likewise use “moderate” as the midpoint on the risk continuum.
- Third, the reporting engine has been fine-tuned. Section-specific details are more granular, and the disclaimers now clarify that the Tool is not a substitute for professional legal advice (music to every lawyer’s ears).
- Fourth, the underlying libraries have been refreshed to address vulnerabilities in outdated components. If you ran a security scan on the prior version, chances are your software composition analysis tool flagged several CVEs; those should now be resolved.
- Finally, OCR and ASTP have tightened the substance of various questions and educational pop-ups. For instance, the encryption module now references the latest FIPS 140-3 standards, and the incident-response section cross-references the 2024 addition to the HIPAA Security Rule that codifies a 72-hour breach notification window for ransomware events.
To help users acclimate, OCR and ASTP will host live demonstrations on September 15 at noon ET and September 16 at 3 p.m. ET. Expect a hands-on tour of the new features, a walkthrough of the refreshed reports, and a Q&A segment that, if history is any guide, will address the perennial question: “Does completing the SRA Tool guarantee compliance?” (Spoiler: it does not, but it is a strong piece of evidence that you are taking risk analysis seriously.)
What should covered entities and business associates do now? Download version 3.6, perform at least a delta assessment against your most recent risk analysis, and memorialize the outcome—preferably invoking that new confirmation button. Remember, OCR’s enforcement posture has not softened. In recent resolution agreements, the agency has continued to cite inadequate or outdated risk analyses as a predicate violation. The updated SRA Tool is not a silver bullet, but it is low-hanging fruit. Grab it, use it, document it, and, if questions remain, consult counsel.
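For teams that want to make the "delta assessment" step concrete, the following Python sketch is an added example written for this post; it is not code from the SRA Tool, OCR, or ASTP. It assumes a simplified finding record (id, control, likelihood, impact), a three-tier risk matrix that is illustrative rather than the Tool's own scoring, and two constructed snapshots: one in the pre-3.6 vocabulary ("medium") and one in the 3.6 vocabulary ("moderate"). It normalizes the tier labels so the two snapshots compare cleanly, lists new, resolved, changed, and unchanged findings, and stamps the result with the reviewer's name and date in the spirit of the new reviewed-by button.

```python
"""Delta assessment between two risk-analysis snapshots.

Added example. The record layout, tier names, and risk matrix below are
assumptions for illustration, not the SRA Tool's own export format.
"""
from datetime import datetime, timezone
import json

# Legacy tier label used before 3.6 -> NIST-style label used from 3.6 on.
TIER_ALIASES = {"medium": "moderate"}
TIERS = ("low", "moderate", "high")

# Simplified three-tier qualitative matrix: (likelihood, impact) -> risk.
# Illustrative only; the Tool's own scoring is not reproduced here.
RISK_MATRIX = {
    ("low", "low"): "low",           ("low", "moderate"): "low",
    ("low", "high"): "moderate",     ("moderate", "low"): "low",
    ("moderate", "moderate"): "moderate", ("moderate", "high"): "high",
    ("high", "low"): "moderate",     ("high", "moderate"): "high",
    ("high", "high"): "high",
}


def normalize_tier(label: str) -> str:
    """Map 'Medium', 'moderate', etc. onto the 3.6 vocabulary; reject unknowns."""
    raw = label.strip().lower()
    tier = TIER_ALIASES.get(raw, raw)
    if tier not in TIERS:
        raise ValueError(f"unknown tier label: {label!r}")
    return tier


def rate(finding: dict) -> str:
    """Qualitative risk rating for one finding record."""
    key = (normalize_tier(finding["likelihood"]), normalize_tier(finding["impact"]))
    return RISK_MATRIX[key]


def delta_assessment(previous: list, current: list) -> dict:
    """Compare two snapshots keyed by finding id; rating changes are detected
    after both snapshots are normalized, so a 'medium' -> 'moderate' rename
    alone never shows up as a change."""
    prev = {f["id"]: f for f in previous}
    curr = {f["id"]: f for f in current}
    report = {"new": [], "resolved": [], "changed": [], "unchanged": []}
    for fid, finding in curr.items():
        rating = rate(finding)
        if fid not in prev:
            report["new"].append((fid, rating))
            continue
        old = rate(prev[fid])
        if old != rating:
            report["changed"].append((fid, old, rating))
        else:
            report["unchanged"].append(fid)
    report["resolved"] = [fid for fid in prev if fid not in curr]
    return report


def sign_off(report: dict, reviewer: str, when=None) -> dict:
    """Attach reviewer name and UTC timestamp, mirroring the reviewed-by step."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    return {
        "reviewed_by": reviewer,
        "reviewed_at": stamp,
        "summary": {k: len(v) for k, v in report.items()},
        "findings": report,
    }


# Constructed sample data (hypothetical findings, not from any real assessment).
PREVIOUS_ASSESSMENT = [  # pre-3.6 vocabulary: "Medium"
    {"id": "R-01", "control": "Encryption in transit", "likelihood": "Medium", "impact": "High"},
    {"id": "R-02", "control": "Facility access logs", "likelihood": "Low", "impact": "Medium"},
    {"id": "R-03", "control": "Backup restoration test", "likelihood": "High", "impact": "High"},
]
CURRENT_ASSESSMENT = [  # 3.6 vocabulary: "Moderate"
    {"id": "R-01", "control": "Encryption in transit", "likelihood": "Low", "impact": "High"},
    {"id": "R-02", "control": "Facility access logs", "likelihood": "Low", "impact": "Moderate"},
    {"id": "R-04", "control": "Incident-response plan review", "likelihood": "Moderate", "impact": "Moderate"},
]


def example_record() -> dict:
    """Run the delta on the constructed snapshots and sign it off."""
    report = delta_assessment(PREVIOUS_ASSESSMENT, CURRENT_ASSESSMENT)
    reviewed = datetime(2025, 9, 17, 14, 0, tzinfo=timezone.utc)  # constructed
    return sign_off(report, "J. Doe (Privacy Officer)", reviewed)


if __name__ == "__main__":
    print(json.dumps(example_record(), indent=2))
```

The JSON it emits is the kind of artifact worth keeping alongside the Tool's own reports: it shows what changed between assessments, who looked at it, and when. An unknown tier label raises rather than silently scoring, which is the behavior you want if someone hand-edits a register with a value the vocabulary does not recognize.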