On September 9, 2025, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), in coordination with the Assistant Secretary for Technology Policy (ASTP), announced the release of Version 3.6 of the Security Risk Assessment (SRA) Tool. The tool is designed to help healthcare providers and their business associates conduct the risk assessments required by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The SRA Tool is a free, downloadable application intended for small and medium-sized organizations. It is available as a desktop application for Windows and as an Excel Workbook version for users who prefer a spreadsheet format or need more flexibility. All data entered into the tool is stored locally on the user’s device. HHS does not collect, view, or transmit any user information.
Version 3.6 includes several updates:
- A new “reviewed-by” confirmation button to record section approvals, including usernames and dates, to support audit tracking
- A revised risk scale that aligns with National Institute of Standards and Technology (NIST) terminology, replacing “medium” with “moderate”
- Updated reports with section-specific details and refreshed disclaimers
- New library files that replace outdated components to reduce vulnerabilities
- Improvements to questions, response options, and educational content to reflect today’s cybersecurity landscape and enhance usability
To support the rollout of Version 3.6, OCR and ASTP are hosting live webinars on September 15 at 12:00 PM ET and September 16 at 3:00 PM ET. These sessions will include demonstrations of new features, walkthroughs of the updated reports, and opportunities for attendees to ask questions.
The SRA Tool remains a resource for organizations seeking to meet HIPAA requirements and improve the protection of electronic protected health information (ePHI). The tool, the Excel Workbook version, the user guide, and links to register for the webinars are available on the ASTP website.
Compliance Perspective
Issue
The HIPAA Security Rule requires covered entities and their business associates to conduct regular risk assessments as part of their security management process. The updated SRA Tool, released on September 9, 2025, is intended to assist small and medium-sized healthcare providers in meeting this requirement. Version 3.6 includes improvements such as enhanced reporting, updated risk terminology aligned with NIST standards, and a new reviewed-by confirmation feature to support audit readiness. These updates reflect the continued need for organizations to identify and mitigate evolving cybersecurity threats to ePHI, and to document risk assessment activities accurately.
Discussion Points
- Review and update your policies and procedures related to HIPAA compliance and security risk assessments. Ensure they reflect current processes for identifying threats to ePHI and incorporate guidance for using tools such as the SRA Tool v3.6. Facilities may wish to review these policies in coordination with an external consultant to ensure alignment with evolving regulatory expectations.
- Provide training on the updated SRA Tool and reinforce the importance of ongoing education related to data security and HIPAA requirements. Med-Net Academy offers the course HIPAA Security Rule Facility Access Controls, which addresses physical security measures, equipment-related risks, and contingency planning. A six-part Data Security series is also available to support broader workforce understanding of HIPAA Security Rule requirements and best practices for protecting ePHI.
- Conduct or update your facility’s security risk assessment using the latest version of the SRA Tool. Utilize the new reviewed-by feature to confirm and document approvals. Consider working with a consultant to help evaluate results, address high-risk areas, and support audit readiness. Periodically audit your assessment process to confirm it is comprehensive, consistent, and in compliance with HIPAA standards.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*