HHS Updates Security Risk Assessment Tool
- LA Medicine Staff
- Sep 24
The U.S. Department of Health and Human Services (HHS) has released a new and improved version of its Security Risk Assessment (SRA) Tool, designed specifically to support small and medium-sized healthcare practices in complying with the HIPAA Security Rule.
The update—developed by HHS’s Office for Civil Rights (OCR) in collaboration with the Office of the Assistant Secretary for Technology Policy—addresses longstanding usability concerns and includes new features that simplify internal tracking, enhance reporting, and better align with current cybersecurity best practices.
Why This Matters for Your Practice
A comprehensive risk assessment is one of the core requirements under HIPAA—but it also remains the most common area of noncompliance flagged by federal audits. For smaller practices with limited IT support, navigating the complexities of HIPAA can be especially challenging. The free SRA Tool aims to ease that burden.
Key Updates in Version 3.6:
- Audit-Ready Review Tracking: A new “reviewed-by” button with a built-in date stamp for each section helps document internal review and approval—ideal for audit readiness.
- Updated Risk Scoring: The risk scale now uses terminology from the National Institute of Standards and Technology (NIST), changing “medium” to “moderate” for improved consistency.
- Enhanced Reporting Features: Reports now include section-specific approval details and any user-entered information, making documentation clearer and more complete.
- Updated Libraries: Old files are automatically replaced during installation to reduce vulnerabilities and improve system integrity.
- Refined Content and Navigation: The updated tool features clearer questions, revised answer choices, and improved educational materials that reflect today’s threat landscape.
Easy Access and Local Data Storage
The tool is available in two formats:
- A downloadable Windows desktop application
- A Microsoft Excel workbook
Importantly, all data remains local to the user’s device—no information is shared with or transmitted to HHS, ensuring privacy and control for the user.
Download the Tool
Practices can download version 3.6 of the SRA Tool, along with a user guide, directly from the HHS SRA Tool webpage.
Bottom Line: For LACMA members, especially those in small or solo practice, this tool provides a practical, no-cost solution to meet HIPAA’s risk assessment requirement—while also helping prepare for potential audits.
For more resources and cybersecurity support, LACMA members can also attend our Cybersecurity in Healthcare virtual workshop on October 8, 2025. Register here for free CME.






