An upgraded version of the Security Risk Assessment (SRA) Tool has been released by the Assistant Secretary for Technology Policy (ASTP) and the HHS' Office for Civil Rights (OCR).
The SRA tool was designed to help small and medium-sized healthcare organizations meet the security risk assessment requirement of the HIPAA Security Rule. Failure to conduct a HIPAA risk assessment is the most frequently cited HIPAA Security Rule violation, and OCR currently has an active enforcement initiative targeting non-compliance. In its investigations of data breaches, complaints, and compliance audits, OCR typically finds that HIPAA-covered entities have either failed to conduct a risk assessment at all or that their risk assessments are incomplete or inaccurate, for example because the assessment was based on a partial or outdated asset inventory.
OCR launched the enforcement initiative in October 2024, when it issued the first penalty under the initiative to the Oklahoma-based Bryan County Ambulance Authority. Since then, OCR has imposed 10 financial penalties for failures to perform a risk analysis. This violation is the most common cause of security-related HIPAA civil monetary penalties and settlements.
The SRA tool is an important resource for small and medium-sized healthcare organizations because it walks them through the process of performing a risk assessment. The latest version, 3.6, includes several updates to improve usability. A new assessment verification button and a reviewed-by date for each section let users confirm that a section has been reviewed and approved, and that confirmation is stored for audit purposes.
The risk scale now aligns with NIST scoring: the "medium" rating has been renamed "moderate". Updated library data files are installed when the new version is set up, addressing vulnerabilities that may be present in out-of-date versions. Reports have been refreshed with new information, including section-specific approval/assessed-by details and additional details supplied by users. Questions, answers, and educational content have also been updated to make the SRA Tool more relevant to the evolving cybersecurity landscape and easier to use.
OCR and ASTP will host two live webinars on the SRA Tool. Experts will introduce the tool, demonstrate the new features and the improved reports, and answer questions about the tool and its new functions. The webinar will only be available until September 15, 2025.
Image credit: Kiattisak, AdobeStock / logo©ASTP