HHS OCR and ASTP Release Updated Security Risk Assessment Tool and User Guide

The U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) and the Assistant Secretary for Technology Policy (“ASTP”) have released a new version (Version 3.6) of their Security Risk Assessment (“SRA”) Tool, along with an updated SRA Tool User Guide. (Note that on the date of this post, the ASTP website was down due to the federal government shutdown).

HHS developed the SRA tool to help small and medium-sized healthcare providers comply with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule. The tool assists healthcare organizations in identifying and assessing potential risks and vulnerabilities to their electronic protected health information in compliance with the HIPAA Security Rule, and provides education on cybersecurity resources and best practices.

Version 3.6 of the SRA Tool includes the following important new and updated features:

  • a new “reviewed-by” confirmation button to record approvals, approval dates and reviewers’ names for audit tracking;
  • an updated risk scale replacing the term “medium” with “moderate” for the middle tier of risk, to align with NIST standards;
  • improved reporting with section-specific details and updated disclaimers that serve to support audit readiness and legal defensibility;
  • updated library files that address vulnerabilities found in older components; and
  • improved educational content with revised questions and responses.

Although Version 3.6 builds on prior versions of the tool, the new features (in particular the reviewed-by approval tracking and the revised risk scale and reporting) may require compliance professionals to adjust how they use the tool. Organizations should consider providing training for staff involved in HIPAA risk assessment and reporting.

HIPAA compliance officers are encouraged to download the new tool along with the updated SRA Tool User Guide. Although using the SRA tool can aid in audits and demonstrate an organization's commitment to data security, it should be viewed as only one component of a broader compliance strategy. Regular reviews of policies and procedures, along with ongoing risk management and breach notification planning, are essential to HIPAA compliance.
