ONC, OCR Release Security Risk Assessment Tool Version 3.4

The latest version of the Security Risk Assessment (SRA) Tool contains updated references to HICP and a remediation report to help users track responses within the tool.

By Jill McKeon

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) announced the release of version 3.4 of the Security Risk Assessment (SRA) Tool, further enhancing the user experience and helping covered entities navigate risk assessment requirements under the HIPAA Security Rule.

OCR and ONC developed the SRA Tool to help small- and medium-sized healthcare providers identify and assess risks and vulnerabilities to electronic protected health information (ePHI). The tool is a software application that organizations can download at no cost.

“As hacking and ransomware attacks continue to increase within the health care sector, it’s now more important than ever for organizations to improve their cybersecurity,” HHS stated in a press release.

Version 3.4 contains several key updates based on user feedback, including a remediation report, which allows users to track responses to vulnerabilities inside the tool and log remediation efforts. In addition, the tool now contains a glossary and tool tips section, where users can learn more information and easily navigate the tool’s features.

Other improvements include bug fixes, usability improvements, and references to the 2023 edition of the Health Industry Cybersecurity Practices (HICP) publication.

OCR and ONC last updated the SRA Tool in June 2022, when they released the SRA Tool Excel Workbook.

“This alternative version of the SRA Tool takes the same content from the Windows desktop application and presents it in a familiar spreadsheet format. The Excel Workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application,” OCR explained at the time.

“This version of the SRA Tool is intended to replace the legacy ‘Paper Version’ and may be a good option for users who do not have access to Microsoft Windows.”

This tool can help smaller organizations identify risk assessment priorities and make a plan for remediation and compliance.

“Use of this tool does not mean that your organization is compliant with the HIPAA Security Rule or other federal, state or local laws and regulations,” OCR and ONC noted. “It does, however, assist organizations with the HIPAA Security Rule requirement to conduct periodic security risk assessments.”

As previously reported, OCR is on track for more than 30,000 complaints in 2023 surrounding potential HIPAA violations. In February, HHS announced new restructuring efforts for OCR, including the formation of three new divisions to help manage its increased volume of HIPAA and HITECH complaints and compliance reviews.

OCR has made it clear that investigating potential HIPAA violations is one of its top priorities. Using the SRA Tool in conjunction with other security and privacy efforts can help covered entities mitigate risk and avoid a lengthy investigation.