ONC, OCR Release Updated Version of HHS Security Risk Assessment (SRA) Tool

Version 3.3 of the HHS Security Risk Assessment (SRA) Tool includes a new SRA Tool Excel Workbook to replace the legacy paper version.

By Jill McKeon

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) released version 3.3 of the HHS Security Risk Assessment (SRA) Tool.

ONC and OCR developed the SRA Tool to help HIPAA-covered entities navigate risk assessment requirements under the HIPAA Security Rule. The tool is a software application that organizations can download at no cost.

It is important to note that the use of the SRA Tool does not guarantee compliance with HIPAA, but it can help organizations conduct thorough risk assessments and evaluate technical, physical, and administrative safeguards.

The updated tool includes various feature enhancements, including the incorporation of Health Industry Cybersecurity Practices (HICP) references, bug fixes, and file association in Windows. ONC and OCR also released the SRA Tool Excel Workbook.

“This alternative version of the SRA Tool takes the same content from the Windows desktop application and presents it in a familiar spreadsheet format. The Excel Workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application,” OCR explained.

“This version of the SRA Tool is intended to replace the legacy ‘Paper Version’ and may be a good option for users who do not have access to Microsoft Windows.”

The SRA Tool’s audience includes mostly medium and small providers, ONC explains on its website. It may not be applicable to larger organizations.

Within the application, organizations can walk through multiple-choice questions, vulnerability assessments, and vendor and asset management.

Risk management is one of four implementation specifications under the “security management process” standard within the HIPAA Security Rule. Risk management and analysis are crucial to compliance, disaster preparedness, and incident prevention.

In other OCR news, the office recently announced plans to produce a pre-recorded video presentation on HITECH recognized security practices, a few months after it issued a request for information (RFI) on the recognized security practices.

In response, industry groups urged HHS to provide clarity, guidance, and best practices on HITECH measures.

The healthcare sector is continually looking for clear and approachable guidance from various government entities on how to navigate compliance and security challenges.