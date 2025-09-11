

Mintz is a litigation powerhouse and business accelerator serving leaders in life sciences, private equity, sustainable energy, and technology. The world’s most innovative companies trust Mintz to provide expert advice, protect and monetize their IP, negotiate deals, source financing, and solve complex legal challenges. The firm has over 600 attorneys across offices in Boston, Los Angeles, Miami, New York, Washington, DC, San Francisco, San Diego, and Toronto.

In a move that underscores the growing urgency around health care cybersecurity, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released version 3.6 of its Security Risk Assessment Tool (SRA Tool). The SRA Tool is a free resource designed to help covered entities and business associates conduct HIPAA-compliant security risk assessments. It is particularly focused on small and medium-sized providers and can be a useful tool for any smaller entity subject to HIPAA. Non-provider entities, including business associates, may need to make modifications to the tool to fit their operations and security infrastructure.

This update improves the usability of the tool, including by adding a "reviewed by" feature to allow organizations to track internal approvals of components of the security risk assessment. Corresponding changes to the SRA Tool's report function allow organizations to document their internal review and approvals.

HIPAA covered entities and their business associates should take this as yet another reminder that a security risk assessment is both a required component of HIPAA Security Rule compliance and a practical risk mitigation strategy. OCR has continued to be laser-focused on the absence of comprehensive security risk assessments in its breach investigations, going so far as to launch its "Risk Analysis Initiative" last fall. Time after time, OCR has highlighted that organizations that experienced data breaches either failed to conduct (or update) a security risk assessment or failed to remediate the issues it identified. OCR, in collaboration with the National Institute of Standards and Technology (NIST) and other agencies, has published a number of guidance materials to help HIPAA regulated entities understand their obligations under the HIPAA Security Rule, which OCR compiles on its Security Rule guidance page.

Upcoming Webinars

OCR and the Assistant Secretary for Technology Policy (ASTP) will host live webinars on September 15 at noon ET and September 16 at 3pm ET to walk through the new features and answer questions. Recordings of the webinars will be made available for those who cannot attend live. Based on past webinars, attendees will get the most value out of the webinar if they have already downloaded the updated Tool and associated user guide ahead of time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.