ARTICLE
16 September 2025

HHS Updates The Security Risk Assessment Tool For Small And Medium Group Practices To Assist With HIPAA Compliance

Butzel Long

Contributor

Founded in 1854, Butzel Long has played a prominent role in the development and growth of several major industries. Business leaders have turned to us for innovative, highly-effective legal counsel for over 170 years. We have a long and successful history of developing new capabilities and deepening our experience for our clients’ benefit. We strive to be on the cutting edge of technology, manufacturing, e-commerce, biotechnology, intellectual property, and cross-border operations and transactions.


On September 9, 2025, the US Department of Health and Human Services released a new version of the Security Risk Assessment Tool ("SRAT") to assist solo practitioners, small and medium healthcare practices and business associates with their HIPAA Security Rule compliance efforts.

Originally created in 2019, the SRAT in its most recent release (version 3.6) is a downloadable desktop application that walks the user through a series of questions about the organization's security practices, the threats and vulnerabilities it faces, and its vendor and asset management. The tool helps healthcare practitioners identify gaps in their security practices and suggests corrective actions where applicable; an Excel "Workbook" version is also available for users who cannot install the application.

Among the changes in SRAT Version 3.6 are the following:

  • A new assessment confirmation button with a "reviewed-by" date for each section, allowing a user to confirm that a section has been reviewed and approved; the approver's username and the approval date are saved with the assessment as an audit record.
  • An updated risk scale aligned with National Institute of Standards and Technology (NIST) scoring: the prior "medium" rating is now "moderate" throughout the application, the reports, and the Workbook version.
  • Updated reports with new content, including revised disclaimers, section-specific approval/reviewed-by details, and additional information entered by users.
  • Updated third-party library files bundled with the application installer, which reduces the tool's exposure to known vulnerabilities in outdated components.
  • Content improvements to questions, responses, and educational material, intended to make the application and the Workbook version more user-friendly and more relevant to the current cybersecurity environment.1

The SRAT is often invaluable to smaller practices, many of which remain uncertain about what they must do to protect their patients' health information and comply with the HIPAA Security Rule. Notably, the SRAT is mapped to the Health Information Technology for Economic and Clinical Health (HITECH) Act and the applicable HIPAA Security Rule provisions, as well as to several industry cybersecurity standards, including NIST Special Publications 800-66, 800-53 and 800-53A, the NIST Cybersecurity Framework 2.0, Health Industry Cybersecurity Practices (HICP) Technical Volume 1, and the Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs). These mappings help ensure that the resulting analysis is comprehensive. Completing the SRAT is time-consuming, but it is broken into seven content-specific sections, and progress can be saved and resumed later. Once completed, the SRAT provides a roadmap for improving the practice's security posture and serves as a repository of information and evidence that the risk analysis required by the Security Rule has been performed. Practices should bear in mind, however, that HHS itself cautions that the tool is not an exhaustive or definitive source and that using it does not by itself guarantee compliance: the findings still have to be acted on, and the assessment has to be revisited as the practice's systems and threats change.

For healthcare practitioners that have not been performing the risk analysis the Security Rule requires of them, and periodically updating it (commonly on an annual cycle), using the SRAT is a step in the right direction. Not only does the SRAT assist with HIPAA compliance, it also helps healthcare practices identify the current cybersecurity risks and vulnerabilities in their organizations.

Footnote

1. Source: Security Risk Assessment Tool v 3.6 User Guide, available at: https://www.healthit.gov/sites/default/files/page/2025-09/SRA_Tool_User_Guide_Version_3_6.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
