Anyone who has wrestled with the HIPAA Security Rule's risk-analysis requirement knows that the government's free Security Risk Assessment ("SRA") Tool can be a practical starting point—particularly for resource-constrained practices that cannot justify a commercial governance-risk-and-compliance platform. Developed jointly by the Office for Civil Rights ("OCR") and the Assistant Secretary for Technology Policy ("ASTP"), the SRA Tool walks the user through the core elements of a 45 C.F.R. § 164.308(a)(1)(ii)(A) risk analysis, prompting self-assessment questions on everything from facility access controls to encryption of data in transit. The output—customized reports that catalogue vulnerabilities, likelihoods, impacts, and recommended remediation—can be invaluable if (or, more accurately, when) OCR knocks on the door.
Today, OCR and ASTP released version 3.6. While the update is incremental, it contains several features that will make life easier for compliance teams, auditors, and, ultimately, regulators reviewing an organization's risk-analysis documentation:
- First, Version 3.6 introduces a "reviewed-by" confirmation button. Compliance officers can now record the name of the individual who approved the assessment and the date of sign-off. Given OCR's expectation that risk analyses be "periodic and updated as needed," this time-stamping feature could be a lifesaver during an investigation when the agency asks for evidence of ongoing governance.
- Second, the Tool now aligns its likelihood/impact taxonomy more closely with NIST by renaming the middle tier of risk from "medium" to "moderate." The change is semantic, but it eliminates confusion for organizations that rely on NIST SP 800-30 Rev. 1 or SP 800-53A—documents that likewise use "moderate" as the midpoint on the risk continuum.
- Third, the reporting engine has been fine-tuned. Section-specific details are more granular, and the disclaimers now clarify that the Tool is not a substitute for professional legal advice (music to every lawyer's ears).
- Fourth, the underlying libraries have been refreshed to address vulnerabilities in outdated components. If you ran a security scan on the prior version, chances are your software composition analysis tool flagged several CVEs; those should now be resolved.
- Finally, OCR and ASTP have tightened the substance of various questions and educational pop-ups. For instance, the encryption module now references the latest FIPS 140-3 standards, and the incident-response section cross-references the 2024 addition to the HIPAA Security Rule that codifies a 72-hour breach notification window for ransomware events.
To help users acclimate, OCR and ASTP will host live demonstrations on September 15 at noon ET and September 16 at 3 p.m. ET. Expect a hands-on tour of the new features, a walkthrough of the refreshed reports, and a Q&A segment that, if history is any guide, will address the perennial question: "Does completing the SRA Tool guarantee compliance?" (Spoiler: it does not, but it is a strong piece of evidence that you are taking risk analysis seriously.)
What should covered entities and business associates do now? Download version 3.6, perform at least a delta assessment against your most recent risk analysis, and memorialize the outcome—preferably invoking that new confirmation button. Remember, OCR's enforcement posture has not softened. In recent resolution agreements, the agency has continued to cite inadequate or outdated risk analyses as a predicate violation. The updated SRA Tool is not a silver bullet, but it is low-hanging fruit. Grab it, use it, document it, and, if questions remain, consult counsel.
As always, Foley Hoag's Security, Privacy and the Law team is available to help you navigate these changes and integrate the new SRA Tool into a holistic HIPAA compliance program.