On November 1, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) and the Assistant Secretary for Technology Policy (“ASTP”) announced the release of a new version of the Security Risk Assessment (“SRA”) Tool. HHS developed the SRA Tool as a resource to assist small and medium-sized healthcare providers in complying with their obligations under the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

The SRA Tool is an interactive Microsoft Windows desktop application that HHS makes freely available for download on its website. It is intended to help healthcare organizations identify and assess potential risks and vulnerabilities to electronic protected health information on their systems and provide them with cybersecurity resources and best practices. HHS also released an updated SRA Tool User Guide. HHS notes that the SRA Tool is not designed with large healthcare providers in mind, and as such, may not be appropriate for those organizations.

Key updates to the SRA Tool include:

• new and enhanced guidance and instructions;
• updated references to the NIST Cybersecurity Framework (“CSF”) 2.0 (replacing NIST CSF 1.1);
• references to the Healthcare and Public Health Cybersecurity Performance Goal;
• new content on mitigating organizational threats and vulnerabilities; and
• new content on cybersecurity supply chain risks.

As HHS continues to prioritize cybersecurity enforcement, the SRA Tool and User Guide provide useful insight into how HHS views the HIPAA risk analysis requirement, which is foundational to Security Rule compliance.