OCR Releases Version 3.6 of the HIPAA SRA Tool

In September 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), together with the Assistant Secretary for Technology Policy (ASTP), released version 3.6 of the Security Risk Assessment (SRA) Tool. This tool is designed to help small- and medium-sized health care providers and business associates conduct HIPAA‑compliant risk assessments of their electronic protected health information (ePHI) environments.

While the update isn’t a wholesale redesign, it includes several meaningful enhancements aimed at improving audit readiness, usability, and alignment with standard cybersecurity frameworks. Below are the key changes and practical implications.

Key Enhancements in SRA Tool Version 3.6

Here’s a breakdown of the major updates in 3.6, along with what they mean in practice:

Feature: “Reviewed‑By” Confirmation Button & Timestamp
What changed: Each section now has a button allowing you to designate who reviewed and approved it, with a date stamp.
Why it matters / how to use it: This helps in documenting governance oversight. During an OCR investigation or audit, you’ll have better evidence that your organization is performing periodic reviews (not a one‑time check).

Feature: Risk Scale Terminology Updated
What changed: The “medium” risk level is renamed “moderate,” aligning with NIST’s standard wording.
Why it matters / how to use it: This alignment enhances clarity and consistency, particularly for organizations that also reference NIST SP 800‑series guidance in their security practices.

Feature: Enhanced Reporting
What changed: The reporting module now includes more granular section‑level details (e.g. approval metadata) and better integration of user‑entered information.
Why it matters / how to use it: More detailed reports help you trace decisions, review history, and make your risk assessment documentation more defensible.

Feature: Refreshed Library Files / Component Updates
What changed: The underlying libraries and code components have been updated to replace potentially vulnerable or outdated elements.
Why it matters / how to use it: This reduces vulnerabilities in the tool itself and improves the security posture of using the tool.

Feature: Refined Content, Questions & Educational Material
What changed: Some questionnaire language, guidance tips, and educational popups have been revised to reflect current cybersecurity trends.
Why it matters / how to use it: Updated content better helps users understand modern threats (ransomware, supply chain compromise, etc.) and make more informed assessments.

Feature: Installation Behavior
What changed: When installing version 3.6, outdated library files are replaced, reducing the risk that old components linger.
Why it matters / how to use it: This helps ensure users do not run mixed or legacy code pieces that could introduce weaknesses.

Why These Changes Are Important (Especially Now)

1. OCR Is Paying Increased Attention to Risk Analysis

Risk analysis failures remain one of the most cited deficiencies in OCR investigations. OCR has launched a “Risk Analysis Initiative” targeting entities that inadequately conduct or document their risk assessments. In that environment, using an updated tool that encourages better documentation and governance may reduce exposure.

2. Stronger Audit Readiness

The addition of a “reviewed-by” feature and more detailed reporting means your organization can better show a chain of accountability over time (who reviewed what, when). That’s critical when regulators dig into your risk management practices.

3. Better Alignment with Industry Standards

By aligning terminology with NIST (e.g. “moderate” instead of “medium”), the tool becomes more interoperable with organizations that reference NIST frameworks. This reduces potential confusion or translation errors when cross-referencing multiple standards.

4. Reduced Tool-Based Vulnerabilities

Updating the underlying libraries and components helps ensure that the tool itself doesn’t become a liability (e.g. via software vulnerabilities). It’s a subtle but important security hygiene improvement.

5. More Relevant and Usable Guidance

As cyber threats evolve (e.g. ransomware, supply chain attacks, zero‑day vulnerabilities), the updated questionnaire content means the tool is more likely to prompt relevant risk considerations you might otherwise miss.

Looking Ahead: Broader HIPAA Security Rule Changes

The release of version 3.6 occurs in the broader context of pending proposed updates to the HIPAA Security Rule itself. In late 2024, OCR published a Notice of Proposed Rulemaking (NPRM) aimed at strengthening cybersecurity requirements (e.g. more prescriptive rules on encryption, multifactor authentication, patching, network segmentation, and formal audit processes).

These changes mean that even though the SRA Tool 3.6 makes your risk assessment documentation better today, you should keep an eye on how the regulatory baseline evolves. Your risk assessments will need to hold up against not just today’s Security Rule, but tomorrow’s as well.
