The HHS SRA Tool, honestly reviewed

The free HHS Security Risk Assessment Tool is the most common starting point for small practices doing their first HIPAA risk analysis. Here is an honest look at what it does well and where it falls short.

The HHS Security Risk Assessment (SRA) Tool is free, it comes from the government, and OCR recommends it as a starting point. For small practices doing a HIPAA risk analysis for the first time, it is usually the first thing they find.

This is an honest review. The tool has real strengths and real limitations. Understanding both will help you decide whether it is right for your practice.

What the SRA Tool is

The HHS SRA Tool is a desktop application built by HHS and the Office of the National Coordinator for Health Information Technology (ONC). It is available for download at healthit.gov. The tool is free.

The application walks you through a structured set of questions based on the Security Rule requirements across administrative, physical, and technical safeguards. At the end, it generates a report you can save or print.

The genuine strengths

It is free and official. For a practice with no compliance budget, the SRA Tool is a legitimate starting point. It covers the major Security Rule requirements in a structured format. A practice that works through it thoughtfully is doing better than one that skips the risk analysis entirely.

It provides structure. The tool organizes the Security Rule into manageable sections, assigns questions to each section, and tracks your progress. That structure is valuable for someone approaching HIPAA compliance for the first time.

It produces a report. The output document, while basic, captures your answers in a format you can file. It is date-stamped and shows your responses. That is something.

OCR recognizes it. In its guidance on risk analysis, HHS explicitly points to the SRA Tool as one approach. Using it is not going to raise a flag with investigators the way using a completely informal process might.

The real limitations

Windows only. The SRA Tool is a Windows desktop application. If your practice runs on Macs, or if you work primarily on mobile devices, you will need a Windows machine (physical or virtual) to run it. For many small practices in 2026, this is a genuine barrier.

Not updated for the 2026 proposed rule. The NPRM published in January 2025 proposes significant changes — mandatory MFA, mandatory encryption, annual risk analysis, technology asset inventory requirements. As of this writing, the SRA Tool does not reflect these proposed changes. You can use the tool for the existing 2013 rule, but it will not help you assess your readiness for what is coming.

Proprietary data format. Your answers live inside the application's database. If you need to share your risk analysis with an auditor, an attorney, or a business partner, you export a PDF. But the underlying data is not easily portable. If you lose the application or need to move to another system, you start from scratch.

No branching. The SRA Tool asks the same questions of every practice, regardless of size, specialty, EHR, or whether you use cloud hosting or a local server. A solo behavioral health practice using SimplePractice has different risks than a ten-provider internal medicine group with Epic. The tool does not adapt to your specific environment.

No remediation guidance. After you complete the assessment, the tool shows you which questions you answered in ways that indicate a gap. But it does not tell you what to do about it. The risk management plan — required separately under 45 CFR § 164.308(a)(1)(ii)(B) — is entirely up to you.

No citation tracing. If you want to understand why a specific question exists and what the underlying rule requires, the SRA Tool does not link questions to specific CFR sections. You have to look that up separately.

How OCR investigators actually respond to SRA Tool output

The SRA Tool output is not a safe harbor. Several practices that used the SRA Tool have still ended up in OCR investigations and settlements for risk analysis failures. The issue is usually one of three things:

  • The risk analysis was outdated (the tool was run once and not updated annually)
  • The scope was incomplete (the tool was completed for the EHR but not for email, remote access, or vendor relationships)
  • No risk management plan followed (the tool was completed but nothing was done about the gaps it identified)

The tool is a legitimate starting point. It is not an end point.

Who should use the SRA Tool

Use the SRA Tool if:

  • You have no compliance budget and need to start somewhere
  • Your practice runs on Windows and the application installs cleanly
  • You need a first-time baseline more than you need ongoing tracking
  • You are comfortable building your own risk management plan separately

Consider alternatives if:

  • You use Macs or need a web-based tool
  • You want to assess readiness against the proposed 2026 rule (not just the 2013 rule)
  • You want integrated remediation guidance, not just a gap list
  • You want a structured risk management plan output alongside the analysis
  • You need something you can update annually without re-entering all your information

The bottom line

The SRA Tool does what it says. It is free, it covers the major Security Rule requirements, and it produces a report you can file. For a practice that has done no risk analysis at all, using the SRA Tool is a meaningful improvement.

Its limitations — Windows-only, no 2026 rule coverage, no branching, no remediation guidance, proprietary format — are real, and they are worth understanding before you commit to it as your long-term approach.


Sources: HHS/ONC Security Risk Assessment Tool, available at healthit.gov. 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(1)(ii)(B) (risk management plan); NPRM: 90 Fed. Reg. 898 (Jan. 6, 2025).