The HHS SRA Tool: what it does well and where it falls short

The free HHS Security Risk Assessment Tool is the most common starting point for small practices doing their first HIPAA risk analysis. What it does well, where it falls short, and whether it produces a defensible analysis.

By CoreFolio

The U.S. Department of Health and Human Services (HHS) Security Risk Assessment (SRA) Tool is free, it comes from the government, and the Office for Civil Rights (OCR) recommends it as a starting point. For small practices doing a HIPAA risk analysis for the first time, it is usually the first thing they find.

The tool has real strengths and real limitations. Understanding both will help you decide whether it is right for your practice.

What the SRA Tool is

The HHS SRA Tool is a desktop application built by HHS and the Office of the National Coordinator for Health Information Technology (ONC). It is available for download at healthit.gov. The tool is free.

The application walks you through a structured set of questions based on the Security Rule requirements across administrative, physical, and technical safeguards. At the end, it generates a report you can save or print.

The genuine strengths

It is free and official. For a practice with no compliance budget, the SRA Tool is a legitimate starting point. It covers the major Security Rule requirements in a structured format. A practice that works through it thoughtfully is doing better than one that skips the risk analysis entirely.

It provides structure. The tool organizes the Security Rule into manageable sections, assigns questions to each section, and tracks your progress. That structure is valuable for someone approaching HIPAA compliance for the first time.

It produces a report. The output document, while basic, captures your answers in a format you can file. It is date-stamped and shows your responses. That is something.

OCR recognizes it. In its guidance on risk analysis, HHS explicitly points to the SRA Tool as one approach. Using it is not going to raise a flag with investigators the way using a completely informal process might.

The real limitations

Windows desktop app or Excel workbook — nothing else. The interactive SRA Tool is a Windows desktop application. HHS publishes an Excel Workbook version that runs on macOS or Linux with Excel installed and carries the same questions, scoring, and references, but it is a spreadsheet, not the guided wizard. Neither version runs on a phone. For practices that work primarily on Macs or mobile devices, this is a genuine barrier.

Not updated for the 2026 proposed rule. The Notice of Proposed Rulemaking (NPRM) published in January 2025 proposes significant changes — mandatory MFA, mandatory encryption, annual risk analysis, technology asset inventory requirements. As of this writing, the SRA Tool does not reflect these proposed changes. You can use the tool for the existing 2013 rule, but it will not help you assess your readiness for what is coming.

Proprietary data format. Your answers live inside the application's database. If you need to share your risk analysis with an auditor, an attorney, or a business partner, you export a PDF. But the underlying data is not easily portable. If you lose the application or need to move to another system, you start from scratch.

No branching. The SRA Tool asks the same questions of every practice, regardless of size, specialty, electronic health record (EHR), or whether you use cloud hosting or a local server. A solo behavioral health practice using SimplePractice has different risks than a ten-provider internal medicine group with Epic. The tool does not adapt to your specific environment.

No remediation guidance. After you complete the assessment, the tool shows you which questions you answered in ways that indicate a gap. But it does not tell you what to do about it. The risk management plan — required separately under 45 CFR § 164.308(a)(1)(ii)(B) — is entirely up to you.

No citation tracing. If you want to understand why a specific question exists and what the underlying rule requires, the SRA Tool does not link questions to specific CFR sections. You have to look that up separately.

How OCR investigators actually respond to SRA Tool output

The SRA Tool output is not a safe harbor. Several practices that used the SRA Tool have still ended up in OCR investigations and settlements for risk analysis failures. The issue is usually one of three things:

  • The risk analysis was outdated (the tool was run once and not updated annually)
  • The scope was incomplete (the tool was completed for the EHR but not for email, remote access, or vendor relationships)
  • The risk management plan did not follow (the tool was completed but nothing was done about the gaps it identified)

The tool is a legitimate starting point. It is not an end point.

Who should use the SRA Tool

Use the SRA Tool if:

  • You have no compliance budget and need to start somewhere
  • Your practice runs on Windows and the application installs cleanly
  • You need a first-time baseline more than you need ongoing tracking
  • You are comfortable building your own risk management plan separately

Consider alternatives if the Windows requirement is a practical barrier for your practice, the static PDF export format does not fit how you file or share documentation, or you need an assessment that covers your readiness against the proposed 2026 Security Rule changes — not only the 2013 rule the SRA Tool reflects.

The bottom line

The SRA Tool does what it says. It is free, it covers the major Security Rule requirements, and it produces a report you can file. For a practice that has done no risk analysis at all, using the SRA Tool is a meaningful improvement.

Its limitations — desktop-only (Windows app or Excel workbook), no 2026 rule coverage, no branching, no remediation guidance, proprietary format — are real, and they are worth understanding before you commit to it as your long-term approach.


Sources: HHS/ONC Security Risk Assessment Tool, available at healthit.gov. 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(1)(ii)(B) (risk management plan); NPRM: 90 Fed. Reg. 898 (Jan. 6, 2025).