The U.S. Department of Health and Human Services (HHS) recently released Version 3.6 of its Security Risk Assessment (SRA) Tool, designed to help organizations evaluate and manage risks to protected health information (PHI) as required under the HIPAA Security Rule. The tool is especially helpful for HR teams supporting HIPAA-covered employers, healthcare providers, or business associates, and can serve as evidence of a structured compliance approach during audits or investigations.
What Is the SRA Tool?
The SRA Tool is a free, downloadable program developed by the HHS Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP). It walks users through the key elements of a HIPAA security risk assessment (administrative, physical, and technical safeguards) while offering guidance, documentation capabilities, and remediation planning tools. It is particularly well suited for small to mid-sized organizations without large internal IT or compliance teams.
What's New in Version 3.6?
Version 3.6 includes several important enhancements that reflect feedback from prior users and updated best practices in cybersecurity and audit preparedness:
- Reviewed-By Confirmation Button: Users can now formally mark reviews complete and log the approval date, helping with internal audit tracking and compliance documentation.
- Updated Risk Rating Language: The tool now uses "moderate" instead of "medium" to better align with the National Institute of Standards and Technology (NIST) risk terminology.
- Enhanced Reports: Section-specific detail has been added to reporting functions, along with clearer disclaimers to help users interpret findings.
- Refreshed Library Files: Outdated components have been updated to address potential vulnerabilities.
- Improved Content: The underlying questions, educational guidance, and response explanations have been refined for better clarity and usability.
Why HR Should Care
While IT departments often lead security assessments, HR professionals supporting group health plans or working in HIPAA-covered environments should stay informed. HR may be asked to participate in documenting administrative safeguards, policies and procedures, or employee training records. The SRA Tool offers a valuable opportunity to align internal operations with regulatory expectations and demonstrate a proactive stance on HIPAA compliance.
Organizations that fail to conduct regular risk assessments are at increased risk of enforcement actions. With this new version of the SRA Tool, there's no better time to make sure your organization is keeping its compliance program current.
Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.
MyEnroll360 can integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA, and many others), and with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).
This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.