OCR HIPAA Risk Assessment Tool: Comprehensive Guide and Compliance Checklist

Kevin Henry

HIPAA

August 01, 2024


Overview of the OCR HIPAA Risk Assessment Tool

The OCR HIPAA Risk Assessment Tool—often called the Security Risk Assessment (SRA) Tool—is a free HHS resource developed by ONC in collaboration with OCR to guide small and mid-sized healthcare organizations through a structured security risk assessment aligned to the HIPAA Security Rule. It helps you evaluate risks to electronic protected health information (ePHI) and document decisions for auditors and leadership. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

The SRA Tool is not required by HIPAA and does not, by itself, guarantee compliance; rather, it operationalizes the risk analysis methodology so you can produce consistent, audit-ready outputs that feed your broader risk management program. Its purpose-built prompts, references, and reports make the security risk assessment repeatable and easier to govern over time. ([healthit.gov](https://www.healthit.gov/topic/security-risk-assessment-tool?utm_source=openai))

Who should use it

The tool is designed primarily for small and medium-sized providers and business associates that need a practical way to assess security controls and risks to ePHI without deploying enterprise GRC software. Larger enterprises may prefer more customizable platforms but can still leverage the tool’s structure for workshops and gap checks. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

How it fits into HIPAA compliance

HIPAA’s Security Rule requires a documented risk analysis and ongoing risk management process under 45 C.F.R. § 164.308(a)(1). OCR’s guidance treats risk analysis as foundational to implementing reasonable and appropriate safeguards; the SRA Tool supports, but does not replace, those obligations. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))

Features and Capabilities

Guided assessment workflow

The Windows application and Excel workbook lead you through multiple-choice questions, threat and vulnerability considerations, and asset and vendor management, with embedded references to Security Rule requirements. You can save, print, and share reports that capture responses and risk ratings for audit and leadership review. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

Risk scoring and documentation

The tool supports a likelihood–impact approach consistent with common risk analysis methodology, and it lets you record remediation or corrective action plans directly alongside identified risks. This creates a clear bridge from analysis to action. ([healthit.gov](https://www.healthit.gov/topic/security-risk-assessment-tool?utm_source=openai))

Supports supply chain risk management

By including vendor and asset management elements, the SRA Tool helps you identify third-party exposures and prioritize supply chain risk management activities involving business associates and critical service providers that handle ePHI. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

Tool Accessibility and Formats

You can use the SRA Tool in two formats: a Windows desktop application and a Microsoft Excel workbook with equivalent content. Choose the Windows app for a wizard-style experience, or the workbook if you need flexible, spreadsheet-based collaboration. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

The Windows application supports 64-bit Windows 7/8/10/11 and stores all information locally. HHS does not collect, view, store, or transmit your data, which simplifies deployment for organizations with strict privacy and security policies. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

The Excel workbook mirrors the application’s content and calculations, making it useful for teams that prefer spreadsheet tooling or operate in mixed environments where Windows installation is constrained. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

Latest Updates and Enhancements

In September 2025, OCR and the Assistant Secretary for Technology Policy released Version 3.6, focusing on audit readiness, NIST alignment, and content quality. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

  • Reviewed-by confirmation: a section-level approval button that records the approver’s username and date to support governance and audits. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))
  • NIST-aligned risk scale: the mid-tier rating changed from “medium” to “moderate,” aligning terminology with NIST usage. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))
  • Enhanced reports: updated disclaimers and section-specific approval details in the Detailed Report PDF and workbook outputs. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))
  • Updated libraries: refreshed installation files to reduce potential vulnerabilities tied to outdated components. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))
  • Content improvements: refined questions, responses, and educational text for today’s cybersecurity environment. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

HHS also hosted live webinars to introduce the 3.6 release and demonstrate changes, offering Q&A for implementers in small and medium practices. ([healthit.gov](https://www.healthit.gov/news/events/security-risk-assessment-tool-astponc-and-ocr-overview-small-and-medium-practices?utm_source=openai))

Importance of Risk Assessments for HIPAA Compliance

The HIPAA Security Rule requires covered entities and business associates to conduct an “accurate and thorough” assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and to implement risk management to reduce those risks to a reasonable and appropriate level. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))

OCR emphasizes that risk analysis is the starting point for selecting administrative, physical, and technical safeguards; it must consider all systems and processes that create, receive, maintain, or transmit ePHI. Results should be documented and drive corrective action plans. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))

Frequency is not prescribed; OCR advises continuous, periodic review and updates “as needed” based on changes to your environment, threats, operations, or technology—an approach that aligns well with the NIST Cybersecurity Framework’s iterative identify–protect–detect–respond–recover cycle. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))

Step-by-Step Compliance Checklist

  1. Define scope and context: identify all locations, systems, vendors, and workflows that create, receive, maintain, or transmit ePHI.
  2. Inventory assets and data flows: map where ePHI resides and moves; include cloud services, medical devices, and third parties to support supply chain risk management.
  3. Select a risk analysis methodology: use a likelihood–impact model and consistent criteria to rate risks across administrative, physical, and technical safeguards.
  4. Use the SRA Tool to assess controls: answer prompts, record evidence, and capture notes that support findings and corrective action plans. ([healthit.gov](https://www.healthit.gov/topic/security-risk-assessment-tool?utm_source=openai))
  5. Evaluate threats and vulnerabilities: consider human, natural, and environmental threats, including phishing, ransomware, insider misuse, and vendor failures. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))
  6. Rate and prioritize risks: apply your scoring rubric; align the mid-tier “moderate” rating with your NIST-informed taxonomy for consistency across reports. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))
  7. Develop corrective action plans: specify safeguards, owners, resources, and timelines; track progress to closure and integrate with change management. ([healthit.gov](https://www.healthit.gov/topic/security-risk-assessment-tool?utm_source=openai))
  8. Address vendor and BA risks: assess contracts, security attestations, incident notification, and contingency capabilities; document residual risks.
  9. Generate and review reports: produce the Detailed Report PDF or workbook output and obtain management sign-off using the 3.6 reviewed-by confirmation. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))
  10. Implement and verify controls: configure encryption, access controls, logging, backups, MFA, and training; validate with testing and monitoring.
  11. Maintain documentation: retain analysis artifacts, decisions, and approval records to demonstrate compliance with the Security Rule.
  12. Schedule periodic reassessments: revisit the SRA after material changes, incidents, or at least annually to keep pace with evolving threats.
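As an added illustration, not code from the SRA Tool or from this article, the following Python sketch ties steps 6, 7, 9 and 12 together as a small risk register: a likelihood-impact rubric that emits the Low/Moderate/High labels, a corrective action plan owner and due date on each risk, a reviewed-by record with approver and date, and a staleness flag for the annual reassessment. The 1..3 scales, the product thresholds, the 365-day cadence and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RANK = {"High": 3, "Moderate": 2, "Low": 1}
TODAY = date(2025, 10, 1)  # constructed "as of" date for the sample run

def rate_risk(likelihood: int, impact: int) -> str:
    """1..3 likelihood x 1..3 impact -> Low/Moderate/High (assumed thresholds)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be integers 1..3")
    score = likelihood * impact
    return "High" if score >= 6 else "Moderate" if score >= 3 else "Low"

@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    assessed_on: date                   # date this risk was last analysed
    cap_owner: str = ""                 # corrective action plan owner
    cap_due: Optional[date] = None      # corrective action plan target date
    reviewed_by: Optional[str] = None   # reviewed-by confirmation: approver
    reviewed_on: Optional[date] = None  # reviewed-by confirmation: date

def approve(risk: Risk, username: str, today: date) -> None:
    """Record the section-level reviewed-by confirmation (who and when)."""
    risk.reviewed_by, risk.reviewed_on = username, today

def needs_reassessment(risk: Risk, today: date, max_age_days: int = 365) -> bool:
    """Flag entries older than the assumed annual reassessment cadence."""
    return today - risk.assessed_on > timedelta(days=max_age_days)

def build_report(risks: list, today: date) -> list:
    """Register sorted highest rating first; missing sign-off, overdue CAP and
    stale analysis are surfaced as findings instead of being hidden."""
    rows = [{"id": r.risk_id, "rating": rate_risk(r.likelihood, r.impact),
             "signed_off": r.reviewed_by is not None,
             "cap_overdue": r.cap_due is not None and r.cap_due < today,
             "stale": needs_reassessment(r, today)} for r in risks]
    return sorted(rows, key=lambda row: RANK[row["rating"]], reverse=True)

# Constructed sample entries, not real findings
SAMPLE = [
    Risk("R-1", "Unpatched EHR server; ransomware via phishing", 3, 3, date(2025, 3, 1), "IT Lead", date(2025, 6, 30)),
    Risk("R-2", "Vendor BAA lacks breach-notification timeline", 2, 2, date(2024, 5, 15), "Compliance", date(2025, 12, 31)),
    Risk("R-3", "Visitor log not reviewed monthly", 1, 2, date(2025, 9, 1)),
]
```

Running `build_report(SAMPLE, TODAY)` lists R-1 first as High with an overdue CAP and no sign-off, and flags R-2 as stale because its last analysis is more than a year old.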

Additional Resources and Guidance

Leverage the SRA Tool User Guide and OCR’s guidance on risk analysis to deepen understanding of expectations and documentation practices. The tool also references NIST, HICP, and HPH CPG materials as informational resources to help you align practices without mandating specific standards. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))

Conclusion

The OCR HIPAA Risk Assessment Tool gives you a practical, structured way to perform a security risk assessment, document corrective action plans, and demonstrate governance over ePHI risks. By adopting a clear methodology, leveraging Version 3.6’s audit-ready features, and reassessing regularly, you strengthen Security Rule compliance and reduce real-world cybersecurity exposure. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

FAQs

What is the OCR HIPAA Risk Assessment Tool used for?

It guides covered entities and business associates through a structured security risk assessment of ePHI, helping you evaluate safeguards, identify risks, and generate reports you can use for remediation and oversight. The tool operationalizes Security Rule concepts but is not itself a compliance requirement. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

How often should a HIPAA risk assessment be conducted?

OCR does not set a fixed interval. Risk analysis is an ongoing process that should be reviewed and updated “as needed,” such as after significant changes to systems, operations, or threats; many organizations reassess at least annually and after major events. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))

What updates were included in version 3.6 of the tool?

Version 3.6 adds a reviewed-by confirmation with dates for each section, replaces “medium” with “moderate” to align with NIST terminology, enhances reports and disclaimers, refreshes installation libraries, and improves question and education content. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))

How does the tool help identify risks to ePHI?

It walks you through questions tied to Security Rule safeguards, prompts threat and vulnerability analysis, captures asset and vendor context, and produces risk ratings and documentation that you can translate into corrective action plans and ongoing risk management activities. ([healthit.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool?utm_source=openai))
