Chat with us, powered by LiveChat

HHS SRA Tool V3.0 – The Good, Bad and Ugly

Earlier this month, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT) found on the website. Each time a new version is released, we circle up with a few trusted industry partners and review the changes/updates so that we may accurately counsel healthcare Providers, Payers and Business Associates on the pro’s and con’s of utilizing this free, government-issued application.

Before diving into our review of V3.0, it is important to remember that HHS in NO way states that by using SRAT, healthcare providers can be assured that they are compliant with the Security Risk Analysis requirement under HIPAA. Per the Health website: “Disclaimer: The Security Risk Assessment Tool at is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”

This is not to say that SRAT does not have its merits. At HIPAA One, we firmly believe that SRAT can be an effective training tool for compliance professionals in training or a guideline for Certified Auditors.  Despite being a time-consuming process, SRAT does provide step-by-step instructions similar to a bona fide HIPAA Security Risk Analysis and there is certainly value in that. Healthcare professionals should merely be warned that without the guidance of a trained auditor, SRAT may or may not hold up in an audit scenario.

The Good

In short, the newly updated Security Risk Assessment Tool (SRAT) tool has made improvements mainly related to user experience and follows the HIPAA Audit Protocol and NIST-based methodologies for calculating risk. For example, a new bulk asset upload feature has been added along with a multi-location option for larger entities. Although mostly a file repository, this feature does assist larger organizations with their assessment. Organizations seeking assistance with Business Associate Agreement management will find that HHS has added a BAA-type function, however, it is important to note that this does not actually produce a BAA agreement.

As users work through the tool they will find that questions now map back to the HIPAA citations (similar to our software) and there is a bit more guidance (in the way of tips) that have added throughout. Additionally, users will find they have the ability enter specific information around asset type and status relative to the different stages of ePHI systems. However, without having the ability to track or assign questions, the inexperienced end user will not be able to identify where some of the gaps come from. Probably the most significant update is related to the production of a Final Report which is arguably the most crucial component in completely a risk analysis and what you walk away with. Much like the rest of the tool, the newly created Final Report does have a flag attached as the results of this report are fairly arbitrary with a large margin of error based on how the user responds to the risk calculation.

The Bad

At HIPAA One, we frequently use the term “Free like a puppy” and that’s exactly what SRAT is. Although this tool does not cost a fee, SRAT still has a ways to go when comparing it to other software or solutions in the marketplace today (spreadsheets included.)  Aside from being labor-intensive, mundane and error-prone; each measure results in multiple questions that need to be individually selected by one who knows how to estimate impact and likelihood year-over-year.

SRAT takes a single-user approach meaning there is no way to collaborate on the assessment with others in the organization.  This approach can result in the need for additional committee meetings to oversee remediation of identified risks. For example, there is no option to delegate survey questions to employees in different roles so it would be totally possible to have someone in IT trying to answer HR related questions. Also, should users desire to go back to previous sections or revise a past answer while in the middle of the assessment, navigation is really difficult. Past sections are merely available through <BACK> and <NEXT>.

Being that SRAT does not save any historical data related to previous assessments, organizations who have completed risk assessments in past years are unable to import their old assessments and simply make updates reflective of the past year. Healthcare providers focused on creating a sustainable and long-lasting HIPAA compliant office, should seek out a tool that allows for previous year imports to greatly decrease the amount of administrative work in complete your risk analysis year over year.

The Ugly

When evaluating the accuracy and comprehensive nature of the tool, there are a few glaring issues that we would be remiss not to address. These are the aspects of SRAT that would require either the experience of a Certified Auditor or compliance professional in training to ensure the assessment is accurate.

Some of the large issues not remedied by the V3.0 update include:

  • No Calculation of Risk – Without an experienced Auditor who is qualified to answer and assess risk, the average user is required to assign a risk score to each question without guidance or training. For example, the generated gaps from the SRAT do not have a correlation or identify which HIPAA control requirement those policies need to be addressed.
  • No Remediation Planning or Guidance – One critical component to completing a risk analysis is addressing and re-mediating the deficiencies and findings after the fact. The re-mediating planning process gives providers a framework for next steps and continued compliance.
  • Final Report
    • Does not include an executive high-level overview
    • Unable to show if at least a partial requirement is met
    • No prescriptive recommendations on how to address any of the found risks
  • No Included Policies and Procedures – SRAT does not include PnP templates nor does it review any current, existing PnP’s. This leaves providers at risk for continuing to use potentially outdated PnP templates and minimizes the possibility for a yearly review of these templates.

In Summary

  • Bulk Asset Upload 
  • Multiple Location Option
  • Basic Business Associate Agreement (BAA) Utility
  • Questions Map to HIPAA Citation
  • Final Report
  • User Guide
  • No Roles
  • No Auto Calculation of Risk
  • No Remediation Planning or Guidance
  • No Ongoing Updates
  • No Vulnerability Scans

If your workplace is considering using the SRAT tool for your 2018 risk analysis, we encourage you to take a look at our industry-leading automated software before doing so.  Our software scales seamlessly based on the size of your organization and with tiered pricing accessible for even single-doc physician practices, HIPAA One is the only choice for a guaranteed to pass an audit.

What are your thoughts on the SRAT tool?  Feel free to enter your comments below or Contact Us anytime for a free consultation.

NOTE: We have been following the development of this toolkit since its inception in 2011 and reviewed the 2014 v2.0 version here:

Speak Your Mind