The HHS SRA Tool vs Paid HIPAA Risk Analysis Options
5 min read · Last reviewed May 22, 2026
What the HHS SRA Tool is
The Office of the National Coordinator for Health IT and the HHS Office for Civil Rights jointly publish the Security Risk Assessment Tool. It is a free Windows and iPad application updated periodically (the current major release is v3.x). The tool walks a small practice through questions mapped to the Security Rule and exports the answers as a PDF and Excel report.
The tool is targeted at small and medium-sized providers. The federal government does not certify any tool as guaranteeing HIPAA compliance, and the published SRA Tool User Guide is explicit that using the tool does not by itself satisfy the Security Rule.
What the tool does well
- It is free.
- It covers every Security Rule standard at 45 CFR 164.308, 164.310, and 164.312.
- Each question links to the underlying citation.
- The export is in a format payers and auditors recognize.
- Data stays local on the practice's machine.
- A built-in glossary helps non-technical staff get through the questions.
For a practice with a security-conscious owner or a technical staff member, the HHS SRA Tool is a defensible starting point.
Where the tool is genuinely thin
Real-world friction points that come up consistently:
- The Windows desktop application is awkward on Mac-only or Chromebook-only practices.
- The iPad version is a separate tool with its own data file format.
- The questions are yes/no/flagged; the tool does not produce the narrative risk register that auditors expect to see in supplemental documentation.
- The tool does not maintain a vendor inventory or BAA register.
- It does not draft remediation plans; it lists items to address but the prose belongs to the practice.
- It does not generate the supporting policies and procedures (training records, sanction policy, contingency plan) that the Security Rule also requires under 164.530 and 164.316.
- It is a snapshot tool. There is no easy diff between this year's answers and last year's.
- It does not capture the meaningful-use / Promoting Interoperability attestation language that CMS requires when the practice reports the security risk analysis measure.
In short: the HHS tool gets the practice to a written record of the risk analysis itself. The rest of the binder (policies, procedures, training logs, sanction records, contingency plan tests, vendor BAAs, evidence files, sign-off records) is the practice's job to assemble.
How paid options market themselves
Paid SRA tools and consultants typically pitch some combination of:
- A guided workflow that produces both the risk analysis and the policies
- A vendor and BAA inventory feature
- A risk register with remediation tracking and re-evaluation reminders
- Document storage and audit-ready export
- Updates as Security Rule guidance and proposed rules evolve
- Templates for common practice specialties
- Optional consultant review or attestation services
Pricing in the small-practice segment ranges roughly from low-three-digit one-time fees up to several thousand dollars per year. Consultant-led engagements are typically several thousand to low five figures.
How to evaluate any paid option
The questions that matter:
- Does it cover every Security Rule standard at 164.308, 164.310, and 164.312, with each implementation specification flagged required or addressable?
- Does it generate an actual risk register (threat, vulnerability, likelihood, impact, residual risk, owner, due date) rather than just a yes/no list?
- Does it maintain a vendor and BAA inventory?
- Does it support per-site facility detail for multi-location practices?
- Does it produce the supporting policies and procedures required by 164.316?
- Does it preserve last year's binder so you can do a delta refresh next year instead of starting over?
- Does it export a self-contained document set you can hand to a payer requesting evidence, or are you locked into the vendor's portal?
- Does the marketing claim anything that the Security Rule does not actually deliver? Any vendor promising that a tool will help you pass an audit, or that it produces a state OCR could call compliant, is making a claim the regulation does not support. The Security Rule is a process, and no tool is granted certification status by HHS.
What "no tool can promise"
OCR's Guidance on Risk Analysis is explicit: the Security Rule is process-based, not product-based. No software certifies a practice. The Security Rule does not have an issuing authority that grants compliance status. Any tool or consultant that promises otherwise is marketing past what the regulation provides.
A reasonable decision framework
For a solo or 1-3 provider practice with no dedicated compliance staff:
- If staff time is the bottleneck and the practice values guided prose output, a small paid tool that bundles policies and risk register is usually worth it.
- If staff time is available and someone is willing to read the HHS guidance and write the prose, the HHS SRA Tool plus a self-built risk register and policies works.
- If the practice needs a defensible audit response on short notice (an OCR audit letter, a payer BAA request, a CMS Promoting Interoperability audit), a tool that produces a packaged binder shortens the response time materially.
How D3rx fits
D3rx SRA Binder Studio is an administrative documentation aid that walks each Security Rule specification in plain English, asks for evidence, generates a draft risk register and policy stack, and links everything back to HHS, OCR, eCFR, or NIST sources. It is positioned between the free HHS tool and a consultant engagement. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for the substance of every answer.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- Security Risk Assessment Toolhttps://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- SRA Tool User Guidehttps://www.healthit.gov/sites/default/files/page-files/SRAToolUserGuide_v3.4.pdf
- 45 CFR 164.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- 164.310https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
- 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- 164.530https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- 164.316https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
- Guidance on Risk Analysishttps://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Risk Analysis Cost: What Small Practices Actually Pay
5 min readBy SpecialtyHIPAA Risk Analysis for a Primary Care Practice
5 min readFoundationsHow Often Should a Practice Conduct a HIPAA Risk Analysis?
6 min readFoundationsCMS Promoting Interoperability and the Security Risk Analysis Attestation
5 min readRelated across the archive
- SRAHIPAA Risk Analysis Cost: What Small Practices Actually PayWhat a small practice can realistically expect to spend on a HIPAA Security Risk Analysis: the free HHS tool, paid software ranges, and consultant engagements, with the buyer questions that prevent overpaying.
- SRACMS Promoting Interoperability and the Security Risk Analysis AttestationHow the CMS Promoting Interoperability program (formerly Meaningful Use) requires a HIPAA Security Risk Analysis for each EHR reporting period, what the attestation actually claims, and how CMS audits it after the fact.
- SRAHIPAA Risk Analysis for a Primary Care PracticeWhat a primary care practice owes under 45 CFR 164.308(a)(1)(ii)(A): ePHI scope, threats specific to family medicine and internal medicine workflows, and a Security Rule mapping that holds up to OCR's audit protocol.
- SRAHow Often Should a Practice Conduct a HIPAA Risk Analysis?What 45 CFR 164.308(a)(8) requires for periodic evaluation, what HHS guidance says about cadence, and the practical pattern most small practices land on.
- SRAHIPAA Risk Analysis for a Dental PracticeHow a small dental practice approaches the HIPAA Security Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A), with practical scope, ePHI flows, and Security Rule references.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossarySecurity Risk AnalysisThe accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI required by the HIPAA Security Rule.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.