The Free HHS SRA Tool Isn't Enough: What Independent Providers Actually Need for HIPAA Risk Assessment
- Patient Protect Editorial Team

- Mar 5
- 8 min read
The government's HIPAA Security Risk Assessment tool is a starting point — not a solution. Here's what solo practitioners and small practices actually need to stay protected.
Every year, thousands of independent healthcare providers download the free HHS Security Risk Assessment (SRA) Tool, work through its 166 questions, generate a report, and file it away — believing they've completed their HIPAA security risk assessment requirement.
They haven't.
Not really.
This isn't a criticism of the tool itself. The HHS SRA Tool, developed by the Office of the National Coordinator for Health IT (ONC) in collaboration with the HHS Office for Civil Rights (OCR), does exactly what it was designed to do: walk small and medium-sized practices through a structured security risk assessment questionnaire. It's free, it's thorough, and it's better than nothing.
But for independent providers — solo physicians, dentists, therapists, chiropractors, and small group practices — "better than nothing" is no longer good enough. Not in 2025. Not with healthcare breaches exposing over 276 million individuals in 2024 alone. Not with OCR actively naming risk analysis failures as its top enforcement priority.
This guide explains exactly what the free tool gets right, where it falls short, and what independent providers actually need to protect their patients and their practices.
What the HHS SRA Tool Is — and What It Was Designed For
The HHS Security Risk Assessment Tool (currently at version 3.6, updated September 2025) is a downloadable desktop application that guides healthcare providers through the security risk assessment process required by the HIPAA Security Rule under 45 CFR § 164.308(a)(1)(ii)(A).
The tool walks users through multiple-choice questions covering:
- Administrative, physical, and technical safeguards
- Threat and vulnerability assessments
- Asset and vendor management
- Risk scoring and reporting
It's free. It's updated regularly. And it's specifically designed for small to medium-sized providers who may not have dedicated compliance teams or IT staff.
So what's the problem?
What the HHS SRA Tool Cannot Do
The limitations aren't hidden. They're in the tool's own documentation.
The SRA Tool User Guide states plainly that "the SRA tool is not a guarantee of HIPAA compliance." Experts who work with the tool regularly go further. According to analysis published in HealthInfoSec, the free tool "aligns too closely with the HIPAA Security Rule, a rule that is outdated" and does not constitute a "thorough" risk analysis by OCR's own standards.
More critically: most practice managers cannot complete the SRA Tool questions without outside help. The tool identifies where weaknesses and vulnerabilities may exist — but it provides no guidance on how to assign risk levels, what policies and procedures to implement, or how to remediate the gaps it uncovers.
The result is a common and dangerous pattern: a practice completes the SRA Tool annually, generates a PDF report, and considers its risk assessment done. But the report sits in a folder. The vulnerabilities it identified go unaddressed. And when OCR investigates — which it increasingly does — the practice can't demonstrate that it actually managed the risks the assessment uncovered.
This is precisely the gap that has made HIPAA risk analysis failures the most common finding in OCR breach investigations and audits — and the top enforcement priority in OCR's active initiative launched in October 2024.
The Real Problem: Risk Assessment Without Risk Management
The HIPAA Security Rule requires two distinct things that the free tool only partially addresses:
- A security risk analysis — identifying potential risks and vulnerabilities to ePHI. This is what the HHS SRA Tool helps with.
- A risk management program — implementing security measures sufficient to reduce those risks to a reasonable and appropriate level. This is what the free tool leaves entirely to you.
For a solo practitioner or small practice without IT staff or a compliance officer, the gap between "here are your risks" and "here's how to fix them" is where practices get hurt.
A practice that identifies 23 risk items in the SRA Tool and addresses none of them is in worse legal and operational shape than a practice that never ran the assessment at all — because it now has documented evidence of known vulnerabilities it chose not to remediate.
What Independent Providers Actually Need
The research is unambiguous about what happens to small and independent providers when they get this wrong.
A 2025 study published on SSRN, The Economics of ePHI Exposure: A Long-Term Impact Model of Healthcare Data Breaches (ssrn.com/abstract=5257628), found that small and mid-sized providers are disproportionately exposed to breach consequences that often exceed their capacity to recover. Unlike larger organizations that can absorb breach costs, independent practices face permanent closure — the study found that roughly 35–40% of breached small practices close within two years.
The same research developed a web-based HIPAA Breach Cost Calculator that models 10-year financial exposure based on practice size and breach type. For a solo practice, the numbers are sobering.
A companion framework published in The Cyber-Economic Stack (ssrn.com/abstract=5792382) goes further, modeling healthcare cybersecurity through market economics rather than compliance checklists. It finds that the 93-day average time-to-detection in healthcare (versus 4-day mandatory disclosure in finance) creates exploitable windows to which independent providers, lacking any real-time monitoring capability, are uniquely vulnerable.
What this research makes clear is that independent providers need three things the HHS SRA Tool doesn't provide:
- Guided remediation, not just gap identification. Knowing you have a risk is step one. Knowing what to do about it — in plain language, prioritized by actual impact on a small practice — is what closes the gap.
- Continuous monitoring, not annual snapshots. The HHS SRA Tool is a point-in-time assessment. Security threats don't operate annually. A risk assessment completed in January doesn't account for the new device added in March, the staff change in June, or the software update in September that introduced new vulnerabilities.
- Documentation that holds up to OCR scrutiny. Generating a PDF isn't the same as maintaining a defensible compliance record. OCR expects covered entities to demonstrate that risk assessments were accurate, thorough, and — critically — acted upon. That requires audit-ready documentation that connects assessment findings to remediation actions.
How Patient Protect Closes the Gap
Patient Protect was built specifically for independent providers who need actual HIPAA security protection — not just documentation to satisfy auditors.
Where the HHS SRA Tool asks questions and generates a report, Patient Protect's Security Risk Assessment module does the following:
- Maps to the frameworks that matter. Patient Protect's SRA is built on a 166-question database mapped to both NIST CSF and HPH CPG frameworks — the same standards OCR uses to evaluate the thoroughness of a risk assessment. This isn't a generic questionnaire; it's the structure OCR actually looks for.
- Tells you what needs attention. Rather than presenting 166 equal-weight questions, Patient Protect surfaces the risks that create the highest exposure for your specific practice type and size — so a solo therapist isn't wading through controls designed for a 200-bed hospital.
- Connects assessment to remediation. Every risk identified in the assessment links to specific remediation guidance. Not "implement appropriate safeguards" — but concrete, actionable steps calibrated for a practice without dedicated IT staff.
- Provides continuous monitoring. Between annual assessments, Patient Protect monitors your compliance posture in real time, alerting you when something needs attention before it becomes an OCR finding.
- Generates audit-ready documentation. Every assessment, every remediation action, every policy acknowledgment is logged in a format designed to demonstrate compliance to OCR — not just to satisfy an internal checklist.
You can estimate your practice's 10-year breach exposure using the HIPAA Breach Cost Calculator — built from the same economic modeling framework published in the SSRN research above.
The Pricing Reality
One reason independent providers rely on the free HHS tool is cost. Enterprise HIPAA compliance platforms — Compliancy Group, Accountable HQ, Vanta — are priced for organizations with compliance staff, IT departments, and multi-million-dollar budgets. Compliancy Group starts at $300+/month. Accountable HQ runs $149–$749/month.
Patient Protect's Basic plan starts at $39/month. The Pro plan is $99/month. Both include a 14-day free trial with no long-term contract required.
For a solo practitioner spending $39/month to replace a free tool that leaves them exposed, the math is simple: one OCR penalty for a risk analysis failure starts at $100 per violation. The settlements OCR closed in 2025 ranged from $25,000 to $3,000,000. The average healthcare data breach now costs $7.42 million.
The free tool costs nothing. The gap it leaves open costs everything.
Frequently Asked Questions
What is the HHS HIPAA Security Risk Assessment Tool?
The HHS SRA Tool is a free downloadable application developed by ONC and OCR to help small and medium-sized healthcare providers conduct a HIPAA security risk assessment as required by the HIPAA Security Rule. The current version is 3.6, updated in September 2025. It guides users through 166 questions covering administrative, physical, and technical safeguards, and generates a risk report. It is not a guarantee of HIPAA compliance.
Is the HHS SRA Tool enough for HIPAA compliance?
No. The SRA Tool helps with gap identification but does not provide remediation guidance, continuous monitoring, or audit-ready documentation connecting assessment findings to corrective actions. OCR's enforcement initiative specifically targets risk analysis failures — including cases where risk assessments were completed but risks were not actually managed.
What is HIPAA SRA software for independent providers?
HIPAA SRA software for independent providers is a platform that automates the security risk assessment process, provides guided remediation, and maintains compliance documentation — designed for solo practitioners and small practices without dedicated IT or compliance staff. Unlike enterprise platforms priced for large health systems, tools like Patient Protect are built for the operational reality and budget of independent practices.
How often do independent practices need to complete a HIPAA risk assessment?
The HIPAA Security Rule requires a risk assessment when significant changes occur in the organization's environment, and OCR expects annual reviews at minimum. However, a point-in-time annual assessment is no longer sufficient given the continuous nature of modern cybersecurity threats. Continuous monitoring between formal assessments is increasingly the standard OCR expects.
What happens if a small practice fails a HIPAA risk analysis audit?
OCR penalties for risk analysis failures range from $100 to $50,000 per violation, with maximum annual penalties of $1.5 million per violation category. In 2025, risk analysis failures were the most common reason for OCR financial penalties. Beyond fines, breached practices face litigation costs, remediation expenses, patient attrition, and reputational damage — research modeling shows that 35–40% of breached small practices close permanently within two years.
How much does HIPAA SRA software cost for a small practice?
Patient Protect starts at $39/month for the Basic plan and $99/month for the Pro plan, with a 14-day free trial. Enterprise alternatives like Compliancy Group start at $300+/month and are designed for larger organizations with compliance staff. For an independent practice, purpose-built software at $39/month is significantly more cost-effective than the exposure created by relying on the free HHS tool alone.
The Bottom Line
The HHS SRA Tool is a valuable resource. It's free, it's structured, and it's better than conducting no risk assessment at all. For a practice with no HIPAA infrastructure, it's a legitimate place to start.
But it was never designed to be a complete HIPAA compliance solution for independent providers. The gap between completing a questionnaire and actually managing the risks it uncovers is where practices get breached, where OCR investigations begin, and where careers end.
Independent providers deserve tools built for their actual situation — not enterprise platforms stripped down and repriced, and not government tools that hand them a list of problems with no path to resolution.
Start your free 14-day trial of Patient Protect — no IT team required.
This article draws on research published in The Economics of ePHI Exposure: A Long-Term Impact Model of Healthcare Data Breaches (SSRN, 2025) and The Cyber-Economic Stack: How AI Turns Health-Care Data into a Financialized Attack Asset (SSRN, 2025), developed at Patient Protect.