HHS Releases Updated Security Risk Assessment Tool

Posted by Steve Alder

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP) have announced the release of an updated version of the Security Risk Assessment (SRA) Tool.

The SRA tool was developed to help small to medium-sized healthcare providers comply with the security risk assessment provision of the HIPAA Security Rule, one of the foundational requirements of the Security Rule. A HIPAA risk assessment failure is the most commonly identified HIPAA Security Rule violation, and OCR currently has an active enforcement initiative targeting noncompliance. Through its investigations of complaints, data breaches, and compliance audits, OCR commonly discovers that HIPAA-regulated entities have either failed to conduct a risk assessment or that risk assessments are inaccurate or incomplete. For instance, a risk assessment is conducted based on an incomplete or out-of-date asset inventory.

The enforcement initiative was announced by OCR in October 2024 when the first penalty was imposed on Bryan County Ambulance Authority in Oklahoma. Since then, OCR has imposed 10 financial penalties for risk analysis failures, making it the most common reason for security-related HIPAA civil monetary penalties and settlements.

The SRA tool is an invaluable tool for small and medium-sized healthcare providers, as it guides them through the process of conducting a risk assessment. The latest release, version 3.6, includes several updates to improve usability. A new assessment confirmation button has been added with a reviewed-by date for each section, allowing users to confirm that a section has been reviewed and approved, which will be saved for audit records.

The risk scale has been updated to align with NIST scoring, with the score of “medium” changed to “moderate”. Updated library files will be installed when the new version is installed, mitigating vulnerabilities that may exist in outdated versions. The reports have been updated with new content, including section-specific approval/reviewed-by details and additional information entered by users. There have also been improvements to questions, responses, and education to make the SRA Tool more relevant to the evolving cybersecurity environment and to improve ease of use.

OCR and ASTP are hosting two live webinars this month on the SRA Tool. Experts will provide an introduction to the SRA tool, demonstrate the new features and enhanced reports, and will be available to answer questions about the tool and new features. The webinars will be held on September 15, 2025, at 12 p.m. ET, and on September 16, 2025, at 3 p.m. ET. You can register for the webinar on this link.

The post HHS Releases Updated Security Risk Assessment Tool appeared first on The HIPAA Journal.

HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites

Posted by Steve Alder

The Trump administration has agreed to settle a lawsuit filed by the Washington State Medical Association (WSMA) and eight other plaintiffs that sought to stop and reverse the deletion of important public health and science data from federal websites. Under the terms of the settlement, the Department of Health and Human Services is required to restore more than 100 datasets and webpages that were deleted since January 2025.

On January 20, 2025, President Trump signed several executive orders, two of which concerned gender identity and diversity, equity, and inclusion (DEI) – Executive Order 14168: Ending Radical and Wasteful Government DEI Programs and Preferencing & Executive Order 14151: Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government. Over the course of several months, the Trump administration directed federal agencies such as the Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH), and Food and Drug Administration (FDA) to delete public health information that had previously been published on those agencies’ websites.

The deleted content included public health information relating to LGBTQ health, gender and reproductive health, vaccine guidance, Mpox treatment, pregnancy risk, opioid use disorder, HIV/AIDS research, and the NIH HIV Risk reduction tool, data from clinical trials, and more.

A lawsuit was filed in federal court to stop the deletion of data from taxpayer-funded websites, restore the deleted content, and establish legal protection to prevent future efforts to suppress public health information. The lawsuit was filed by the WSMA, Washington State Nurses Association, Washington Chapter of the American Academy of Pediatrics, AcademyHealth, Association of Nurses in AIDS Care, Fast-Track Cities Institute, International Association of Providers of AIDS Care, National LGBT Cancer Network, and Vermont Medical Society.

The defendants were Robert F. Kennedy Jr., Department of Health and Human Services (HHS), Matthew Buzzelli, CDC, Jay Bhattacharya, NIH, Martin A. Makary, FDC, Thomas J. Engels, Health Resources and Services Administration, Charles Ezell, and the Office of Personnel Management.

The lawsuit – Washington State Medical Association et al. v. Kennedy et al.– alleged that the deleted data was critical to public health research and combatting morbidity and mortality, and the removal of health-related data in response to the executive orders violated the Administrative Procedure Act, the separation of powers principle, the Paperwork Reduction Act, the Public Health Service Act, and the Prematurity Research Expansion and Education for Mothers Who Deliver Infants Early Act.

“The unannounced and unprecedented deletion of these federal webpages and datasets came as a shock to the medical and scientific communities, which had come to rely on them to monitor and respond to disease outbreaks, assist physicians and other clinicians in daily care, and inform the public about a wide range of healthcare issues,” wrote the plaintiffs in the lawsuit. “Health professionals, nonprofit organizations, and state and local authorities used the websites and datasets daily to care for their patients, provide resources to their communities, and promote public health.”

The lawsuit alleged that thousands of databases have been deleted, depriving the medical community and the public of accessing critical resources. The defendants have restored some of the deleted datasets and webpages, in some instances in response to court orders, but the restoration has been inconsistent and scattershot. The plaintiffs claimed that the defendants made “arbitrary, capricious and unreasoned” decisions to delete critical resources that, under American law, are required to be made available to the American people.

“Access to trustworthy information allows us to solve real problems, improve health outcomes, and plan for the future. If we don’t stand up for data now, we risk losing the tools we rely on to make progress, regardless of politics,” said Dr. Aaron Carroll, president and CEO of AcademyHealth.

On September 2, 2025, the WSMA announced that it was thrilled that a settlement had been reached, which requires the HHS to restore webpages and data that were wrongfully deleted, and make them available again to physicians, scientists, medical professionals, and the American public.” Under the terms of the settlement, the HHS is required to restore the deleted websites, webpages, and datasets that were taken down this year and have not already been restored, as detailed in Appendix A of the complaint.

“I am extremely proud of the health care community in Washington state and our partners in this case for pushing back on this egregious example of government overreach,” said John Bramhall, MD, PhD, president of the WSMA. “This was not a partisan issue – open data benefits everyone, and ensuring its availability should be a bipartisan priority.”

The post HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites appeared first on The HIPAA Journal.