Skip to main content
CoreFolioHIPAA

HIPAA risk analysis for small medical and dental practices

Find your HIPAA gaps. Close them.

The free assessment shows where you stand in about 15 minutes. The Digital Binder turns those gaps into the dated Risk Analysis Report the Office for Civil Rights (OCR) asks for — and keeps it current all year.

Plain EnglishStep-by-stepNo expertise needed
Sample assessment interface showing plain-English HIPAA questions
Questions that pinpoint your HIPAA gaps
Gap report showing section scores and prioritized remediation actions
Section-level gap scores with prioritized actions

Same rules as a hospital. None of the staff.

A small practice answers to the same HIPAA Security Rule as a 4,000-bed hospital — without the compliance officer, security team, or counsel.

When a breach or a patient complaint brings OCR to your door, the first thing they ask for is your risk analysis. CoreFolio keeps yours done, dated, and current.

And the risk analysis is just the start. What defends you is the whole file behind it:

  • Policies and procedures
  • Workforce training records
  • Business Associate Agreements
  • Access, device, and incident logs

The distinction that matters

The work is done. The file just hasn’t kept up.

HIPAA documentation is not a measure of care quality — OCR audits the file, not how you treat patients. Most small practices are already doing the right things; the gap is the documentation that proves it. No one on a 5-person staff was hired to maintain that file, and that’s exactly what CoreFolio is for.

The risk isn’t a random audit.

The federal government does run its own audits — but for any one small practice, that’s not the most likely event. Three ordinary moments each ask for your risk analysis first — a breach, an insurance renewal, a Medicare audit — and “we never did one” is what turns a routine request into a problem.

A breach

A breach brings OCR to your door.

Small practices are frequent targets for ransomware and phishing, and a reported breach triggers a mandatory OCR investigation. The first thing they request is your risk analysis. In April 2025, a small New York radiology practice paid $350,000 after a breach exposed nearly 300,000 patients’ images — OCR found no current risk analysis on file, the cited violation under 45 CFR § 164.308(a)(1)(ii)(A), in one of several settlements under its Risk Analysis Initiative.1

What the Risk Analysis Initiative means for you

Insurance renewal

Your cyber-insurer already asks.

Many cyber-liability carriers now require a current risk analysis to issue or renew your policy — and point to a missing one when they decide whether to pay a claim. Unlike an audit, that request has a date on it: your renewal.

Medicare / MIPS

You may have already attested.

If your practice reports to Medicare under MIPS, you have likely already attested that you completed a Security Risk Analysis (45 CFR § 164.308(a)(1)(ii)(A)). A CMS audit of that attestation with nothing behind it can mean repaying the adjustment — separate from anything OCR does.

The solution: CoreFolio

Step-by-step support

You’re never staring at a blank page.

You go from scattered files to a complete, dated draft of every required document. Your binder shows what’s done, what’s in progress, and what to tackle next, so you always know your next step.

And if you decide to bring in a HIPAA consultant, fractional privacy officer or attorney, you arrive already informed, with a draft in hand. What used to be a months-long engagement becomes a short review.

Digital Binder dashboard showing remediation progress — documents implemented, in progress, and not yet started — with the next actions to take.
Your Digital Binder dashboard — progress and your next actions at a glance.

Inside the Digital Binder

Find the gaps. Close them. Stay current.

The free assessment finds the gaps, defensible and dated. The Digital Binder is the digital home for everything HIPAA requires you to keep — risk analysis, policies, logs, and practice records in one shared, living file your team and collaborators work in together.

1

Risk analysis

§ 164.308(a)(1)(ii)(A)

Annual Risk Analysis Report

A dated, downloadable PDF structured per NIST SP 800-30 — the methodology the U.S. Department of Health and Human Services (HHS) points to. Questions that identify gaps.

2

Gap mitigation

§ 164.308(a)(1)(ii)(B)

Policy templates that close the gaps

Policy templates ready to adopt — dated, defensible, fill-in-and-file. Workforce sanctions, workstation use, incident response, access management, device + media, and more. The Risk Management Plan PDF documents your response.

3

Forward look

90 Fed. Reg. 898

2026 Readiness Gap Report

A side-by-side gap report against the proposed 2026 Security Rule (90 Fed. Reg. 898). Color-coded so you see where you stand at a glance — no surprises when the rule finalizes.

4

Ongoing monitoring

§ 164.308(a)(1)(i)

Documents that stay current

Your required HIPAA documents stay current. When OCR enforcement priorities or federal regulations shift, you see what to review. No manual tracking of HHS announcements required. Your logs and practice details live here too — record entries as they happen, and update a device once to have it flow through every document that names it.

Inside the Risk Management Plan

Three tiers, organized for how you actually work.

This week

Steps your team can address now, without budget approval or outside help.

Vendor conversations

What to ask the vendors who handle your patient data, and what to do with their answers.

Budget decisions

The gaps that require investment, prioritized by regulatory risk level.

Pricing

The Risk Assessment is free. The Digital Binder is one flat price for a single practice. Pro is for consultants and fractional officers who manage 2 or more practices.

Risk Assessment

Free, no account

$0
  • Every section of the 8-section assessment (about 15 minutes)
  • Risk score with critical gaps flagged
  • Plain-English questions
  • Optional email summary
  • Your answers stay in your browser unless you choose to create an account
  • CoreFolio Brief — free weekly federal HIPAA update
Start the free assessment

Practice

Your dated, defensible risk-management file

$99/month

or $990/year (save $198)

Founding rate: $49/month or $490/year — locked for life with continuous subscription. Available to the first 100 customers.

  • Two dated PDFs the Office for Civil Rights (OCR) cites in every Risk Analysis Initiative settlement
  • 50+ required HIPAA documents, auto-tailored to your practice
  • A clear action plan — what to fix, in priority order
  • We keep your binder current — you're alerted only when you need to act
  • Workforce training included — unlimited seats, no per-seat fees
  • BAA management and e-signature
  • Share with up to 2 collaborators — read-only or editor access
  • Update a device, workforce, or vendor once — it flows to every document
  • One flat price for your whole practice — cancel anytime
Lock in founding rate

Pro

For HIPAA consultants managing 2+ practices

Founding rate

$59/ practice / month

Founding rate: a flat $59 per practice per month — every practice, no volume tiers. Locked for life with continuous subscription, for the first 10 Pro customers.

  • Everything in the Digital Binder, for every practice you manage
  • One dashboard for all your client practices
  • Move between practices without separate logins
  • Each practice keeps its own dated, defensible risk-management file
  • Give each client read access to their own binder
  • Full activity trail — every action shows who took it, you or the practice
  • After the founding cohort, standard volume pricing applies: from $79 per practice (2–5 clients) down to $59 (21+)
  • Consolidated billing — one invoice for your whole book
Talk to our team

What else is out there.

  • The free government tool is a Windows or Excel desktop app that covers one document — a risk analysis — and hands you a PDF you still have to interpret yourself.
  • A HIPAA consultant can run the whole engagement for you — typically $5,000 to $25,000 over several weeks — a strong fit for complex environments or a post-incident review.

Built for a small practice, not a hospital IT department.

How CoreFolio HIPAA compares to the alternatives most small practices currently consider. The free HHS SRA Tool helps with one document — a risk analysis; the Digital Binder keeps that current alongside the 50+ documents HIPAA requires.

Time to complete

Free HHS SRA Tool
Hours to days, alone
Typical consultant
4–8 weeks
Typical HIPAA software
Hours, form-style
CoreFolio HIPAA
15 minutes to mitigate key gaps — close the rest at your pace

Complete HIPAA document set

Free HHS SRA Tool
Risk analysis only
Typical consultant
Yes, by engagement
Typical HIPAA software
Generic template library
CoreFolio HIPAA
All 50+, auto-tailored to your practice

Exact documents OCR names

Free HHS SRA Tool
Combined Detailed Report PDF
Typical consultant
Yes
Typical HIPAA software
Generic SRA report
CoreFolio HIPAA
Annual Risk Analysis Report + Risk Management Plan

Vendor-specific action plan

Free HHS SRA Tool
No
Typical consultant
Sometimes
Typical HIPAA software
No
CoreFolio HIPAA
Yes

Current between assessments

Free HHS SRA Tool
No
Typical consultant
Requires new engagement
Typical HIPAA software
No — static templates
CoreFolio HIPAA
Yes — stays current as federal HIPAA rules and your practice change

Workforce training

Free HHS SRA Tool
No
Typical consultant
Separate engagement
Typical HIPAA software
Generic modules, extra cost
CoreFolio HIPAA
Included

Proposed 2026 Security Rule alignment

Free HHS SRA Tool
Not yet
Typical consultant
Varies
Typical HIPAA software
Announced, not confirmed
CoreFolio HIPAA
Yes — cited to NPRM

Cost

Free HHS SRA Tool
Free
Typical consultant
$5,000–$25,000+
Typical HIPAA software
$1,200+/year
CoreFolio HIPAA
$99/month or $990/year — workforce training included

Sources: HHS / ONC Security Risk Assessment Tool v3.6.1 User Guide; consultant ranges from public engagement scopes for practices with 1–25 employees; typical HIPAA software column reflects publicly advertised pricing and feature claims from HIPAA compliance software vendors. CoreFolio HIPAA column reflects the Digital Binder; the proposed 2026 Security Rule references the 2024 NPRM (90 Fed. Reg. 898). Last verified 2026-07-03.

We never tell you you’re “HIPAA compliant.”

We can’t, and neither can anyone else. Compliance is a determination only HHS’s Office for Civil Rights makes, usually in response to an investigation. What we can do is give you a structured, dated, defensible answer to the question “have you assessed your risks this year, and do you have a plan?” That answer is what holds up.

CoreFolio HIPAA is self-assessment software. It is not legal advice, an HHS audit, or a certification. Your free assessment runs entirely in your browser — your answers stay on your device until you choose to save or export. The Digital Binder is yours: account-backed, encrypted at rest, recoverable across devices and after a browser cache clear. If anything in your assessment is ambiguous, we say so — and we recommend you review it with your privacy officer or counsel.

We also publish the CoreFolio Brief— a free weekly federal HIPAA update written from primary sources (Federal Register, CFR, OCR press releases). It’s how we keep our own assessment current, and it’s how you can keep tabs on the rule without having to read it yourself. Subscribe in the footer.

Start with the requirements

Understand what HIPAA actually asks of you.

Plain-English explainers of the rules small practices run into most often.

Questions we hear a lot.

A risk analysis is just one element OCR looks at. Doing one is mandatory under 45 CFR § 164.308(a)(1)(ii)(A), and not doing one is the most common finding in OCR settlements. Our output gives you the documentation OCR expects to see, but you also need to actually act on the gaps it identifies. The Digital Binder gives you three ways to do that: a remediation checklist prioritized by risk level, policy templates ready to adopt the day the assessment finds a gap, and integrated workforce training so your team operates to the standard the policies set.
The HHS SRA Tool helps you produce a single document — a risk analysis — as a Windows or Excel desktop tool. That risk analysis is just one of the 50+ documents in the CoreFolio Digital Binder. Our free assessment covers the same ground, but web-based, mobile-friendly, written in plain English, and aligned with the proposed 2026 rule changes — and it produces a remediation plan you can actually use on Monday morning. The Digital Binder then adds the policies, logs, and records that surround that risk analysis and keep it current.
You can cancel any time from the link in your receipt email. No setup fees, no exit penalties. Your downloaded reports are yours to keep.
No. We never see and never store ePHI.The assessment asks questions about your practice’s compliance posture — not about patients. Your answers stay in your browser and your reports are saved directly to your device.
OCR’s question isn’t “did you do a risk analysis?” — it’s “do you have a current one?” A one-time PDF is defensible the day you download it and stale the day after. The Digital Binder is the shared workspace where it stays current: adopt policies as the assessment finds gaps, record your logs as events happen, and update a device or vendor once to have it flow through every document. When the rules move, changes are queued for your approval — and your team and collaborators work in the same live file, not a folder of stale PDFs.
Right now, we do the HIPAA Security Rule risk analysis and 2026 readiness gap. CoreFolio is built to expand — OSHA, training, state privacy laws (including California’s Data Exchange Framework and CMIA), AI policy — but we’re starting where the urgency is sharpest.

Start your Digital Binder today.

The free 15-minute Risk Assessment finds the gaps. The Digital Binder ($99/month or $990/year) closes them with policy templates ready to adopt — and stays current as the rule moves.

Sources

  1. 1. Notice of Proposed Rulemaking, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025). Status as of today: NPRM, comment period closed March 7, 2025. Final rule timing is not guaranteed; OCR continues to actively enforce the existing 2013 Security Rule regardless.
  2. 2. U.S. Department of Health and Human Services, Office for Civil Rights, HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with Northeast Radiology (Apr. 10, 2025), available at hhs.gov/press-room. OCR’s investigation followed a breach report Northeast Radiology filed in March 2020 concerning unauthorized access to ePHI on its PACS server (April 2019–January 2020) affecting 298,532 individuals. OCR cited failure to conduct an accurate and thorough risk analysis under 45 CFR § 164.308(a)(1)(ii)(A); the sixth settlement under OCR’s Risk Analysis Initiative.