OCR is investigating small practices that haven’t completed a current HIPAA risk analysis, and the proposed 2026 Security Rule would make an annual one mandatory for everyone. CoreFolio uses AI to guide you through yours in about 60 minutes and produces the dated PDF OCR expects to see.
AI-guided questions · Cited to the exact CFR provision · Adapts to your practice type
For our first cohort of small US healthcare practices.
Why this is suddenly urgent.
Two regulatory shifts that small practices keep missing — and that auditors and OCR keep finding.
April 2025 · OCR settlement
$350,000 for one missing document.
A New York radiology practice paid OCR $350,000 in April 2025. The investigation began with a breach report, but the settlement was for failing to conduct an accurate and thorough risk analysis. It was the sixth settlement under OCR’s Risk Analysis Initiative, and the pattern is consistent: the breach gets OCR’s attention, and the finding that costs money is the missing or outdated risk analysis.2
The proposed 2026 Security Rule update would require every covered entity and business associate to complete a written risk analysis at least every 12 months, and it would drop the “addressable” category that lets other safeguards be argued away. Risk analysis itself has been a required specification since the Security Rule took effect; the 2026 update removes the wiggle room on how often and how thoroughly.1
And most small practices don’t have a HIPAA team.
You run a small practice. You know HIPAA matters. You also know:
The free government tool is a Windows-only desktop app that produces a PDF you have to interpret yourself.
The next-cheapest option is a HIPAA consultant who’ll bill $5,000 to $25,000 and take six weeks — for what is now an annual ritual.
And a binder from 2018 doesn’t count. OCR asks for a current risk analysis; in practice that means one dated within the past 12 months.
You don’t need a $15K consultant. You need a clear, dated, defensible answer to “have we done our risk analysis this year?”
HIPAA’s Security Rule is roughly 15,000 words of Federal Register text, and the proposed 2026 update adds more. CoreFolio uses AI to read it for you: translating each requirement into a plain-English question, citing the exact 45 CFR provision it maps to, and adapting the flow to your practice type, EHR, and hosting setup. The output is yours, signed, dated, and traceable to the rule.
One assessment. Three dated documents. A real plan for Monday morning.
About 60 minutes of focused work produces the two artifacts OCR enforces against — plus a forward look at the proposed 2026 Security Rule. Each is dated, signable, and yours to file.
1 — The assessment under § 164.308(a)(1)(ii)(A)
Risk Analysis Report
A dated, downloadable PDF structured per NIST SP 800-30 — the methodology HHS points to. Maps to 45 CFR § 164.308(a)(1)(ii)(A), the exact provision OCR cites in every Risk Analysis Initiative settlement.
2 — The response under § 164.308(a)(1)(ii)(B)
Risk Management Plan
The matching artifact OCR enforces alongside the analysis — a documented response to each identified risk. The user-facing surface is a 3-tier action plan (this week, vendor conversations, budget). EHR-specific scripts attach as annexes.
3 — A forward look at the 2026 rule
2026 Readiness Gap Report
A side-by-side gap report against the proposed 2026 Security Rule (90 Fed. Reg. 898). Color-coded: likely meets, partial, gap — so you are not surprised when the rule finalizes.
Inside the Risk Management Plan
Three tiers, organized for how you actually work.
This week
Things you can do today: turn on MFA for email, update your Notice of Privacy Practices, replace shared logins with individual accounts so every action is traceable to one person.
Vendor conversations
Scripted questions for your EHR rep, IT provider, cloud host. Email templates included as annexes.
Budget decisions
The items that need real money — network segmentation, pen testing, backup infrastructure — and when.
Built for a small practice, not a hospital IT department.
How HIPAA CoreFolio compares to the alternatives most small practices currently consider.
Each row compares, in order: Free HHS SRA Tool / Typical consultant / HIPAA CoreFolio.
Cost: Free / $5,000–$25,000+ / $49/month or $499/year
Time to complete: Days, alone / 4–8 weeks / About 60 minutes
Works on your phone: Windows only / n/a / Yes
Plain-English questions: Partial / Yes, in person / Yes
2026 Security Rule alignment: Not updated / Varies / Yes
Vendor-specific action plan: No / Sometimes / Yes
Dated, downloadable artifact: Print-style / Yes / Yes
Year-over-year history: No / No / Yes
One price. Everything in.
Flat tiers. No setup fees. No per-seat creep. Cancel any time in one click.
Free preview: $0, no card required. Includes 2 of 7 sections (Practice Profile + ePHI Asset Inventory).
We can’t certify you as HIPAA-compliant, and neither can anyone else. Compliance is a determination only HHS’s Office for Civil Rights makes, usually in response to an investigation. What we can do is give you a structured, dated, defensible answer to the question “have you assessed your risks this year, and do you have a plan?” That answer is what holds up.
HIPAA CoreFolio is self-assessment software. It is not legal advice, an HHS audit, or a certification. Your answers never leave your browser unless you choose to save them. Your reports are generated client-side and downloaded directly to you. If anything in your assessment is ambiguous, we say so — and we recommend you review it with your privacy officer or counsel.
We also publish the CoreFolio Brief — a free weekly federal HIPAA update written from primary sources (Federal Register, CFR, OCR press releases). It’s how we keep our own assessment current, and it’s how you can keep tabs on the rule without having to read it yourself. Subscribe in the footer.
Questions we hear a lot.
Is this enough to pass an OCR audit?
A risk analysis is just one element OCR looks at. Doing one is mandatory under 45 CFR § 164.308(a)(1)(ii)(A), and not doing one is the most common finding in OCR settlements. Our output gives you the documentation OCR expects to see, but you also need to act on the gaps it identifies. The Risk Management Plan’s three-tier action list is how we help you do that.
How is this different from the free HHS SRA Tool?
The HHS tool is a Windows-only desktop application first released in 2018 and updated incrementally since. It produces a static report. We’re web-based, mobile-friendly, written in plain English, aligned with the proposed 2026 rule changes, and we produce a remediation plan you can act on Monday morning.
Is “60 minutes” really realistic?
For a small practice (≤25 employees) doing the assessment for the first time, with the practice owner or office manager who knows the basics about how the practice operates: yes. If you need to track down information from vendors or IT, you can save and resume — we keep your progress in your browser.
What happens if I cancel?
You can cancel any time from the link in your receipt email. No setup fees, no exit penalties. Your downloaded reports are yours to keep.
Do you store our patient data (ePHI)?
No. We never see and never store ePHI. The assessment asks questions about your practice’s compliance posture — not about patients. Your answers stay in your browser and your reports generate locally.
Why subscription, not one-time?
Because the proposed 2026 Security Rule would require a risk analysis at least every 12 months, and OCR’s existing enforcement already expects a current one. A risk analysis is not a one-time event. Subscription gets you year-over-year history, fresh remediation plans as the rule evolves, and a current dated artifact whenever you need one.
Do you do other compliance areas?
Right now, we do the HIPAA Security Rule risk analysis and 2026 readiness gap. CoreFolio is built to expand — OSHA, training, state privacy laws (including California’s Data Exchange Framework and CMIA), AI policy — but we’re starting where the urgency is sharpest.
Be among the first practices to use it.
We’re opening CoreFolio to a first cohort of small US healthcare practices — no credit card, no sales call.
1. Notice of Proposed Rulemaking, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025). Status at time of writing: NPRM, comment period closed March 7, 2025. Final rule timing is not guaranteed; OCR continues to actively enforce the existing Security Rule regardless.
2. U.S. Department of Health and Human Services, Office for Civil Rights, settlement with Northeast Radiology, P.C., April 2025 — the sixth settlement under OCR’s Risk Analysis Initiative. The pattern of recent enforcement consistently cites failure to conduct an accurate and thorough risk analysis under 45 CFR § 164.308(a)(1)(ii)(A).