Disclaimer

CoreFolio is self-assessment software. Nothing on this site or in any report generated by CoreFolio constitutes legal advice. No attorney-client relationship is formed by your use of this service. If your practice faces an OCR investigation, a breach notification obligation, or any other legal matter, retain qualified healthcare counsel. Do not rely solely on CoreFolio output in those situations.

CoreFolio is not affiliated with the U.S. Department of Health and Human Services (HHS), its Office for Civil Rights (OCR), or any government agency. Using CoreFolio does not constitute an HHS audit, a Safe Harbor election, or any other official determination. A finding that your practice “appears to meet” or “likely meets” a requirement is a readiness indicator based on your self-reported answers — it is not OCR’s conclusion.

The phrase “HIPAA compliant” has no official legal status. HHS does not certify practices as compliant. A determination of compliance or non-compliance is made by OCR, and only in the context of an investigation or audit. CoreFolio will never tell you that you are “HIPAA compliant” — not because we don’t want to, but because the statement is legally meaningless and could create false confidence.

What we say instead: your risk analysis indicates a gap, appears to meet the requirement, or likely meets the requirement based on your answers. Every assessment finding maps to a specific provision of 45 CFR Part 164 so you can verify our reasoning against the actual rule text.

CoreFolio produces output based entirely on the answers you enter. We do not verify your answers against your actual systems, policies, or practices. A gap report that shows “no gaps” for multi-factor authentication means only that you answered “yes” to that question — not that MFA is correctly implemented across every system that touches ePHI. The quality of your output depends on the honesty and accuracy of your input.

HIPAA is a live regulatory area. OCR guidance, settlement precedents, and proposed rules change. CoreFolio reflects our current understanding of the 2013 Security Rule and the proposed 2026 amendments (90 Fed. Reg. 898, NPRM comment period closed March 7, 2025). We update our question bank and scoring when the rule changes, but there may be a lag between a regulatory development and its reflection in our content. We cite the CFR provision alongside every assessment question so you can check current rule text directly.

References to specific EHR vendors, billing software, or other technology partners in CoreFolio output are based on publicly available information verified as of the date shown. Vendor contact paths, BAA processes, and support portals change; always confirm current procedures directly with the vendor before acting on our reference information.

Per our internal compliance standards, this disclaimer — or a condensed version of it — appears in four places:

• The footer of every page on corefolio.ai
• The top of every results and report page
• Inside every exported PDF
• Before any paid upgrade call to action

If you find a surface where this disclaimer is missing, please let us know.