CoreFolioHIPAA

Pricing

Simple, transparent pricing

Free to start. One flat price for a single practice. Per-practice pricing for consultants. No surprises.

The Risk Assessment is free. The Digital Binder is one flat price for a single practice. Pro is for consultants and fractional officers who manage multiple practices.

Risk Assessment

Free, no account

$0
  • Every section of the 8-section assessment (about 60 minutes)
  • Risk score with critical gaps flagged
  • Plain-English questions, defensible and dated
  • Optional email summary
  • Your answers stay in your browser unless you choose to create an account
  • CoreFolio Brief — free weekly federal HIPAA update

Practice

Your dated, defensible risk-management file

$99/month

or $990/year (save $198)

Founding rate: $49/month or $490/year — locked for life with continuous subscription. Available to the first 100 customers.

  • Two dated PDFs OCR cites in every Risk Analysis Initiative settlement
  • 45+ required HIPAA documents, auto-tailored to your practice
  • We keep your binder current — you’re alerted only when you need to act
  • A clear action plan — what to fix, in priority order
  • Workforce training included — unlimited seats, no per-seat fees
  • Share with up to 2 collaborators — read-only or editor access
  • Update a device, system, or vendor once — it flows to every document
  • One flat price for your whole practice — cancel anytime

Pro

For HIPAA consultants managing multiple practices

as low as

$59 / practice / month
  • Everything in the Digital Binder, for every practice you manage
  • One dashboard for all your client practices
  • Move between practices without separate logins
  • Each practice keeps its own dated, defensible risk-management file
  • Give each client read access to their own binder
  • Full activity trail — every action shows who took it, you or the practice
  • Volume pricing: from $79 per practice (1–5 clients) down to $59 (21+)
  • Consolidated billing — one invoice for your whole book

Questions we hear a lot.

A risk analysis is just one element OCR looks at. Doing one is mandatory under 45 CFR § 164.308(a)(1)(ii)(A), and not doing one is the most common finding in OCR settlements. Our output gives you the documentation OCR expects to see, but you also need to actually act on the gaps it identifies. The Digital Binder gives you three ways to do that: a remediation checklist prioritized by risk level, policy templates ready to adopt the day the assessment finds a gap, and integrated workforce training so your team operates to the standard the policies set.
The HHS tool is a Windows-only desktop application from 2018, updated incrementally. It produces a static report. We’re web-based, mobile-friendly, written in plain English, aligned with the proposed 2026 rule changes, and we produce a remediation plan you can actually use on Monday morning.
For a small practice (≤25 employees) doing the assessment for the first time, with the practice owner or office manager who knows the basics about how the practice operates: yes. If you need to track down information from vendors or IT, you can save and resume — we keep your progress in your browser.
You can cancel any time from the link in your receipt email. No setup fees, no exit penalties. Your downloaded reports are yours to keep.
No. We never see and never store ePHI. The assessment asks questions about your practice’s compliance posture — not about patients. Your answers stay in your browser and your reports are saved directly to your device.
OCR’s question isn’t “did you do a risk analysis?” — it’s “do you have a current one?” A one-time PDF is defensible the day you download it and stale the day after. The Digital Binder is the shared workspace where it stays current: adopt policies as the assessment finds gaps, record your logs as events happen, and update a device or vendor once to have it flow through every document. When the rules move, changes are queued for your approval — and your team and collaborators work in the same live file, not a folder of stale PDFs.
Right now, we do the HIPAA Security Rule risk analysis and 2026 readiness gap. CoreFolio is built to expand — OSHA, training, state privacy laws (including California’s Data Exchange Framework and CMIA), AI policy — but we’re starting where the urgency is sharpest.