CoreFolio HIPAA

When OCR investigates a small practice, the first thing they ask for is the risk analysis.

Find your HIPAA gaps. Close them.

OCR’s Risk Analysis Initiative has reached 16 settlements with small practices, ranging from $5,000 to $375,000 — every one involving a missing or inadequate risk analysis. The $99/month Digital Binder holds both required documents, dated and current — a Risk Analysis Report and a Risk Management Plan — plus the policies that close the gaps and the rest of your federal HIPAA documentation, kept current as your practice changes and the rule moves. Start free with the 60-minute Risk Assessment.

Plain English · Step-by-step · No expertise needed
Sample assessment interface showing plain-English HIPAA questions
Questions that pinpoint your HIPAA gaps
Gap report showing section scores and prioritized remediation actions
Section-level gap scores with prioritized actions

The problem

Most small practices are doing the right things — locking workstations, training staff, vetting vendors. What they don’t have is the file that shows they’re doing them. The federal HIPAA rules require a practice to maintain 50+ distinct documents — policies, procedures, logs, forms, and vendor templates — each retained for six years and kept current as the practice changes. A documentation gap isn’t a care gap. But OCR doesn’t audit care quality. They audit the file. When something brings OCR to a practice’s door — a ransomware report, a vendor breach, a patient records complaint — the first thing they ask for is a current risk analysis. Under its Risk Analysis Initiative, OCR is now settling six figures with small practices that can’t produce one.

The answer

Start with the free Risk Assessment — about 60 minutes to find the gaps in your federal HIPAA documentation. For $99/month, the Digital Binder gives you the two documents HIPAA requires — a dated Risk Analysis Report and a Risk Management Plan — alongside policy templates and a file kept current as your practice changes and the rule moves.

The distinction that matters

The work is done. The file just hasn’t kept up.

HIPAA documentation is not a measure of care quality — OCR audits the file, not how you treat patients. Most small practices are already doing the right things; the gap is the documentation that proves it. No one on a 5-person staff was hired to maintain that file, and that’s exactly what CoreFolio is for.

Why this is suddenly urgent.

Two regulatory shifts that small practices keep missing — and that auditors and OCR keep finding.

April 2025 · OCR settlement

$350,000 — and the missing document drove the price.

In April 2025, a small New York radiology practice paid OCR $350,000 after reporting a 2020 hacking incident on its PACS server that exposed nearly 300,000 patients’ images. OCR’s investigation found no accurate, current risk analysis on file — the cited violation under 45 CFR § 164.308(a)(1)(ii)(A). It was the sixth settlement under OCR’s Risk Analysis Initiative, and the pattern is consistent: when an incident brings OCR in, the missing risk analysis is what drives the settlement amount. [1]

What the Risk Analysis Initiative means for you

2026 rule update · annual cadence

HIPAA isn’t a one-time event anymore.

The proposed 2026 Security Rule update would require every covered entity to complete a documented risk analysis every 12 months — no more “addressable” loopholes. The 2013 rule already requires one; the 2026 update just removes the wiggle room. [2]

The CoreFolio answer

Your Digital Binder — dated, defensible, current.

The free Risk Assessment finds your gaps — about 60 minutes, defensible and dated. The Digital Binder ($99/month) is your durable file: required documents that stay current as the rule moves, review reminders when things change, and action plans so you know exactly what to fix. You also get the digital logs and reports that document your required HIPAA activities all year long.

The solution: CoreFolio

Step-by-step support

You’re never staring at a blank page.

You go from scattered files to a complete, dated draft of every required document. Your binder shows what’s done, what’s in progress, and what to tackle next, so you always know your next step.

And if you bring in a privacy officer or attorney, you arrive already informed, with a draft in hand. What used to be a months-long engagement becomes a short review.

Digital Binder dashboard showing remediation progress — documents implemented, in progress, and not yet started — with the next actions to take.
Your Digital Binder dashboard — progress and your next actions at a glance.

Inside the Digital Binder

Find the gaps. Close them. Stay current.

The free assessment finds the gaps, defensible and dated. The Digital Binder is the digital home for everything HIPAA requires you to keep — risk analysis, policies, logs, and practice records in one shared, living file your team and collaborators work in together.

1. Risk analysis — § 164.308(a)(1)(ii)(A) — Risk Analysis Report

A dated, downloadable PDF structured per NIST SP 800-30 — the methodology HHS points to. Questions that identify gaps.

2. Gap mitigation — § 164.308(a)(1)(ii)(B) — Policy templates that close the gaps

Policy templates ready to adopt — dated, defensible, fill-in-and-file. Workforce sanctions, workstation use, incident response, access management, device + media, and more. The Risk Management Plan PDF documents your response.

3. Forward look — 90 Fed. Reg. 898 — 2026 Readiness Gap Report

A side-by-side gap report against the proposed 2026 Security Rule (90 Fed. Reg. 898). Color-coded so you see where you stand at a glance — no surprises when the rule finalizes.

4. Ongoing monitoring — § 164.308(a)(1)(i) — Documents that stay current

Your required HIPAA documents stay current. When OCR enforcement priorities or federal regulations shift, you see what to review. No manual tracking of HHS announcements required. Your logs and practice details live here too — record entries as they happen, and update a device once to have it flow through every document that names it.

Inside the Risk Management Plan

Three tiers, organized for how you actually work.

This week

Steps your team can address now, without budget approval or outside help.

Vendor conversations

What to ask the vendors who handle your patient data, and what to do with their answers.

Budget decisions

The gaps that require investment, prioritized by regulatory risk level.

Pricing

The Risk Assessment is free. The Digital Binder is one flat price for a single practice. Pro is for consultants and fractional officers who manage 2 or more practices.

Risk Assessment

Free, no account

$0
  • Every section of the 8-section assessment (about 60 minutes)
  • Risk score with critical gaps flagged
  • Plain-English questions, defensible and dated
  • Optional email summary
  • Your answers stay in your browser unless you choose to create an account
  • CoreFolio Brief — free weekly federal HIPAA update
Start the assessment

Practice

Your dated, defensible risk-management file

$99/month

or $990/year (save $198)

Founding rate: $49/month or $490/year — locked for life with continuous subscription. Available to the first 100 customers.

  • Two dated PDFs OCR cites in every Risk Analysis Initiative settlement
  • 50+ required HIPAA documents, auto-tailored to your practice
  • A clear action plan — what to fix, in priority order
  • We keep your binder current — you're alerted only when you need to act
  • Workforce training included — unlimited seats, no per-seat fees
  • BAA management and e-signature
  • Share with up to 2 collaborators — read-only or editor access
  • Update a device, system, or vendor once — it flows to every document
  • One flat price for your whole practice — cancel anytime
Lock in founding rate

Pro

For HIPAA consultants managing 2+ practices

Founding rate

$59 / practice / month

Founding rate: a flat $59 per practice per month — every practice, no volume tiers. Locked for life with continuous subscription, for the first 10 Pro customers.

  • Everything in the Digital Binder, for every practice you manage
  • One dashboard for all your client practices
  • Move between practices without separate logins
  • Each practice keeps its own dated, defensible risk-management file
  • Give each client read access to their own binder
  • Full activity trail — every action shows who took it, you or the practice
  • After the founding cohort, standard volume pricing applies: from $79 per practice (2–5 clients) down to $59 (21+)
  • Consolidated billing — one invoice for your whole book
Talk to our team

Built for a small practice, not a hospital IT department.

How CoreFolio HIPAA compares to the alternatives most small practices currently consider. The free HHS SRA Tool helps with one document — a risk analysis; the Digital Binder keeps that current alongside the 50+ documents HIPAA requires.

| Feature | Free HHS SRA Tool | Typical consultant | Typical HIPAA software | CoreFolio HIPAA |
|---|---|---|---|---|
| Time to complete | Hours to days, alone | 4–8 weeks | Hours, form-style | 60 minutes to mitigate key gaps — close the rest at your pace |
| Complete HIPAA document set | Risk analysis only | Yes, by engagement | Generic template library | All 50+, auto-tailored to your practice |
| Exact documents OCR names | Combined Detailed Report PDF | Yes | Generic SRA report | Risk Analysis Report + Risk Management Plan |
| Vendor-specific action plan | No | Sometimes | No | Yes |
| Current between assessments | No | Requires new engagement | No — static templates | Yes — stays current as federal HIPAA rules and your practice change |
| Workforce training | No | Separate engagement | Generic modules, extra cost | Included |
| Proposed 2026 Security Rule alignment | Not yet | Varies | Announced, not confirmed | Yes — cited to NPRM |
| Cost | Free | $5,000–$25,000+ | $499+/year, add-ons separate | $99/month or $990/year — workforce training included |

Sources: HHS / ONC Security Risk Assessment Tool v3.6.1 User Guide; consultant ranges from public engagement scopes for practices with 1–25 employees; typical HIPAA software column reflects May 2026 public pricing and feature claims from Medcurity, Accountable HQ, and HIPAA One. CoreFolio HIPAA column reflects the Digital Binder; the proposed 2026 Security Rule references the 2024 NPRM (90 Fed. Reg. 898). Last verified 2026-06-10.

We never tell you you’re “HIPAA compliant.”

We can’t, and neither can anyone else. Compliance is a determination only HHS’s Office for Civil Rights makes, usually in response to an investigation. What we can do is give you a structured, dated, defensible answer to the question “have you assessed your risks this year, and do you have a plan?” That answer is what holds up.

CoreFolio HIPAA is self-assessment software. It is not legal advice, an HHS audit, or a certification. Your free assessment runs entirely in your browser — your answers stay on your device until you choose to save or export. The Digital Binder is yours: account-backed, encrypted at rest, recoverable across devices and after a browser cache clear. If anything in your assessment is ambiguous, we say so — and we recommend you review it with your privacy officer or counsel.

We also publish the CoreFolio Brief — a free weekly federal HIPAA update written from primary sources (Federal Register, CFR, OCR press releases). It’s how we keep our own assessment current, and it’s how you can keep tabs on the rule without having to read it yourself. Subscribe in the footer.

Questions we hear a lot.

A risk analysis is just one element OCR looks at. Doing one is mandatory under 45 CFR § 164.308(a)(1)(ii)(A), and not doing one is the most common finding in OCR settlements. Our output gives you the documentation OCR expects to see, but you also need to actually act on the gaps it identifies. The Digital Binder gives you three ways to do that: a remediation checklist prioritized by risk level, policy templates ready to adopt the day the assessment finds a gap, and integrated workforce training so your team operates to the standard the policies set.

The HHS SRA Tool helps you produce a single document — a risk analysis — as a Windows or Excel desktop tool. That risk analysis is just one of the 50+ documents in the CoreFolio Digital Binder. Our free assessment covers the same ground, but web-based, mobile-friendly, written in plain English, and aligned with the proposed 2026 rule changes — and it produces a remediation plan you can actually use on Monday morning. The Digital Binder then adds the policies, logs, and records that surround that risk analysis and keep it current.

For a small practice (≤25 employees) doing the assessment for the first time, with the practice owner or office manager who knows the basics about how the practice operates: yes. If you need to track down information from vendors or IT, you can save and resume — we keep your progress in your browser.

You can cancel any time from the link in your receipt email. No setup fees, no exit penalties. Your downloaded reports are yours to keep.

No. We never see and never store ePHI. The assessment asks questions about your practice’s compliance posture — not about patients. Your answers stay in your browser and your reports are saved directly to your device.

OCR’s question isn’t “did you do a risk analysis?” — it’s “do you have a current one?” A one-time PDF is defensible the day you download it and stale the day after. The Digital Binder is the shared workspace where it stays current: adopt policies as the assessment finds gaps, record your logs as events happen, and update a device or vendor once to have it flow through every document. When the rules move, changes are queued for your approval — and your team and collaborators work in the same live file, not a folder of stale PDFs.

Right now, we do the HIPAA Security Rule risk analysis and 2026 readiness gap. CoreFolio is built to expand — OSHA, training, state privacy laws (including California’s Data Exchange Framework and CMIA), AI policy — but we’re starting where the urgency is sharpest.

Start your Digital Binder today.

The free 60-minute Risk Assessment finds the gaps. The Digital Binder ($99/month or $990/year) closes them with policy templates ready to adopt — and stays current as the rule moves.

Sources

  1. U.S. Department of Health and Human Services, Office for Civil Rights, HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with Northeast Radiology (Apr. 10, 2025), available at hhs.gov/press-room. OCR’s investigation followed a breach report Northeast Radiology filed in March 2020 concerning unauthorized access to ePHI on its PACS server (April 2019–January 2020) affecting 298,532 individuals. OCR cited failure to conduct an accurate and thorough risk analysis under 45 CFR § 164.308(a)(1)(ii)(A); the sixth settlement under OCR’s Risk Analysis Initiative.
  2. Notice of Proposed Rulemaking, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025). Status as of today: NPRM, comment period closed March 7, 2025. Final rule timing is not guaranteed; OCR continues to actively enforce the existing 2013 Security Rule regardless.