Skip to main content
CoreFolioHIPAA

For business associates

A signed BAA is just the tip of the iceberg.

Most business associates handle patient data carefully. The compliance file — the written record that proves it — is the part that tends to fall behind. CoreFolio is building a product to help you close that gap.

OCR is now bringing enforcement actions directly against business associates

Since 2013, business associates have been directly liable for HIPAA Security Rule compliance under the Omnibus Rule (42 U.S.C. § 17931). A signed BAA documents your relationship with a covered entity — but it is not a substitute for your own risk analysis, written policies, and workforce training.

OCR’s Risk Analysis Initiative, active through 2026, has produced enforcement actions against business associates independently — without going through the covered entity client. Recent settlements include an accounting firm, a cloud hosting provider, an ambulance-billing company, and a third-party plan administrator, several of which never treated a patient. If OCR investigates a breach, the question is whether your organization can show it identified and addressed its own security risks under 45 CFR § 164.308(a)(1)(ii)(A). The signed BAA does not answer that question. A dated risk analysis and a written remediation plan do.

Read: HIPAA fines against business associates — the OCR enforcement record

Join the business-associate beta

We are opening the product to a small first cohort — billing companies, MSPs, and health-tech vendors who want to build their HIPAA compliance file and help shape what ships. Beta participants get full product access at no cost during the beta period.

What you get

  • Full product access during the beta, at no cost
  • A direct line to the founder for questions and feedback
  • First notification when the product opens publicly

What we ask

  • Complete your risk analysis within 30 days of access
  • One short conversation about what worked and what didn’t

We will review applications and follow up within a few business days. We are keeping the first cohort small — a few dozen organizations. We don’t share your address with anyone.

What it produces

A guided risk analysis adapted for business associates — scoped to the services you provide, the systems you run, and the covered entity relationships you maintain. At the end you have a dated Risk Analysis Report, a Risk Management Plan, and a set of written Security Rule policies: the foundational file you can keep current yourself and hand to a consultant or your counsel when you want expert eyes on it.

A compliance consultant can run the full engagement for you — a strong fit for complex environments or post-incident reviews. CoreFolio is the self-service path for organizations that want to build the foundational file in-house first.