HIPAA fines against business associates: the OCR enforcement record
Business associates are directly liable under HIPAA, and OCR fines them directly. Every verified OCR business associate settlement, from 2016 to 2026.
10-minute read
CoreFolio Learn
Plain-English explainers of HIPAA enforcement, the proposed 2026 Security Rule, the California rules that layer on top, and reviews of the tools small practices reach for first. Every claim cites the underlying CFR section, Federal Register entry, or OCR press release.
Enforcement
What OCR is actually investigating right now, and how small practices end up on the wrong end of a settlement.
7 articles
The 2026 rule
Plain-English explainers of the proposed 2026 HIPAA Security Rule and what changes for small practices.
4 articles
How-to
Practical walkthroughs for the work HIPAA actually requires — risk analysis, gap analysis, vendor reviews.
32 articles
California
California-specific rules that layer on top of HIPAA: the Data Exchange Framework, CMIA, and CCPA exemptions.
1 article
Tools
Reviews of the tools small practices reach for first — starting with the free HHS SRA Tool.
5 articles
Standard SMS is not encrypted and has no audit trail. Under the current Security Rule, audit controls (45 CFR § 164.312(b)) are a required standard and transmission encryption (§ 164.312(e)(2)(ii)) is addressable; the 2026 NPRM would make encryption mandatory. Here is what the Security Rule, Privacy Rule, and 2026 NPRM mean for your messaging workflow.
19-minute read
The 2026 HIPAA penalty tiers from the Federal Register, plus the documented evidence that recognized security practices (the 2021 HITECH amendment, Pub. L. 116-321) can mitigate what OCR imposes.
8-minute read
Any vendor that handles ePHI on your behalf is a business associate requiring a BAA before you transmit patient data. Here is the regulatory basis, which tool categories always need one, and how to find and verify a BAA with any vendor.
7-minute read
How to spot a suspected ransomware attack on your practice, what to do in the first hour, and why HIPAA treats a ransomware event on ePHI as a presumed breach.
8-minute read
HIPAA requires every covered entity to designate a Privacy Official and Security Official. Here is what that means, who typically fills the role in small practices, and when an outside consultant can serve in it.
10-minute read
In most small practices, the office manager is the de facto Privacy and Security Official. Here is what that means — the specific CFR obligations, the annual cycle, and what documentation needs to exist.
10-minute read
Fractional HIPAA consultants and vCISOs serving multiple healthcare clients face a documentation and workflow challenge. Here is the compliance framework they work within and how the work is structured.
11-minute read
HIPAA requires designated Privacy and Security Officials — not a full-time hire. Here is what the role involves, who typically holds it, and what a defensible documentation baseline looks like.
9-minute read
A HIPAA consultant is the right call for some practices. DIY risk analysis works well for others. Here is a factual comparison of what each path provides, costs, and requires to produce a defensible result.
8-minute read
The HIPAA Security Rule has two separate risk requirements with different triggers and different artifacts. Most practices only document one — here is exactly what each requires.
16-minute read
Many small healthcare practices assume they are too small for HIPAA. The law has no size exemption. Here is the two-part test that determines whether you are a covered entity — and what applies if you are.
5-minute read
Administrative safeguards under 45 CFR § 164.308 are the section OCR cites most often in enforcement actions, led by the risk analysis specification at § 164.308(a)(1)(ii)(A). Here is every requirement, what 'addressable' actually means, and what a small practice must have documented.
8-minute read
A HIPAA BAA is not just a signature on a template — 45 CFR § 164.504(e) specifies the exact provisions it must contain. Here is every required element, the common drafting gaps OCR finds, and what to verify before you sign one.
7-minute read
The HIPAA Breach Notification Rule sets mandatory timelines and procedures for notifying patients and regulators after a security incident. Here is every obligation, every deadline, and the four-factor analysis that determines whether you must notify at all.
8-minute read
Home health agencies face HIPAA obligations across a distributed, mobile workforce with unique ePHI exposure points. Here is what the Privacy Rule, Security Rule, and device management requirements mean for an agency with field staff.
6-minute read
Medical billing companies are business associates directly liable under HIPAA since the HITECH Act, as implemented by the 2013 Omnibus Rule. Here is what that means for Security Rule compliance, BAA obligations, subcontractor chains, and breach notification.
6-minute read
Mental health providers face the same HIPAA obligations as any covered entity — plus additional protections for psychotherapy notes and, for substance use disorder providers, a separate regulatory layer under 42 CFR Part 2.
7-minute read
Physical therapy practices are covered entities subject to the full HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Here is what the requirements mean in a PT setting — including EHR selection, telehealth, and the 2026 NPP update deadline.
6-minute read
Your HIPAA classification determines your direct liability, documentation requirements, and whether you need a BAA. Two questions reveal which one you are.
6-minute read
Physical safeguards under 45 CFR § 164.310 govern how your practice controls physical access to ePHI — from workstations and server closets to portable devices and decommissioned hard drives. Here is every standard and what it means in a small-practice setting.
7-minute read
The HIPAA Security Rule requires covered entities to maintain written policies and procedures for every safeguard area. Here is what 45 CFR § 164.316 requires, what each policy must address, and the six-year retention obligation.
7-minute read
HIPAA has no size exemption. A solo practitioner is a covered entity subject to the same Privacy Rule, Security Rule, and Breach Notification Rule as a large health system. Here is what that means in practice, what is scaled to size, and what is not.
7-minute read
The HIPAA Security Rule's technical safeguards govern access, encryption, audit logging, and authentication. The 2026 NPRM proposes significant changes. Here is what is required now and what would change under the proposed rule.
7-minute read
OCR investigations open with a document request. Practices that respond quickly and completely with organized records fare substantially better than those that scramble. Here is what OCR asks for and how to have it ready.
8-minute read
When a HIPAA breach occurs, the 60-day notification clock starts on the day the breach is discovered (45 CFR § 164.404(b)), not on the day you finish investigating it. Here is the complete response sequence, from the first hour of discovery through patient notification, HHS reporting, and documentation.
9-minute read
OCR investigates covered entities through three channels: patient complaints, breach reports, and proactive enforcement initiatives. Here is how each channel works, what OCR does next, and how to reduce your practice's risk profile.
7-minute read
Not every vendor needs a BAA. Not every relationship that feels like it should requires one. Here is the legal test, the categories that consistently require BAAs, the common exceptions, and what happens if you skip one.
6-minute read
How to create an accurate ePHI inventory for your HIPAA risk analysis. What to include, where ePHI hides, and why missing systems is the most common OCR finding.
9-minute read
Review of free HIPAA risk assessment options: what the HHS SRA Tool does well, where it falls short, and what free tools cannot provide.
8-minute read
Behavioral health-specific risk analysis considerations: therapy notes, telehealth, session recordings, 42 CFR Part 2, and the unique privacy threats mental health practices face.
9-minute read
A comprehensive checklist of what OCR investigators look for in a HIPAA risk analysis. Use this to review your documentation before it matters.
8-minute read
What a HIPAA risk analysis actually costs: from free DIY to consultant engagements. Comparison of time, money, and risk for each approach.
8-minute read
Dental-specific considerations for HIPAA risk analysis: imaging systems, practice software, patient communication tools, and the unique threats dental practices face.
8-minute read
What a defensible HIPAA risk analysis template needs to include, how to structure it for OCR review, and why most free templates fail the accuracy requirement.
8-minute read
OCR treats risk analyses older than 12 months as presumptively stale. Here's when to update, what triggers immediate review, and how to document the cycle.
7-minute read
The difference between a HIPAA risk analysis and a gap analysis, which the Security Rule requires, and when you need both.
6-minute read
The Security Rule requires every covered entity to conduct an accurate, thorough risk analysis. Here is what that actually means, what it has to contain, and how to do it yourself — or prepare for a focused consultant review.
6-minute read
When OCR investigates a small practice — after a breach report, a ransomware attack, a vendor incident, or a patient complaint — the first thing they ask for is the risk analysis. Here is what changed in late 2024, what the rule actually requires, and what a defensible answer looks like.
17-minute read
HHS's Office for Civil Rights has now settled with dozens of practices for risk analysis failures. The pattern in their investigation letters and resolution agreements tells you exactly what they are looking for.
5-minute read
First major Security Rule update since 2013 proposes MFA, encryption, and annual risk analysis. Seven changes every small practice should act on now.
6-minute read
The risk analysis gets all the attention, but OCR requires the risk management plan too. Here is what it needs to contain, how it relates to the risk analysis, and what a defensible plan looks like.
5-minute read
The free HHS Security Risk Assessment Tool is the most common starting point for small practices doing their first HIPAA risk analysis. What it does well, where it falls short, and whether it produces a defensible analysis.
5-minute read
A business associate agreement (BAA) is required whenever a vendor handles your patient data. Here is who qualifies as a business associate, what the agreement must contain, and what happens when you skip it.
5-minute read
Solo and small dental practices face specific HIPAA compliance challenges — legacy imaging software, shared workstations, and minimal IT support. Here is what the proposed 2026 rule changes for you.
5-minute read
More than 100 OCR resolution agreements follow the same pattern. Here are the six violations investigators find most often — and what each means for your practice.
5-minute read
California's Data Exchange Framework creates active data-sharing obligations for most physician practices. Here is what has changed since 2024, who is required to participate, and how HIPAA, CMIA, and 42 CFR Part 2 interact.
10-minute read
Multi-factor authentication is not mandated by the current Security Rule: the person or entity authentication standard (45 CFR § 164.312(d)) does not name MFA, so a practice that chooses another control must document why that choice is reasonable and appropriate. The proposed 2026 rule would make MFA mandatory. Here is what that means in practice.
6-minute read
HIPAA requires workforce training on security policies and procedures. Here is what the rule actually says, what OCR has cited in settlement agreements, and what training looks like in a small practice.
6-minute read