Plain-English explainers of HIPAA enforcement, the proposed 2026 Security Rule, the California rules that layer on top, and honest reviews of the tools small practices reach for first. Every claim cites the underlying CFR section, Federal Register entry, or OCR press release.
The Security Rule requires every covered entity and business associate to conduct an accurate and thorough assessment of the risks and vulnerabilities to the electronic PHI it holds (45 CFR 164.308(a)(1)(ii)(A)). Here is what that actually means, what it has to contain, and how to do it yourself.
OCR is now investigating small practices that have never had a breach — because they never did a risk analysis. Here is what changed in late 2024, what the rule actually requires, and what a defensible answer looks like.
HHS's Office for Civil Rights has now settled with dozens of practices for risk analysis failures. The pattern in their investigation letters and resolution agreements tells you exactly what they are looking for.
The proposed 2026 Security Rule update is the first major revision since 2013. Here is what is actually changing, what is not, and what small covered entities need to do before the rule finalizes.
The risk analysis gets all the attention, but OCR requires the risk management plan too. Here is what it needs to contain, how it relates to the risk analysis, and what a defensible plan looks like.
The free HHS Security Risk Assessment Tool is the most common starting point for small practices doing their first HIPAA risk analysis. Here is an honest look at what it does well and where it falls short.
A business associate agreement (BAA) is required whenever a vendor creates, receives, maintains, or transmits protected health information on your behalf. Here is who qualifies as a business associate, what the agreement must contain, and what happens when you skip it.
Solo and small dental practices face specific HIPAA compliance challenges — legacy imaging software, shared workstations, and minimal IT support. Here is what the proposed 2026 rule changes for you.
OCR has published more than 100 resolution agreements over the past decade. The findings in those agreements follow a consistent pattern. Here is what investigators actually find — and what it means for your practice.
California's Data Exchange Framework (DxF) creates new data sharing obligations that layer on top of HIPAA. Here is how the two regimes interact and what covered entities in California need to understand.
The current Security Rule never names multi-factor authentication. Its authentication standard (45 CFR 164.312(d)) only requires procedures to verify that a person or entity seeking access to ePHI is the one claimed, and its 'addressable' specifications let you document why a safeguard is not reasonable and appropriate and adopt an equivalent alternative instead, not simply skip it. The proposed 2026 rule would name MFA and make it a required specification. Here is what that means in practice.
HIPAA requires workforce training on security policies and procedures. Here is what the rule actually says, what OCR has cited in settlement agreements, and what training looks like in a small practice.