Standard SMS is not encrypted and has no audit trail — two requirements HIPAA imposes on any system that transmits ePHI. Here is what the Security Rule, Privacy Rule, and 2026 NPRM mean for your messaging workflow.
Any vendor that handles ePHI on your behalf is a business associate requiring a BAA before you transmit patient data. Here is the regulatory basis, which tool categories always need one, and how to find and verify a BAA with any vendor.
How to spot a suspected ransomware attack on your practice, what to do in the first hour, and why HIPAA treats a ransomware event on ePHI as a presumed breach.
HIPAA requires every covered entity to designate a Privacy Official and Security Official. Here is what that means, who typically fills the role in small practices, and when an outside consultant can serve in it.
In most small practices, the office manager is the de facto Privacy and Security Official. Here is what that means — the specific CFR obligations, the annual cycle, and what documentation needs to exist.
HIPAA requires designated Privacy and Security Officials — not a full-time hire. Here is what the role involves, who typically holds it, and what a defensible documentation baseline looks like.
The HIPAA Security Rule has two separate risk requirements with different triggers and different artifacts. Most practices only document one — here is exactly what each requires.
Many small healthcare practices assume they are too small for HIPAA. The law has no size exemption. Here is the two-part test that determines whether you are a covered entity — and what applies if you are.
Administrative safeguards under 45 CFR § 164.308 are the most commonly cited standard in OCR enforcement actions. Here is every requirement, what 'addressable' actually means, and what a small practice must have documented.
A HIPAA BAA is not just a signature on a template — 45 CFR § 164.504(e) specifies the exact provisions it must contain. Here is every required element, the common drafting gaps OCR finds, and what to verify before you sign one.
The HIPAA Breach Notification Rule sets mandatory timelines and procedures for notifying patients and regulators after a security incident. Here is every obligation, every deadline, and the four-factor analysis that determines whether you must notify at all.
Home health agencies face HIPAA obligations across a distributed, mobile workforce with unique ePHI exposure points. Here is what the Privacy Rule, Security Rule, and device management requirements mean for an agency with field staff.
Medical billing companies are business associates directly liable under HIPAA since the 2013 Omnibus Rule. Here is what that means for Security Rule compliance, BAA obligations, subcontractor chains, and breach notification.
Mental health providers face the same HIPAA obligations as any covered entity — plus additional protections for psychotherapy notes and, for substance use disorder providers, a separate regulatory layer under 42 CFR Part 2.
Physical therapy practices are covered entities subject to the full HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Here is what the requirements mean in a PT setting — including EHR selection, telehealth, and the 2026 NPP update deadline.
Your HIPAA classification determines your direct liability, documentation requirements, and whether you need a BAA. Two questions reveal which one you are.
Physical safeguards under 45 CFR § 164.310 govern how your practice controls physical access to ePHI — from workstations and server closets to portable devices and decommissioned hard drives. Here is every standard and what it means in a small-practice setting.
The HIPAA Security Rule requires covered entities to maintain written policies and procedures for every safeguard area. Here is what 45 CFR § 164.316 requires, what each policy must address, and the six-year retention obligation.
HIPAA has no size exemption. A solo practitioner is a covered entity subject to the same Privacy Rule, Security Rule, and Breach Notification Rule as a large health system. Here is what that means in practice, what is scaled to size, and what is not.
When a HIPAA breach occurs, the 60-day notification clock starts immediately. Here is the complete response sequence — from the first hour of discovery through patient notification, HHS reporting, and documentation.
Not every vendor needs a BAA, and not every relationship that seems to call for one actually requires it. Here is the legal test, the categories that consistently require BAAs, the common exceptions, and what happens if you skip one.
How to create an accurate ePHI inventory for your HIPAA risk analysis. What to include, where ePHI hides, and why missing systems is the most common OCR finding.
Dental-specific considerations for HIPAA risk analysis: imaging systems, practice software, patient communication tools, and the unique threats dental practices face.
What a defensible HIPAA risk analysis template needs to include, how to structure it for OCR review, and why most free templates fail the accuracy requirement.
OCR treats risk analyses older than 12 months as presumptively stale. Here's when to update, what triggers immediate review, and how to document the cycle.
The Security Rule requires every covered entity to conduct an accurate, thorough risk analysis. Here is what that actually means, what it has to contain, and how to do it yourself — or prepare for a focused consultant review.
The risk analysis gets all the attention, but OCR requires the risk management plan too. Here is what it needs to contain, how it relates to the risk analysis, and what a defensible plan looks like.
A business associate agreement (BAA) is required whenever a vendor handles your patient data. Here is who qualifies as a business associate, what the agreement must contain, and what happens when you skip it.
HIPAA requires workforce training on security policies and procedures. Here is what the rule actually says, what OCR has cited in settlement agreements, and what training looks like in a small practice.