# CoreFolio > Guided HIPAA compliance software for small US healthcare practices. > CoreFolio HIPAA runs a self-assessment that produces a dated Risk Analysis > Report and Risk Management Plan — self-service readiness tooling, not legal > advice or a certification. CoreFolio publishes plain-English Learn articles for clinic, dental, behavioral health, and home health practices. Each article cites primary HIPAA sources (45 CFR, HHS/OCR guidance) and is written for non-technical office managers and practice owners. ## Product - [Free HIPAA risk assessment](https://corefolio.ai/assess): Anonymous self-assessment; answers stay in the browser until you upgrade - [Pricing](https://corefolio.ai/pricing): Digital Binder for a single practice; Pro tier for consultants - [Learn index](https://corefolio.ai/learn): All regulatory explainers - [About CoreFolio](https://corefolio.ai/about) ## Learn categories - [Enforcement](https://corefolio.ai/learn/enforcement): What the Office for Civil Rights (OCR) is actually investigating right now, and how small practices end up on the wrong end of a settlement. - [Proposed rule updates](https://corefolio.ai/learn/the-2026-rule): Plain-English explainers of the proposed Security Rule update and the incoming Privacy Rule update — and what they mean for small practices. - [How-to](https://corefolio.ai/learn/how-to): Practical walkthroughs for the work HIPAA actually requires — risk analysis, gap analysis, vendor reviews. - [California](https://corefolio.ai/learn/california): California-specific rules that layer on top of HIPAA: the Data Exchange Framework, CMIA, and CCPA exemptions. - [Oregon](https://corefolio.ai/learn/oregon): Oregon-specific privacy, breach-notification, and health-records laws that layer on top of HIPAA for medical, dental, and behavioral health practices. - [Tools](https://corefolio.ai/learn/tools): Reviews of the tools small practices reach for first — starting with the free U.S. Department of Health and Human Services (HHS) Security Risk Assessment Tool. ## Topic clusters (pillar guides) - [HIPAA risk analysis](https://corefolio.ai/learn/how-to/how-to-do-hipaa-risk-analysis) - [Proposed Security Rule update](https://corefolio.ai/learn/the-2026-rule/2026-hipaa-security-rule-small-practices) - [Vendors and workforce](https://corefolio.ai/learn/how-to/business-associate-agreement-hipaa) - [Tools](https://corefolio.ai/learn/tools/hhs-sra-tool-review) - [California](https://corefolio.ai/learn/california/california-data-exchange-framework-hipaa) - [Oregon](https://corefolio.ai/learn/oregon/oregon-hipaa-privacy-security-laws) - [Fractional and self-serve compliance](https://corefolio.ai/learn/how-to/fractional-hipaa-compliance-officer) ## Featured guides (FAQ or HowTo structured data) - [Oregon behavioral health and substance use records: how ORS 179.505 and 42 CFR Part 2 layer on HIPAA](https://corefolio.ai/learn/oregon/oregon-behavioral-health-sud-records): Behavioral health and substance use records in Oregon carry two layers stricter than HIPAA — ORS 179.505 and 42 CFR Part 2. How they interact and which controls. - [What a coordinated care organization (CCO) contract adds to your HIPAA obligations in Oregon](https://corefolio.ai/learn/oregon/oregon-cco-contract-hipaa): Joining an Oregon coordinated care organization layers Medicaid managed-care duties on top of HIPAA — record-keeping, whole-person data sharing, member access, and subcontractor monitoring. What changes. - [The Oregon Health Plan and HIPAA: how Medicaid confidentiality goes beyond the federal floor](https://corefolio.ai/learn/oregon/oregon-health-plan-medicaid-hipaa): The Oregon Health Plan is Medicaid, and Medicaid confidentiality law is narrower than HIPAA. How the two interact, where they diverge, and which rule controls. - [Oregon healthcare data breach notification: how a practice actually responds under OCIPA and HIPAA](https://corefolio.ai/learn/oregon/oregon-healthcare-data-breach-notification): A step-by-step look at how an Oregon medical or dental practice responds to a data breach under the Oregon Consumer Information Protection Act and HIPAA — clocks, the AG copy, and documentation. - [HIV and genetic testing consent in Oregon: the sensitive-category rules that layer on HIPAA](https://corefolio.ai/learn/oregon/oregon-hiv-genetic-testing-consent): Oregon adds pre-test notice for HIV and informed-consent rules for genetic information that go beyond HIPAA. What the rules require and how they interact with the federal floor. - [Minor consent and medical records in Oregon: who authorizes a teen's record, and what HIPAA does with that](https://corefolio.ai/learn/oregon/oregon-minor-consent-medical-records): Oregon lets minors consent to some care on their own — which changes who can authorize a teen's record under HIPAA. The age rules, parent access, and provider discretion. - [The 2026 HIPAA Privacy Rule update: what's changing and how it affects your practice](https://corefolio.ai/learn/the-2026-rule/2026-hipaa-privacy-rule-changes): A 2026 HIPAA Privacy Rule update is in final review, covering patient access, care coordination, and privacy notices. What is proposed and how to prepare. - [Oregon privacy and security laws that layer with HIPAA: what medical and dental practices need to know](https://corefolio.ai/learn/oregon/oregon-hipaa-privacy-security-laws): How Oregon's breach-notification, data-security, and health-records laws layer on top of HIPAA for medical, dental, and behavioral health practices. - [HIPAA-compliant texting and encrypted messaging: what the rules actually require](https://corefolio.ai/learn/how-to/hipaa-compliant-texting-messaging): Standard SMS is not encrypted and has no audit trail. What the HIPAA Security Rule, Privacy Rule, and proposed Security Rule NPRM require before you text patient information. - [How much does HIPAA compliance cost? A small-practice breakdown](https://corefolio.ai/learn/tools/hipaa-compliance-cost): What HIPAA compliance actually costs a small practice — risk analysis, policies, training, safeguards, and annual upkeep, with real dollar ranges. - [45 CFR 164.308(a)(1): the HIPAA Security Management Process](https://corefolio.ai/learn/how-to/hipaa-security-management-process-164-308-a-1): 45 CFR 164.308(a)(1) is the standard behind many Office for Civil Rights (OCR) risk-analysis settlements. Its four required specifications and what a defensible record looks like. - [HIPAA fines against business associates: the Office for Civil Rights (OCR) enforcement record](https://corefolio.ai/learn/enforcement/hipaa-business-associate-enforcement): Business associates are directly liable under HIPAA, and OCR fines them directly. Every verified OCR business associate settlement, from 2016 to 2026. - [HIPAA violation fines in 2026: penalty tiers and what reduces them](https://corefolio.ai/learn/enforcement/hipaa-violation-fines-2026): The 2026 HIPAA penalty tiers from the Federal Register, plus evidence that strong security practices can reduce what Office for Civil Rights (OCR) imposes. - [HIPAA BAAs for technology vendors: the requirement, what it covers, and how to verify](https://corefolio.ai/learn/how-to/hipaa-baa-technology-vendors): Any tech vendor that handles ePHI is a business associate needing a BAA. Which tool categories always require one, and how to find and verify a vendor BAA. - [Ransomware and HIPAA: how to recognize and respond to a suspected attack](https://corefolio.ai/learn/how-to/hipaa-ransomware-attack-response): How to spot a suspected ransomware attack on your practice, what to do in the first hour, and why HIPAA treats a ransomware event on ePHI as a presumed breach. - [What is a fractional HIPAA compliance officer?](https://corefolio.ai/learn/how-to/fractional-hipaa-compliance-officer): HIPAA requires every covered entity to name a Privacy and Security Official. Who typically fills the role in small practices, and when an outsider can serve. - [HIPAA compliance responsibilities for office managers](https://corefolio.ai/learn/how-to/hipaa-compliance-office-manager): In many small practices, the office manager is the de facto Privacy and Security Official. The specific CFR duties, the annual cycle, and what to document. - [How HIPAA consultants run risk analyses across multiple client practices](https://corefolio.ai/learn/tools/hipaa-compliance-tools-for-consultants): HIPAA consultants and vCISOs serving multiple clients face a documentation challenge. The framework they work within and how the work is structured. - [HIPAA compliance without a dedicated compliance officer: a small practice guide](https://corefolio.ai/learn/how-to/hipaa-compliance-without-compliance-officer): HIPAA requires designated Privacy and Security Officials, not a full-time hire. What the role involves, who holds it, and a defensible documentation baseline. - [HIPAA consultant or DIY risk analysis: how to decide](https://corefolio.ai/learn/tools/hipaa-consultant-vs-diy-risk-analysis): A HIPAA consultant suits some practices; DIY risk analysis works for others. A factual comparison of what each path provides, costs, and requires. - [HIPAA risk analysis vs. security evaluation: you need both](https://corefolio.ai/learn/how-to/risk-analysis-vs-periodic-security-evaluation-hipaa): The HIPAA Security Rule has two separate risk requirements with different triggers. Many practices document only one; here is what each requires. - [Does HIPAA apply to small practices?](https://corefolio.ai/learn/how-to/does-hipaa-apply-to-small-practices): Many small practices assume they are too small for HIPAA, but the law has no size exemption. The two-part test for whether you are a covered entity. - [HIPAA administrative safeguards: the complete checklist for small practices](https://corefolio.ai/learn/how-to/hipaa-administrative-safeguards-checklist): Administrative safeguards under 45 CFR 164.308 are a frequently cited standard in Office for Civil Rights (OCR) cases. Every requirement, what addressable means, and what to document. - [What must a HIPAA business associate agreement include?](https://corefolio.ai/learn/how-to/hipaa-baa-checklist): A HIPAA BAA is more than a signature: 45 CFR 164.504(e) sets the provisions it must contain. Every required element and the common drafting gaps Office for Civil Rights (OCR) finds. - [HIPAA breach notification requirements: what your practice must do and when](https://corefolio.ai/learn/how-to/hipaa-breach-notification-requirements): The HIPAA Breach Notification Rule sets firm deadlines for notifying patients and regulators. Every obligation, deadline, and the four-factor analysis. - [HIPAA compliance for home health agencies: mobile workforce, devices, and ePHI](https://corefolio.ai/learn/how-to/hipaa-compliance-home-health-agencies): Home health agencies carry HIPAA obligations across a mobile workforce. What the Privacy Rule, Security Rule, and device management mean for field staff. - [HIPAA compliance for medical billing companies: obligations as a business associate](https://corefolio.ai/learn/how-to/hipaa-compliance-medical-billing): Medical billing companies are business associates liable under HIPAA since 2013. What that means for the Security Rule, BAAs, and breach notification. - [HIPAA compliance for mental health counselors, therapists, and psychologists](https://corefolio.ai/learn/how-to/hipaa-compliance-mental-health-counselors): Mental health providers face the same HIPAA duties as any covered entity, plus psychotherapy-note protections and, for SUD care, 42 CFR Part 2. - [HIPAA compliance for physical therapy practices](https://corefolio.ai/learn/how-to/hipaa-compliance-physical-therapy): Physical therapy practices are covered entities under HIPAA. What that means for PT: EHR choice, telehealth, and the 2026 privacy-notice deadline. - [Am I a HIPAA covered entity or business associate? How to tell](https://corefolio.ai/learn/how-to/hipaa-covered-entity-vs-business-associate): Your HIPAA classification determines your direct liability, documentation requirements, and whether you need a BAA. Two questions reveal which one you are. - [HIPAA physical safeguards for small practices: what the rule actually requires](https://corefolio.ai/learn/how-to/hipaa-physical-safeguards-small-practice): HIPAA physical safeguards under 45 CFR 164.310 control physical access to ePHI. Every standard explained for a small practice, from workstations to disposal. - [HIPAA policies and procedures for small practices: what you must have in writing](https://corefolio.ai/learn/how-to/hipaa-policies-procedures-small-practice): The HIPAA Security Rule requires written policies for every safeguard area. What 45 CFR 164.316 requires, what each policy must address, and 6-year retention. - [HIPAA requirements for solo and small practices: what applies and what is scaled](https://corefolio.ai/learn/how-to/hipaa-sole-practitioner-requirements): HIPAA has no size exemption. A solo practitioner faces the same Privacy, Security, and Breach rules as a hospital. What is scaled to size, and what is not. - [HIPAA technical safeguards: current requirements and what the Security Rule NPRM proposes to change](https://corefolio.ai/learn/the-2026-rule/hipaa-technical-safeguards-2026): HIPAA technical safeguards govern access, encryption, audit logging, and authentication. What is required now and what the NPRM proposes to change. - [How to prepare for a HIPAA audit or investigation](https://corefolio.ai/learn/enforcement/how-to-prepare-hipaa-audit): Office for Civil Rights (OCR) investigations open with a document request. Practices with organized records fare far better. What they ask for and how to have it ready in advance. - [What to do after a HIPAA breach: a step-by-step response guide](https://corefolio.ai/learn/how-to/what-to-do-after-hipaa-breach): After a HIPAA breach, the 60-day notification clock starts at once. Discovery, patient notice, U.S. Department of Health and Human Services (HHS) reporting, and what to document. - [What triggers a HIPAA audit or investigation](https://corefolio.ai/learn/enforcement/what-triggers-hipaa-audit): Office for Civil Rights (OCR) investigates practices through three channels: patient complaints, breach reports, and enforcement initiatives. How each works and how to lower your risk. - [Who needs a HIPAA business associate agreement?](https://corefolio.ai/learn/how-to/who-needs-a-hipaa-baa): Not every vendor needs a BAA. Here is the legal test, the categories that consistently require one, the common exceptions, and what happens if you skip it. - [ePHI inventory template: the foundation of every risk analysis](https://corefolio.ai/learn/how-to/ephi-inventory-template): How to build an ePHI inventory for your HIPAA risk analysis: what to include, where ePHI hides, and why missing systems is a top Office for Civil Rights (OCR) finding. - [Free HIPAA risk assessment tools compared](https://corefolio.ai/learn/tools/free-hipaa-risk-assessment-tools): Free HIPAA risk assessment options: what the U.S. Department of Health and Human Services (HHS) SRA Tool covers, where it falls short, and what free tools miss. - [HIPAA risk analysis for behavioral health practices](https://corefolio.ai/learn/how-to/hipaa-risk-analysis-behavioral-health): Behavioral health risk analysis considerations: therapy notes, telehealth, session recordings, 42 CFR Part 2, and the privacy threats these practices face. - [HIPAA risk analysis checklist: 27-point review before an audit](https://corefolio.ai/learn/how-to/hipaa-risk-analysis-checklist): A checklist of what Office for Civil Rights (OCR) investigators look for in a HIPAA risk analysis. Use it to review your documentation before an investigation. - [How much does a HIPAA risk assessment cost?](https://corefolio.ai/learn/tools/hipaa-risk-analysis-cost): A HIPAA risk assessment costs $0 to about $8,000 depending on who does the work. Here is what each path costs — and where guided software fits. - [HIPAA risk analysis for dental practices: a specialty guide](https://corefolio.ai/learn/how-to/hipaa-risk-analysis-dental-practices): Dental-specific HIPAA risk analysis: imaging systems, practice software, patient communication tools, and the unique threats dental practices face. - [HIPAA risk analysis template for small practices](https://corefolio.ai/learn/how-to/hipaa-risk-analysis-template): What a defensible HIPAA risk analysis template must include, how to structure it for Office for Civil Rights (OCR) review, and why many free templates fail the accuracy requirement. - [How often to update your HIPAA risk analysis (and why annual is the floor)](https://corefolio.ai/learn/how-to/how-often-update-hipaa-risk-analysis): Office for Civil Rights (OCR) treats risk analyses older than 12 months as presumptively stale. When to update, what triggers an immediate review, and how to document the cycle. - [Risk analysis vs gap analysis: which does your practice need?](https://corefolio.ai/learn/how-to/risk-analysis-vs-gap-analysis-hipaa): The difference between a HIPAA risk analysis and a gap analysis, which the Security Rule requires, and when you need both. - [How to do a HIPAA risk analysis yourself: a step-by-step guide for small practices](https://corefolio.ai/learn/how-to/how-to-do-hipaa-risk-analysis): The Security Rule requires every covered entity to conduct an accurate, thorough risk analysis. What it must contain and how to do it yourself, step by step. - [The Office for Civil Rights (OCR) Risk Analysis Initiative, explained](https://corefolio.ai/learn/enforcement/ocr-risk-analysis-initiative): The OCR Risk Analysis Initiative targets small practices after breaches, ransomware, and complaints. What changed in 2024 and what a defensible answer needs. - [What the Office for Civil Rights (OCR) actually wants in a risk analysis](https://corefolio.ai/learn/enforcement/what-ocr-wants-in-a-risk-analysis): OCR has settled with dozens of practices over risk analysis failures. Their letters and resolution agreements show exactly what a risk analysis must cover. - [Proposed HIPAA Security Rule update: 7 major changes for small practices](https://corefolio.ai/learn/the-2026-rule/2026-hipaa-security-rule-small-practices): The first major Security Rule update since 2013 has slipped to 2027. Here is what is actually proposed, what is law today, and what to do with the extra time. - [What goes in a HIPAA risk management plan](https://corefolio.ai/learn/how-to/hipaa-risk-management-plan): The risk analysis gets attention, but Office for Civil Rights (OCR) also requires a risk management plan. What it must contain, how it ties to the risk analysis, and what to include. - [The U.S. Department of Health and Human Services (HHS) Security Risk Assessment Tool: what it does well and where it falls short](https://corefolio.ai/learn/tools/hhs-sra-tool-review): A review of the free HHS Security Risk Assessment Tool: what it does well for a first HIPAA risk analysis, where it falls short, and whether it is defensible. - [What is a business associate agreement, and who needs one?](https://corefolio.ai/learn/how-to/business-associate-agreement-hipaa): A HIPAA business associate agreement (BAA) is required when a vendor handles patient data. Who qualifies, what it must contain, and the cost of skipping it. - [What the proposed HIPAA Security Rule update means for a solo dental practice](https://corefolio.ai/learn/the-2026-rule/2026-hipaa-security-rule-dental-practice): Small dental practices face specific HIPAA challenges: legacy imaging software, shared workstations, and minimal IT support. What the proposed Security Rule update would change. - [What the Office for Civil Rights (OCR) finds every time it investigates a small practice](https://corefolio.ai/learn/enforcement/hipaa-settlement-patterns-small-practices): More than 100 OCR resolution agreements follow one pattern. The six violations investigators cite again and again, and what each means for your practice. - [California's Data Exchange Framework and HIPAA: what small practices need to know](https://corefolio.ai/learn/california/california-data-exchange-framework-hipaa): The California Data Exchange Framework creates data-sharing duties for many practices. Who must participate, and how HIPAA, CMIA, and 42 CFR Part 2 interact. - [HIPAA and multi-factor authentication: what the proposed Security Rule update means for small practices](https://corefolio.ai/learn/the-2026-rule/hipaa-mfa-requirement-small-practice): Multi-factor authentication is currently addressable under HIPAA. The proposed Security Rule update would make MFA mandatory. What that means for a small practice. - [HIPAA workforce training: what the rule requires and what actually works](https://corefolio.ai/learn/how-to/hipaa-workforce-training-requirements): HIPAA requires workforce training on security policies. What the rule says, what Office for Civil Rights (OCR) has cited in settlements, and what it looks like in a small practice. ## All Learn articles ### Enforcement - [HIPAA fines against business associates: the Office for Civil Rights (OCR) enforcement record](https://corefolio.ai/learn/enforcement/hipaa-business-associate-enforcement) - [HIPAA violation fines in 2026: penalty tiers and what reduces them](https://corefolio.ai/learn/enforcement/hipaa-violation-fines-2026) - [How to prepare for a HIPAA audit or investigation](https://corefolio.ai/learn/enforcement/how-to-prepare-hipaa-audit) - [The Office for Civil Rights (OCR) Risk Analysis Initiative, explained](https://corefolio.ai/learn/enforcement/ocr-risk-analysis-initiative) - [What the Office for Civil Rights (OCR) actually wants in a risk analysis](https://corefolio.ai/learn/enforcement/what-ocr-wants-in-a-risk-analysis) - [What the Office for Civil Rights (OCR) finds every time it investigates a small practice](https://corefolio.ai/learn/enforcement/hipaa-settlement-patterns-small-practices) - [What triggers a HIPAA audit or investigation](https://corefolio.ai/learn/enforcement/what-triggers-hipaa-audit) ### Proposed rule updates - [HIPAA and multi-factor authentication: what the proposed Security Rule update means for small practices](https://corefolio.ai/learn/the-2026-rule/hipaa-mfa-requirement-small-practice) - [HIPAA technical safeguards: current requirements and what the Security Rule NPRM proposes to change](https://corefolio.ai/learn/the-2026-rule/hipaa-technical-safeguards-2026) - [Proposed HIPAA Security Rule update: 7 major changes for small practices](https://corefolio.ai/learn/the-2026-rule/2026-hipaa-security-rule-small-practices) - [The 2026 HIPAA Privacy Rule update: what's changing and how it affects your practice](https://corefolio.ai/learn/the-2026-rule/2026-hipaa-privacy-rule-changes) - [What the proposed HIPAA Security Rule update means for a solo dental practice](https://corefolio.ai/learn/the-2026-rule/2026-hipaa-security-rule-dental-practice) ### How-to - [45 CFR 164.308(a)(1): the HIPAA Security Management Process](https://corefolio.ai/learn/how-to/hipaa-security-management-process-164-308-a-1) - [Am I a HIPAA covered entity or business associate? How to tell](https://corefolio.ai/learn/how-to/hipaa-covered-entity-vs-business-associate) - [Does HIPAA apply to small practices?](https://corefolio.ai/learn/how-to/does-hipaa-apply-to-small-practices) - [ePHI inventory template: the foundation of every risk analysis](https://corefolio.ai/learn/how-to/ephi-inventory-template) - [HIPAA administrative safeguards: the complete checklist for small practices](https://corefolio.ai/learn/how-to/hipaa-administrative-safeguards-checklist) - [HIPAA BAAs for technology vendors: the requirement, what it covers, and how to verify](https://corefolio.ai/learn/how-to/hipaa-baa-technology-vendors) - [HIPAA breach notification requirements: what your practice must do and when](https://corefolio.ai/learn/how-to/hipaa-breach-notification-requirements) - [HIPAA compliance for home health agencies: mobile workforce, devices, and ePHI](https://corefolio.ai/learn/how-to/hipaa-compliance-home-health-agencies) - [HIPAA compliance for medical billing companies: obligations as a business associate](https://corefolio.ai/learn/how-to/hipaa-compliance-medical-billing) - [HIPAA compliance for mental health counselors, therapists, and psychologists](https://corefolio.ai/learn/how-to/hipaa-compliance-mental-health-counselors) - [HIPAA compliance for physical therapy practices](https://corefolio.ai/learn/how-to/hipaa-compliance-physical-therapy) - [HIPAA compliance responsibilities for office managers](https://corefolio.ai/learn/how-to/hipaa-compliance-office-manager) - [HIPAA compliance without a dedicated compliance officer: a small practice guide](https://corefolio.ai/learn/how-to/hipaa-compliance-without-compliance-officer) - [HIPAA physical safeguards for small practices: what the rule actually requires](https://corefolio.ai/learn/how-to/hipaa-physical-safeguards-small-practice) - [HIPAA policies and procedures for small practices: what you must have in writing](https://corefolio.ai/learn/how-to/hipaa-policies-procedures-small-practice) - [HIPAA requirements for solo and small practices: what applies and what is scaled](https://corefolio.ai/learn/how-to/hipaa-sole-practitioner-requirements) - [HIPAA risk analysis checklist: 27-point review before an audit](https://corefolio.ai/learn/how-to/hipaa-risk-analysis-checklist) - [HIPAA risk analysis for behavioral health practices](https://corefolio.ai/learn/how-to/hipaa-risk-analysis-behavioral-health) - [HIPAA risk analysis for dental practices: a specialty guide](https://corefolio.ai/learn/how-to/hipaa-risk-analysis-dental-practices) - [HIPAA risk analysis template for small practices](https://corefolio.ai/learn/how-to/hipaa-risk-analysis-template) - [HIPAA risk analysis vs. security evaluation: you need both](https://corefolio.ai/learn/how-to/risk-analysis-vs-periodic-security-evaluation-hipaa) - [HIPAA workforce training: what the rule requires and what actually works](https://corefolio.ai/learn/how-to/hipaa-workforce-training-requirements) - [HIPAA-compliant texting and encrypted messaging: what the rules actually require](https://corefolio.ai/learn/how-to/hipaa-compliant-texting-messaging) - [How often to update your HIPAA risk analysis (and why annual is the floor)](https://corefolio.ai/learn/how-to/how-often-update-hipaa-risk-analysis) - [How to do a HIPAA risk analysis yourself: a step-by-step guide for small practices](https://corefolio.ai/learn/how-to/how-to-do-hipaa-risk-analysis) - [Ransomware and HIPAA: how to recognize and respond to a suspected attack](https://corefolio.ai/learn/how-to/hipaa-ransomware-attack-response) - [Risk analysis vs gap analysis: which does your practice need?](https://corefolio.ai/learn/how-to/risk-analysis-vs-gap-analysis-hipaa) - [What goes in a HIPAA risk management plan](https://corefolio.ai/learn/how-to/hipaa-risk-management-plan) - [What is a business associate agreement, and who needs one?](https://corefolio.ai/learn/how-to/business-associate-agreement-hipaa) - [What is a fractional HIPAA compliance officer?](https://corefolio.ai/learn/how-to/fractional-hipaa-compliance-officer) - [What must a HIPAA business associate agreement include?](https://corefolio.ai/learn/how-to/hipaa-baa-checklist) - [What to do after a HIPAA breach: a step-by-step response guide](https://corefolio.ai/learn/how-to/what-to-do-after-hipaa-breach) - [Who needs a HIPAA business associate agreement?](https://corefolio.ai/learn/how-to/who-needs-a-hipaa-baa) ### California - [California's Data Exchange Framework and HIPAA: what small practices need to know](https://corefolio.ai/learn/california/california-data-exchange-framework-hipaa) ### Oregon - [HIV and genetic testing consent in Oregon: the sensitive-category rules that layer on HIPAA](https://corefolio.ai/learn/oregon/oregon-hiv-genetic-testing-consent) - [Minor consent and medical records in Oregon: who authorizes a teen's record, and what HIPAA does with that](https://corefolio.ai/learn/oregon/oregon-minor-consent-medical-records) - [Oregon behavioral health and substance use records: how ORS 179.505 and 42 CFR Part 2 layer on HIPAA](https://corefolio.ai/learn/oregon/oregon-behavioral-health-sud-records) - [Oregon healthcare data breach notification: how a practice actually responds under OCIPA and HIPAA](https://corefolio.ai/learn/oregon/oregon-healthcare-data-breach-notification) - [Oregon privacy and security laws that layer with HIPAA: what medical and dental practices need to know](https://corefolio.ai/learn/oregon/oregon-hipaa-privacy-security-laws) - [The Oregon Health Plan and HIPAA: how Medicaid confidentiality goes beyond the federal floor](https://corefolio.ai/learn/oregon/oregon-health-plan-medicaid-hipaa) - [What a coordinated care organization (CCO) contract adds to your HIPAA obligations in Oregon](https://corefolio.ai/learn/oregon/oregon-cco-contract-hipaa) ### Tools - [Free HIPAA risk assessment tools compared](https://corefolio.ai/learn/tools/free-hipaa-risk-assessment-tools) - [HIPAA consultant or DIY risk analysis: how to decide](https://corefolio.ai/learn/tools/hipaa-consultant-vs-diy-risk-analysis) - [How HIPAA consultants run risk analyses across multiple client practices](https://corefolio.ai/learn/tools/hipaa-compliance-tools-for-consultants) - [How much does a HIPAA risk assessment cost?](https://corefolio.ai/learn/tools/hipaa-risk-analysis-cost) - [How much does HIPAA compliance cost? A small-practice breakdown](https://corefolio.ai/learn/tools/hipaa-compliance-cost) - [The U.S. Department of Health and Human Services (HHS) Security Risk Assessment Tool: what it does well and where it falls short](https://corefolio.ai/learn/tools/hhs-sra-tool-review) ## Site metadata - [XML sitemap](https://corefolio.ai/sitemap.xml) - [Privacy policy](https://corefolio.ai/privacy) - [Disclaimer](https://corefolio.ai/disclaimer) - [Terms of use](https://corefolio.ai/terms)