What is the HIPAA Security Rule?

The HIPAA Security Rule establishes national standards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

What is considered a HIPAA violation in cybersecurity?

A HIPAA violation occurs when PHI or ePHI is impermissibly used or disclosed or insufficiently safeguarded. Common causes include weak access controls, missing risk analyses, unencrypted devices, improper workforce training, and delayed breach reporting.

What are administrative, physical, and technical safeguards?

Administrative safeguards are policies, procedures, and training. Physical safeguards protect facilities and devices. Technical safeguards include access controls, audit logging, transmission security, and encryption.

Is a HIPAA risk assessment required annually?

HIPAA requires a regular and thorough risk analysis but does not mandate a specific frequency. Many organizations perform it annually and whenever significant changes occur, such as new systems, vendors, or workflows.

What should a HIPAA risk assessment include?

It should identify where ePHI resides, evaluate threats and vulnerabilities, assess likelihood and impact, review current controls, document risk levels, and define prioritized remediation steps and timelines.

What is the role of encryption in HIPAA compliance?

Encryption is an addressable implementation specification. If reasonable and appropriate, it should be implemented for data at rest and in transit. If not implemented, the decision must be documented and an equivalent alternative safeguard applied.

What is a Business Associate under HIPAA?

A Business Associate is any person or organization, other than a workforce member of a covered entity, that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples include cloud providers, IT support, billing services, and certain consultants. A Business Associate Agreement (BAA) is required before PHI access.

Do business associates need to be HIPAA compliant?

Yes. Business associates must implement appropriate safeguards for PHI, comply with applicable HIPAA requirements, enter into a BAA, report incidents and breaches, and ensure their subcontractors that handle PHI also comply.

What happens if a business associate causes a breach?

Both the covered entity and the business associate have obligations. The business associate must investigate, mitigate, and notify the covered entity. Breach notifications to individuals, HHS, and in some cases the media may be required based on the incident size and circumstances.

How do I secure remote access to ePHI?

Use VPN or zero-trust access, require multi-factor authentication, enforce least-privilege access, encrypt devices, manage endpoints and patches, disable local data storage when possible, and monitor logs for suspicious activity.

Can employees use personal devices under HIPAA?

Yes, if governed by a BYOD policy that enforces device encryption, screen locks, remote wipe, mobile device management, separation of work data, and prohibits storing ePHI in unsecured apps or locations.

What is considered a HIPAA data breach?

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy, such as ransomware, lost or stolen devices, misdirected emails, or unauthorized access, unless a documented risk assessment shows a low probability of compromise.

How soon must a HIPAA breach be reported?

Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Reporting to HHS depends on the number of affected individuals; large breaches (500 or more) require more immediate reporting and, in some cases, media notice.

What are the penalties for HIPAA violations?

HIPAA penalties vary by tier based on level of culpability, with per-violation amounts and annual caps per violation type. Enforcement may include corrective action plans, settlement amounts, and monitoring. Actual amounts depend on the facts and current HHS guidance.

Can my practice be audited for HIPAA compliance?

Yes. HHS’s Office for Civil Rights conducts audits and investigations, particularly after breaches or complaints. Maintaining documentation, training records, and current risk analyses helps demonstrate compliance readiness.

What documentation is required to prove HIPAA compliance?

Keep current risk analyses, remediation plans, security and privacy policies, workforce training logs, incident response procedures, business associate agreements, access audit logs, and evidence of ongoing monitoring and evaluations.

Health Tech 2026: 9 Bold Predictions Shaping the Future

Jan 1

Written By L Trotter II

TL;DR

2025 was a breakout year for AI in healthcare but also a reality check. As we step into 2026, Health Tech is entering a more mature, more regulated, and more risk-aware chapter. From AI consolidation and state-led regulation to the growing dominance of remote patient monitoring, here are 9 key predictions that health tech vendors and investors need to watch closely.

1. AI Governance Will Become a Procurement Requirement

Multiple U.S. states introduced bills in 2025 to regulate AI. Some passed. Others are pending. In 2026, we’ll see that momentum pick up.

Expect health systems to demand clear documentation of your AI governance approach covering ethics, validation, cybersecurity, and transparency.

This means if your AI solution touches PHI or clinical workflows, governance frameworks are a must.

2. AI Adoption Will Mature, But Remain Cautious

Hospitals rushed into generative AI in 2025, but are now slowing down to evaluate readiness, build use cases, and assess risks.

Expect 2026 to reward vendors who build smart, not fast.

That means:

Workflow-first design
Interoperability with EHRs and legacy systems
Measurable ROI
HIPAA & SOC 2 Compliant Solutions

✅ Planning an AI-powered product for 2026? Request the Health Tech AI Readiness Self-Assessment to evaluate your product with clinical alignment, AI security, governance, and market fit before pitching to hospitals.

3. Agentic AI Will Lag Behind the Hype

Agent AI (autonomous, multi-agent systems) is trending, but don’t expect adoption in healthcare anytime soon.

Hospitals aren’t ready to remove humans from the loop especially in decisions involving patient safety.

Security risks (e.g., prompt injection, autonomous execution of malicious tasks) are too high.

Slow down on building for full autonomy.

Human-in-the-loop will be the gold standard for trust and safety for years to come.

4. Remote Patient Monitoring (RPM) Will Surge

RPM is set to boom especially in rural and underserved areas.

It extends telehealth, supports care continuity, and reduces hospital burdens.

But it also expands the attack surface.

The health tech companies that shift their focus to remote care while embedding solid cybersecurity strategies has the opportunity to win big.

5. AI Security Will Finally Get Its Own Lane

Right now, AI security is lumped into AI governance.

That won’t last.

In 2026, expect to see clearer lines between governance (ethics, transparency) and security (model protection, prompt injection prevention, model IP).

NIST's current work on an AI security framework is a signal here.

6. HIPAA Will Stay Static, But Enforcement Will Tighten

While draft updates to the HIPAA Security Rule surfaced in 2025, don’t expect final changes in 2026.

However, providers will double down on vendor due diligence.

HIPAA Compliance will be a sales asset or a blocker.

✅ Know what buyers will expect during security reviews before they ask. Request the Strategic Security Compliance Guide.

7. VCs Will Favor Secure, Clinically Aligned AI Solutions

The AI hype cycle has tired investors.

In 2026, they’ll ask tougher questions:

Does it integrate with clinical workflows?
Is it interoperable?
Is it secure and governed?

Solutions that check all three boxes will lead the next funding wave.

8. State vs. Federal AI Regulation Battles Will Heat Up

The federal government is trying to unify AI laws under one national framework but states are pushing back.

Expect 2026 to bring more state-specific regulations, especially around:

AI decision-making in care
Human-in-the-loop mandates
Patient-facing AI transparency

Health Tech vendors will need to understand their legal obligations across multiple jurisdictions.

9. Cybersecurity Will Become a GTM Differentiator

Health systems are getting flooded with vendor pitches.

Cybersecurity and compliance are no longer just checkboxes, they’re part of your brand.

Health tech companies that lead with cybersecurity will win deals faster, reduce procurement delays, and stand out in a noisy space.

Final Thought

2026 won’t be about moving fast and breaking things.

It’ll be about building trust, proving outcomes, and showing up ready to be a long-term partner.

Health Tech companies who take HIPAA compliance, integration, and clinical alignment seriously are the ones who will lead health tech’s next wave.

Happy New Year and let’s get to it!

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operation for clients.

Larry has provided services for 12 years across the private industry developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com