HIPAA's cybersecurity modernization effort is surfacing a blind spot many healthcare organizations still cannot see: AI interactions with sensitive health data.
The 2026 HIPAA Security Rule updates are landing later this year, with compliance deadlines following shortly after. Most health tech organizations are focused on the standard requirements: mandatory encryption, multi-factor authentication, annual penetration testing, faster breach reporting.
What they are missing is that the compliance surface area for ePHI has fundamentally expanded. A decade ago, protected health information lived in a relatively small, defined set of places: EHR systems, Word documents, email. Today, AI is embedded in nearly every digital tool healthcare professionals use: email assistants, browser extensions, writing tools like Grammarly, coding assistants, search interfaces, and agents accessing data in bulk. Employees now use AI as their default interface for daily work, and these productivity tools are receiving clinical information that they were never designed or evaluated to handle.
The rule's new standards apply to any system handling ePHI, and AI tools are now handling ePHI at scale. Traditional access-based controls don't solve this problem because you cannot block the productivity tools employees need to do their jobs. This is the compliance gap most likely to create exposure. Here is what you need to do to be ready.
5 Things Health Tech Security Teams Need to Do Before the 2026 Security Rule Takes Effect
1. Understand what data is flowing through AI interactions across your organization
The new risk assessment requirements mandate that you account for all systems handling ePHI. The challenge is not discovering specialized medical AI tools built for clinical workflows. Those are known, sanctioned, and typically designed with HIPAA compliance in mind. The risk lives in general-purpose productivity tools that employees legitimately need but that were never intended to handle patient data: email tools that help draft messages, writing bots that check grammar and tone, browser extensions that summarize content, assistants that can access local files.
Understanding where ePHI appears in AI usage requires inspecting the content of interactions, not just maintaining an inventory of approved applications. Clinical scenarios, patient intake summaries, discharge notes, and case details routinely appear in prompts sent to tools that have no Business Associate Agreement, no technical safeguards, and no evaluation for clinical data handling. You need visibility into what topics are being discussed, what data is moving through AI services, and who is sharing it.
2. Establish and verify business associate relationships with AI vendors handling ePHI
Under HIPAA, any vendor that processes, stores, or transmits ePHI on your behalf is a business associate and requires a business associate agreement. The 2026 rule adds a new requirement: covered entities must obtain annual written verification that business associates have implemented required technical safeguards. A signed BAA is necessary but no longer sufficient. You need documented evidence of actual control implementation from each AI vendor handling ePHI, obtained and reviewed annually.
The circular problem is this: you are supposed to have BAAs with vendors handling PHI, but without content-level visibility, you may not know which sanctioned productivity tools are inadvertently receiving PHI from employees. The BAA framework assumes you can identify every system that touches ePHI. That assumption breaks down when ePHI can leak into any AI-enabled tool that employees use for legitimate work purposes. As you raise your own security standards to meet the updated rule, your business associates must meet those same standards. They represent potential exposure in your compliance posture, and the 2026 updates acknowledge that by requiring active verification rather than contractual assurance.
3. Implement content-aware controls that understand what is being shared, not just which tools are being used
Discovering ePHI exposure after it occurs does not satisfy the new compliance standard. The rule requires active, demonstrable safeguards. For AI usage, that means the ability to detect when ePHI is about to be shared with an external service and either block the interaction or redact the sensitive data before it leaves your environment.
Healthcare professionals use AI tools in different contexts, and governance needs to reflect that. Specialized medical AI tools built into EHR systems are designed for clinical data. General productivity tools like email assistants, writing tools, and browser extensions are essential for daily work but should not receive patient information. Clinical reference tools may be appropriate for researching best practices but not for sharing actual patient cases. The same tool might be perfectly appropriate in one context and a compliance violation in another.
This is why access-based controls fail. You cannot use simple block or allow lists when employees need the tool but should not send certain kinds of information through it. You need controls that understand the semantic content of what is being shared: is this a clinical scenario with identifiable patient information, or is this a general productivity task with no PHI present? HIPAA violations require both personally identifiable information and medical context. A name alone is not PHI. A diagnosis alone is not PHI. Both together constitute PHI. Traditional DLP tools that rely on pattern matching or keyword detection will either miss violations or generate unmanageable volumes of false positives. Effective governance requires semantic understanding of natural language content.
4. Build a continuous, auditable log of AI-related ePHI activity
The 2026 updates shift the burden from documenting intent to proving controls are working. Auditors will expect logs showing what AI interactions occurred, which ones involved ePHI, how your safeguards responded, and who followed up on exceptions. If you cannot produce that record, you cannot demonstrate compliance.
Auditing specialized medical AI built into clinical systems is straightforward. Those tools are designed with compliance in mind and typically include robust logging. The challenge is auditing that your guardrails are working across the dozens of general-purpose productivity tools that employees must have access to: email, document editing, browsers, writing assistants, coding tools. While periodic audits may satisfy minimum requirements, continuous monitoring provides a stronger security posture and ensures you always have a complete trail when questions arise. Use compliance requirements as a baseline, but treat continuous visibility and logging as a security capability that protects the organization beyond what auditors require. The ability to answer questions about AI usage in real time, not just during an audit cycle, represents a material improvement in risk management.
5. Update your risk assessment to reflect how healthcare professionals actually use AI
The annual risk assessment required under the Security Rule must account for all systems and workflows handling ePHI. Healthcare professionals use different kinds of AI tools that require different governance approaches. Specialized medical AI built for clinical workflows is designed with HIPAA in mind. General productivity tools that are essential for daily work but should never see patient data require a different control strategy. Clinical reference tools that are valuable for research and best practices but should not receive identifiable patient information represent yet another category.
Your risk assessment needs to reflect this complexity. Lumping all AI tools into a single category misses the point. The question is not just which AI tools exist, but how they are used, what kinds of data flow through them, and whether the appropriate safeguards are in place for each use case. AI represents one of the fastest-growing areas of ePHI exposure in healthcare organizations, spanning technical, procedural, and strategic dimensions. Under the 2026 updates, treating it as a comprehensive risk surface in your assessment is mandatory.
Enforcement at the Network Layer Changes the Equation
You can address this list manually. Periodic shadow AI audits through endpoint monitoring. Vendor questionnaires sent annually to collect technical verification statements. Log infrastructure built to capture AI interaction data. Policy reviews and training programs reminding employees not to share ePHI. Manual review of AI usage patterns to identify where patient data might be leaking into productivity tools. It works, eventually, if you have the time and resources to sustain it.
Network-layer AI governance collapses most of this work into a single control point. Every AI interaction passes through the network. That means you can see it, inspect it for ePHI, enforce policy on it, and log it without deploying agents to endpoints or integrating with every individual application. Discovery happens automatically. Policies written in natural language get enforced in real time based on semantic understanding of content. ePHI can be redacted before it reaches an external service. Audit logs are generated continuously across all AI tools, not just the ones built for compliance.
When health tech security teams connect Lumia for the first time, they typically find two things. First, the number of distinct AI-enabled tools in use is higher than expected, often by a significant margin. Second, ePHI is present in interactions with general-purpose productivity tools that were never intended to handle clinical data. In practice, the gap between approved AI usage and actual AI usage tends to be wider than security leaders anticipate. Under the 2026 rule, that gap represents a compliance liability regardless of employee intent.
Move Now or Scramble Later
The HIPAA Security Rule was not written with AI in mind. The 2026 updates were designed to address known cybersecurity gaps: weak encryption, inadequate vendor oversight, insufficient monitoring, lax access controls. But those updates, applied to the healthcare environment of 2026, make AI one of the highest-priority compliance surfaces in the industry. Not because regulators set out to regulate AI, but because the rule's new standards apply to any system handling ePHI, and AI tools are handling ePHI at scale.
The organizations that treat AI governance as optional, or as something to address after the more familiar compliance work is done, will find themselves exposed when the rule takes effect. The ones that move now, with the same discipline they apply to endpoints and network access, will be prepared.
The rule was not written for AI. But AI is exactly what it is going to find.
Lumia provides network-layer AI governance for healthcare and health tech organizations. If you want to see what AI usage looks like in your environment and how much of it involves ePHI, we can show you in the first week. Contact us today.
