HIPAA & AI: The 2026 Security Checklist
In 2026, security is no longer just about a strong password. With the integration of AI-powered note takers and cloud-based EHRs, your digital footprint is more complex than ever.
The BAA is Just the Beginning
While having a Business Associate Agreement (BAA) with your EHR is legally required, it doesn't guarantee your practice is secure. In 2026, Ashfordale emphasizes "Data Sovereignty"—the ability to know exactly where your data is stored and who has access to it. Many modern EHRs now use AI models to analyze practice trends. You must ensure your BAA specifically forbids the training of large language models (LLMs) on your private clinical notes.
Two-Factor Authentication (2FA)
If you aren't using an authenticator app (like Google Authenticator or Authy) for your EHR, you are at risk. SMS-based 2FA is increasingly vulnerable to "SIM swapping" attacks. In 2026, we consider app-based 2FA the minimum viable security standard for any mental health professional handling PHI (Protected Health Information).
2026 Security Audit Checklist:
- Signed BAA for EHR and Telehealth platforms
- App-based 2FA enabled for all staff accounts
- Encrypted local storage for exported documents
- Quarterly password rotation policy
- Vetted AI note-taking permissions
Protecting the Client Relationship
Security is ultimately an act of care for your clients. A data breach can destroy the therapeutic alliance in seconds. By staying ahead of the 2026 security curve, you aren't just checking a compliance box—you are building a foundation of trust. Ashfordale recommends a biannual review of your software's privacy policy, as "quiet updates" to data usage terms are becoming more frequent in the industry.