@joegellatly

Building a BAA Inventory System That Holds Up Under a 2026 HIPAA Audit

2d ago · 6 min read · If you maintain HIPAA-covered systems, your Business Associate Agreement (BAA) inventory is one of the most under-engineered parts of your compliance posture. Most organizations carry it in a spreadsh

Why horizontal GRC platforms miss the half of HIPAA that actually fails an audit

5d ago · 6 min read · A 2026 engineering-perspective on the gap between "we passed SOC 2" and "we'd pass an OCR Risk Analysis Initiative inspection." The framing problem If you sell software into healthcare, you've probabl

A 2026 HIPAA Risk Assessment Pattern for Healthcare APIs

6d ago · 5 min read · The problem You're shipping a healthcare API. Your data plane touches PHI. Your auditors — eventually — will ask: show us your most recent HIPAA risk assessment. The answer "we'll generate one later"

How We Picked Our HIPAA Security Risk Assessment Tool in 2026 (Engineering-First Notes)

May 20 · 4 min read · If you're standing up the HIPAA SRA-tool stack for a healthcare org in 2026, what does the buying decision actually look like from the engineering side? A lot of the writing on this lives in marketing

Logging API calls in telehealth platforms: a 2026 HIPAA-compliant pattern

May 8 · 5 min read · The 2026 HIPAA Security Rule amendments tightened what an audit log has to look like. For telehealth platforms — where a single patient session can fan out to a half-dozen API calls touching PHI — get