@joegellatly

The 2026 HIPAA Risk Assessment Pattern for Healthcare APIs

1d ago · 8 min read · Originally published at medcurity.com. Mirrored here for engineering teams shipping healthcare-adjacent software. If you ship any service that reads, writes, or transports electronic protected health

Building a BAA Inventory System That Holds Up Under a 2026 HIPAA Audit

Jun 1 · 6 min read · If you maintain HIPAA-covered systems, your Business Associate Agreement (BAA) inventory is one of the most under-engineered parts of your compliance posture. Most organizations carry it in a spreadsh

Why horizontal GRC platforms miss the half of HIPAA that actually fails an audit

May 29 · 6 min read · A 2026 engineering-perspective on the gap between "we passed SOC 2" and "we'd pass an OCR Risk Analysis Initiative inspection." The framing problem If you sell software into healthcare, you've probabl

A 2026 HIPAA Risk Assessment Pattern for Healthcare APIs

May 28 · 5 min read · The problem You're shipping a healthcare API. Your data plane touches PHI. Your auditors — eventually — will ask: show us your most recent HIPAA risk assessment. The answer "we'll generate one later"

How We Picked Our HIPAA Security Risk Assessment Tool in 2026 (Engineering-First Notes)

May 20 · 4 min read · If you're standing up the HIPAA SRA-tool stack for a healthcare org in 2026, what does the buying decision actually look like from the engineering side? A lot of the writing on this lives in marketing