The HHS Office for Civil Rights has identified telehealth platforms and AI-assisted clinical decision support tools as priority areas for HIPAA enforcement in 2026, signaling that healthcare organizations that expanded their digital health capabilities during and after the COVID-19 pandemic now face heightened scrutiny over how those tools handle protected health information.

The enforcement shift reflects a maturation of the telehealth market. The emergency flexibilities that allowed rapid telehealth expansion during the pandemic have largely expired or been formalized. OCR is now examining whether the telehealth platforms healthcare organizations adopted under those flexibilities are operating in full HIPAA compliance — not the relaxed standards that applied during the public health emergency.

The Telehealth Compliance Gap

The core HIPAA compliance issue with telehealth platforms is the Business Associate Agreement. A covered entity using a telehealth platform is sharing protected health information with the platform vendor. That relationship requires a BAA that meets HIPAA's specific requirements for what a business associate is permitted to do with PHI, how it must be secured, and what happens in the event of a breach.

During the pandemic, OCR exercised enforcement discretion for certain telehealth technologies operated by non-HIPAA-compliant vendors. That enforcement discretion ended. Healthcare organizations that selected telehealth vendors for speed during 2020 and 2021, rather than for HIPAA compliance, may now be operating under vendor relationships that were never fully papered to HIPAA standards.

OCR is also examining telehealth platforms' use of tracking technologies — pixels, cookies, and analytics tools that may be transmitting patient visit information to third parties including advertisers. The FTC and OCR issued joint guidance in 2023 on healthcare tracking technologies, and OCR has pursued enforcement actions against healthcare providers for impermissible tracking disclosures. That enforcement priority continues into 2026.

AI Clinical Decision Support and HIPAA

AI-assisted clinical decision support tools present a newer compliance challenge. These tools — which may analyze patient records, suggest diagnoses, recommend treatment protocols, or flag high-risk patients — typically process substantial amounts of PHI. The HIPAA compliance questions they raise are not new in principle but are new in scale and complexity.

The critical question for each AI clinical tool is whether the vendor relationship is properly structured as a Business Associate relationship, whether the BAA adequately covers the AI vendor's use of PHI for model training and improvement, and whether the AI vendor's security practices meet HIPAA's technical and administrative safeguard requirements.

AI vendors who train their models on patient data are business associates. AI vendors who receive only data that has been de-identified using HIPAA-compliant methods are not — but the de-identification process itself must be rigorous. Many healthcare organizations are discovering that their AI clinical tool contracts predate the current enforcement environment and do not adequately address these questions.

What Healthcare Organizations Should Do

Healthcare organizations should inventory every telehealth platform and AI-assisted clinical tool currently in use. For each, review the vendor contract to confirm a HIPAA-compliant BAA is in place. Confirm that the BAA's permitted uses and disclosures accurately reflect how the vendor is actually using PHI — including for AI model training. Review whether any vendor is using tracking technologies that may transmit PHI to third parties. And assess whether the vendor's security practices have been reviewed against current HIPAA Security Rule standards.

This article is for informational purposes and does not constitute legal advice.