In two weeks, healthcare’s biggest annual gathering kicks off in San Francisco. JPM 2026 isn’t just another conference year—it’s the starting gun for the most consequential twelve months in healthcare AI compliance.
The conversations at JPM will be different this year. Not “are you using AI?” but “can you prove your AI is safe?” Not “what’s your AI strategy?” but “what happens when Colorado asks for your risk assessment?”
The shift is real, and it’s happening fast.
What’s Coming in 2026
Let’s be honest about the landscape:
- June 30: Colorado AI Act takes effect. Every healthcare AI making “consequential decisions” needs risk assessments, impact statements, and consumer disclosures. That’s six months away.
- August 2: EU AI Act high-risk obligations go live. If you sell into Europe, your healthcare AI is almost certainly high-risk.
- All year: More states follow Colorado’s lead. Connecticut, Texas, Illinois—the patchwork is forming.
And that’s just regulation. The litigation pressure is mounting too. The Sharp HealthCare lawsuit over ambient AI scribes isn’t an isolated incident—it’s a template. $5,000 per violation under California’s wiretapping statute. Multiply that by patient encounters and the math gets uncomfortable fast.
The Question Governance Committees Are Asking
Here’s what I’m hearing from health system CISOs and CMIOs: “We’ve approved dozens of AI vendors based on attestation letters and SOC 2 reports. Now the board is asking what happens if one of them hallucinates in a clinical setting. And we don’t have a good answer.”
The old playbook—trust the vendor, check the boxes, move on—doesn’t work anymore. Governance committees want proof. Not “we have guardrails” but “here’s evidence the guardrail executed on this patient’s data at this timestamp.”
That’s the gap. And it’s why we’ve been heads-down building resources to help.
What We’ve Built
Over the past few months, we’ve put together a library of practical guides for navigating what’s ahead. Not theoretical frameworks—actionable resources for real compliance challenges.
Healthcare AI Compliance Briefing
The essential pre-read for JPM. State laws, consent litigation, HIPAA gaps, and what governance committees are asking.
RegulationColorado AI Act Compliance Guide
SB 24-205 requirements, timeline, and implementation checklist. What healthcare AI vendors need before June 30.
TrackerUS State AI Laws Tracker
The patchwork is forming. Track which states are regulating AI and what their requirements mean for healthcare.
Risk AlertAmbient AI Scribe Privacy Guide
CIPA liability, consent requirements, and lessons from the Sharp HealthCare lawsuit.
InternationalEU AI Act Compliance Guide
Complete guide to the world’s first comprehensive AI regulation. Risk classifications, timelines, and implementation.
Plus deep-dives on HIPAA-compliant AI, NIST AI RMF implementation, ISO 42001 certification, and role-specific guides for CISOs, CMIOs, and General Counsel.
See You at JPM
We’ll be in San Francisco January 12–15. If you’re navigating AI compliance challenges—whether you’re a health system trying to vet vendors, or a vendor trying to satisfy enterprise security reviews—let’s talk.
The shift from “trust us” to “prove it” is happening. The organizations that figure it out early will have a real advantage. The ones that don’t will spend 2026 playing catch-up.
Happy New Year. It’s going to be an interesting one.
Meeting at JPM?
We’re booking meetings for January 12–15 in San Francisco. Let’s discuss your AI compliance challenges.
Schedule a Meeting