Practical writing on governance, privacy, and risk from someone who's had to make it work.
I write about what I'm seeing in practice — what's working, what isn't, and where the gap between policy and operations actually lives. I'm not trying to cover everything. When something worth saying comes up, I say it.
If there's a topic you'd like me to dig into, reach out. I pay attention to what people are actually wrestling with.
The HIPAA Minimum Necessary Standard: History, Enforcement, and What AI Actually Changes
The minimum necessary standard has been on the books since 2002. OCR has never explained how it applies to AI inference, model training, or PHI flowing into vendor systems. This piece covers the history, where enforcement has actually landed, and what that gap in guidance means for covered entities deploying AI today.
The Federal AI Bill Isn't About Your Business - And That's the Problem
The Great American AI Act is primarily a frontier model governance bill. Title I — the bulk of the regulatory framework — targets the handful of companies that trained large AI foundation models using extraordinary compute resources. For businesses that deploy AI, two provisions apply, the state compliance patchwork is fully intact, and preemption is narrower than most coverage suggests.
Two Things I Couldn't Let Go This Week
Verizon's 2026 DBIR found vulnerability exploitation just knocked stolen credentials off the top spot as the most common initial access vector. First time in 19 years. Separately, Colorado repealed and replaced its landmark AI Act before it ever took effect. Two unrelated stories, both worth your time this week.
California's CCPA enforcer said $12.75M might not be high enough
California fined General Motors $12.75 million on May 8, the largest CCPA penalty in state history. Days later, CalPrivacy's Deputy Director of Enforcement said fines "could become a cost of doing business if they're not higher." Four cases, four years, and a self-replenishing enforcement budget: here's what California has built.
California Moved 11 AI Bills in One Week. Is Your Compliance Program Paying Attention?
Eleven AI bills cleared committee in Sacramento last week — chatbots, healthcare AI, and employment automation, all moving at the same time. California isn't waiting for federal action, and neither should your compliance program. Here's what just moved and what it means for enterprise AI governance.
HIPAA Compliance Beyond the Binder
OCR is increasingly focused on whether HIPAA programs work in practice, not just on paper. This article explains the enforcement trend and why operational compliance can help healthcare businesses move faster and scale more responsibly.
AI or You? Who’s on the hook?
When an AI tool fails in a healthcare setting, everyone points at someone else — and patients and regulators don't care. Six questions every compliance, legal, and IT leader should be able to answer before going live with an AI deployment.