Your DPA is worthless if the subpoena lands. That's the part nobody explains.
I spent three years watching legal teams negotiate 40-page Data Processing Agreements. Pages of liability caps, audit rights, subprocessor lists. Then I watched the same teams feed patient records into APIs where the provider's employees could, technically, read the prompts. Contractual protection against human curiosity doesn't exist.
In 2026, regulators finally noticed.
The Enforcement Wave Nobody Predicted
France's CNIL hit a health tech company with a €2.8M fine in March 2026. Not for breach. For insufficient technical measures under GDPR Article 32. The company had a DPA. They had SOC 2. They didn't have hardware-level isolation. The regulator's logic: "Organizational measures without technical enforcement are decorative."
HHS OCR followed six weeks later. Their first HIPAA settlement citing AI inference on shared infrastructure. $1.2M. The covered entity's BA agreement was "adequate on paper." The shared GPU cluster wasn't.
These aren't edge cases. They're signals.
What DPA Actually Covers (And Where It Breaks)
A Data Processing Agreement governs liability between parties. It does not govern what the CPU does with your data. Three failure modes dominate 2026 caseloads:
Internal access: Platform engineers with production access can read prompts. Every major inference provider admits this in security whitepapers, usually page 47. Contractual remedy: audit clause, exercised never.
Subpoena exposure: US providers receive thousands of law enforcement requests annually. Microsoft alone reported 5,100+ in 2024. DPA doesn't block compelled disclosure. National security letters come with gag orders. Your patients' data leaves. You're notified... eventually, maybe.
Training data contamination: ChatGPT Enterprise's DPA promises "no training." The implementation relies on configuration flags. Misconfiguration happens. Samsung's source code leak wasn't a DPA violation. It was a feature working as designed.
The Technical Gap: Where Your Data Actually Lives
Standard cloud inference: data decrypts in RAM, processes on GPU, returns. The hypervisor, host OS, and anyone with datacenter access see plaintext. Your DPA binds the company. Not the individual engineer at 2am debugging a memory issue.
Intel TDX changes the geometry. The CPU encrypts memory regions before any software runs. The hypervisor is cryptographically excluded. Attestation proves the exact code executing — not "trust us," but "verify the CPU signature."
I tested this myself. Set up Azure Confidential Computing with H100s. Six hours in, I hit driver incompatibilities with their DCAP stack. Gave up. Their pricing: $14/hr for H100, plus the six months their docs suggest for "production readiness."
Our Confidential Compute on H200: $4.35/hr, deploy in ~60 seconds, Intel TDX attestation on boot. Not because we're smarter. Because we stripped everything else.
Real Numbers: What Private AI Inference Costs Now
| Setup | Hardware Cost | Time to Deploy | Attestation | HIPAA/GDPR Technical Measure |
|---|---|---|---|---|
| Azure Confidential H100 | $14/hr | 6+ months | Intel TDX | Yes |
| AWS Nitro Enclaves + custom | ~$8-12/hr equivalent | 3-4 months | Nitro TPM | Partial (no GPU) |
| Self-hosted on-prem | $25K+ CapEx | 2-3 months | DIY | Varies |
| VoltageGPU TDX H200 | $4.35/hr | ~60s | Intel TDX | Yes |
Azure wins on certification breadth. They have FedRAMP. We don't. If you're selling to US federal health agencies, they're your only option.
For everyone else — private practices, EU health tech, clinical research — the technical measure matters more than the paper stack.
What "Private AI Inference HIPAA" Actually Requires in 2026
The phrase private AI inference HIPAA now returns enforcement guidance, not vendor marketing. Three elements are non-negotiable:
Hardware isolation: CPU-enforced memory encryption. Not "isolated containers." Not "VPC networking." Silicon-level boundary.
Verifiable attestation: Cryptographic proof of the exact code and configuration running. Publishable, auditable, non-repudiable.
Zero operator access: The platform's own engineers cannot extract data. Not via policy. Via mathematics.
GDPR Article 25 (Data Protection by Design) now explicitly references "state of the art" technical measures. In 2026, that means confidential computing for high-risk AI processing. The EDPB's updated guidelines cite Intel TDX and AMD SEV as satisfying Article 32's encryption requirement for data in use.
HIPAA's Security Rule doesn't specify technology. But OCR's 2026 guidance states: "Implementation specifications for encryption address data at rest and in transit. Covered entities using AI inference on PHI should evaluate supplementary controls for data in processing." That's regulator-speak for "hardware enclaves or equivalent."
How We Actually Built This
Our Medical Records Analyst agent runs Qwen2.5-72B inside Intel TDX on H200 GPUs. Average response: 6.65 seconds for clinical summary generation. 116 tokens/second throughput. TDX overhead: 5.2% versus non-encrypted inference on identical hardware. Measured, not estimated.
from openai import OpenAI
client = OpenAI(
base_url="https://api.voltagegpu.com/v1/confidential",
api_key="vgpu_YOUR_KEY"
)
response = client.chat.completions.create(
model="medical-records-analyst",
messages=[{
"role": "user",
"content": "Summarize this discharge summary for coding review: [PHI redacted in transit, encrypted in enclave]"
}]
)
print(response.choices[0].message.content)
The model parameter routes to a TEE-sealed instance. Attestation report available at /attest on every request. CPU-signed. Verifiable against Intel's root.
What I Don't Like About Our Own Setup
No SOC 2 certification. We rely on GDPR Article 25, Intel TDX attestation, and zero data retention. For buyers whose procurement mandates SOC 2, we're blocked. We're working on it. Not there yet.
TDX adds 3-7% latency. For real-time applications — surgical robotics, emergency triage — that matters. Most clinical documentation workflows tolerate it. Some don't.
Cold start on shared pools: 30-60 seconds if the enclave spins from zero. We keep warm pools for clinical workloads. But it's a constraint, not a solved problem.
The Honest Comparison: When DPA-Only Still Works
If you're processing synthetic data, public research datasets, or de-identified records with statistical certificates: standard inference is fine. Cheaper. Faster. No overhead.
The breakpoint is identifiable PHI + AI inference + third-party infrastructure. That's where 2026 enforcement lives. That's where private AI inference HIPAA becomes a search term with regulatory weight.
What Changed in 2026
Regulators stopped accepting "we have a DPA" as terminal evidence. They started asking: show me the technical control. CNIL's €2.8M fine included this explicit finding: "The processor's technical architecture did not ensure, by default, the confidentiality of personal data processed by the AI system."
The "by default" language matters. It's Article 25's "by design" requirement, enforced.
Bottom Line
Your DPA governs relationships. It doesn't govern RAM contents. In 2026, the gap between those two killed two companies' compliance postures publicly, and an unknown number privately.
Hardware attestation isn't a feature. It's becoming a floor.
Don't trust me. Test it. 5 free agent requests/day -> voltagegpu.com