Three predictions for Canadian healthcare AI in 2026
January 22, 2026 · 5 min read · Merakey Team
Forecasts are an annual ritual that mostly serves as a reading of the present. Done honestly, they pin down what the writer thinks is happening right now, in a way that can be checked against reality twelve months later. Here are three for Canadian healthcare AI in 2026, written with the expectation that we will revisit them at the end of the year.
Prediction one: self-hosted goes from niche to default in regulated sectors
At the start of 2025, "self-hosted AI" was a position that needed to be defended. Vendors who built on top of OpenAI and Azure OpenAI had the easier sell, and most healthcare buyers accepted that the data residency question would be addressed somehow, eventually, by the cloud provider. By the end of 2025, that position was already wobbling. PIPEDA breach disclosures involving cross-border data flows became frequent enough that buyers stopped accepting "trust us" as an answer.
By the end of 2026, we expect the default architectural choice for new AI tools sold into Canadian regulated industries to be Canadian-hosted, often self-hosted. Cloud-first vendors will offer Canadian regions as upgrades. Buyers who chose them will increasingly ask why the upgrade is not the default.
Prediction two: AI-related breach reports double
PIPEDA mandatory breach reporting has been in force since 2018. The volume of reports involving AI tools was small through 2023, modest through 2024, and noticeably higher through 2025. Most of the increase came from cloud LLM tools that retained data for purposes the custodian had not fully understood: model improvement, analytics, third-party logging.
We expect the volume of AI-related reports to roughly double in 2026 compared to 2025. Not because AI tools become less safe, but because organizations are getting better at recognizing when an AI deployment has triggered a reportable event. The first half of 2026 will be where most of the catch-up happens.
Prediction three: the first major regulatory action lands
Through 2025, the IPC and the OPC issued guidance and warnings on AI but stopped short of high-profile enforcement. We expect the first major action, with public findings and concrete consequences, to land in 2026. The candidate cases already exist: hospitals that deployed cloud chatbots without adequate due diligence, agencies that integrated US-based assistants into clinical workflows, vendors that misrepresented where data was processed.
The first action will be procedurally cautious, narrowly written, and uncomfortably specific. It will set a precedent that everyone in the market will be reading carefully. Custodians who have already moved their AI deployments to Canadian-hosted, accountable architectures will read it with relief. The ones who haven't will start migration projects the following Monday.
None of these are wild predictions. They are the year-end forecasts of trends already visible at the start of 2026. The interesting question is which of the three lands first.
Related articles
Self-hosted vs. cloud AI: why 43% of healthcare orgs are choosing local
Healthcare organizations are moving AI workloads off the cloud. We compare self-hosted and cloud AI for regulated industries, covering data sovereignty, PIPEDA compliance, and the real cost of a breach.
The $7.4M question: what a healthcare data breach actually costs
Healthcare data breaches cost an average of $7.4 million, the highest of any industry. We break down why DS agencies are at risk and how data residency, PIPEDA, and the CPPA shape your obligations.
Ready to see Meridian in action?
See how Merakey builds AI on Canadian-hosted, accountable architecture from the ground up.
Book a Demo