Home health and hospice leaders should be preparing now for what could become the most significant update to the HIPAA Security Rule in more than a decade. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has proposed sweeping changes designed to strengthen cybersecurity protections for electronic protected health information in response to escalating ransomware attacks, data breaches, and persistent compliance failures across healthcare.
A final rule is currently projected for May 2026, with most requirements likely to take effect by late 2026 or early 2027. While the exact timeline remains uncertain, the direction is clear. Regulators are moving from flexibility to prescriptive, enforceable standards.
Why HIPAA Is Changing Now
The healthcare environment has changed dramatically since the Security Rule was first implemented. Today’s care delivery model includes cloud hosted systems, telehealth platforms, mobile devices in the field, connected medical equipment, health information exchanges, and artificial intelligence tools. At the same time, cyberattacks have surged, disrupting care and exposing sensitive patient information. OCR investigations consistently identify the same weaknesses: incomplete risk analyses, inadequate technical safeguards, and poor vendor oversight.
The proposed updates respond directly to these gaps.
Major Shifts And Safeguards
One of the most significant changes is eliminating the distinction between “required” and “addressable” safeguards. Under the proposal, all implementation specifications would be mandatory, with limited exceptions. For those organizations that have interpreted addressable as optional, this represents a major shift.
Risk analysis and risk management have become central. Covered entities and business associates would need to conduct comprehensive risk analyses at least annually. These assessments must include a current inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a network map showing how ePHI flows throughout systems. Organizations must identify reasonably anticipated threats, document vulnerabilities, assess risk levels, and implement remediation plans. Annual internal compliance audits are also required.
For home health and hospice providers, maintaining an accurate inventory of laptops, tablets, mobile devices, cloud systems, and third-party applications used by field staff may be one of the most operationally challenging requirements.
Technical safeguards are also tightening. Encryption of ePHI would be required both at rest and in transit. Multi-factor authentication would be mandatory for systems that access ePHI. Organizations would be expected to segment networks to limit the spread of an attack. Regular vulnerability scans, annual penetration testing, anti-malware protection, timely patch management, removal of unnecessary software, and disabling unused network ports are all part of the proposed framework.
Contingency planning receives renewed focus. Organizations would need written procedures capable of restoring critical systems and ePHI within 72 hours of a disruption, with clear restoration priorities. Backup and recovery controls must be clearly defined and tested.
Vendor oversight becomes more structured. Business associates and subcontractors would need to provide annual written confirmation of their security safeguards. They must notify covered entities within 24 hours of activating a contingency plan or when workforce access to ePHI changes. Given how heavily home health and hospice providers rely on vendors for EHR hosting, billing, analytics, and remote monitoring, contract updates and stronger vendor management processes will be essential.
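Added here as an illustration, not part of the original article: a small Python gap-analysis script that models the annual risk analysis described above (technology asset inventory, ePHI flow map, safeguard checks, risk levels, remediation priorities) together with the 72-hour restoration and annual vendor attestation checks. The asset records, the reference date, the 30-day patch window, the scoring weights and the field names are constructed assumptions, not text from the proposal.

```python
"""ePHI asset inventory gap analysis (added example, not the article's own code).

Each asset carries the safeguards the proposal names; gaps drive a likelihood
estimate, which is multiplied by impact to rank remediation. Flows to systems
that are not in the inventory are flagged, because that is how an incomplete
inventory or network map shows up in practice.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

RESTORE_HOURS_LIMIT = 72     # restoration window named in the proposal
ATTESTATION_MAX_DAYS = 365   # "annual written confirmation" from business associates
PATCH_WINDOW_DAYS = 30       # assumed patch SLA; the proposal only says "timely"


@dataclass
class Asset:
    name: str
    kind: str                                   # "laptop", "tablet", "cloud", "vendor", ...
    impact: int                                 # 1..5: consequence if ePHI here is lost or exposed
    ephi_flows_to: list[str] = field(default_factory=list)  # edges of the network map
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    mfa: bool = False
    segmented: bool = False
    last_patched: date | None = None
    restore_hours: int | None = None            # measured in a restore test; None = untested
    vendor_attestation: date | None = None      # date of the last written security confirmation


def findings(asset: Asset, inventory: dict[str, Asset], today: date) -> list[str]:
    """Return the safeguard gaps for one asset in plain language."""
    gaps = []
    if not asset.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if not asset.encrypted_in_transit:
        gaps.append("ePHI not encrypted in transit")
    if not asset.mfa:
        gaps.append("no multi-factor authentication")
    if not asset.segmented:
        gaps.append("not network-segmented")
    if asset.last_patched is None or (today - asset.last_patched).days > PATCH_WINDOW_DAYS:
        gaps.append("patching overdue")
    if asset.restore_hours is None:
        gaps.append("restoration never tested")
    elif asset.restore_hours > RESTORE_HOURS_LIMIT:
        gaps.append(f"restoration takes {asset.restore_hours}h, over the {RESTORE_HOURS_LIMIT}h target")
    if asset.kind == "vendor":
        att = asset.vendor_attestation
        if att is None or (today - att).days > ATTESTATION_MAX_DAYS:
            gaps.append("vendor security attestation missing or older than a year")
    for dest in asset.ephi_flows_to:
        if dest not in inventory:
            gaps.append(f"ePHI flows to uninventoried system '{dest}'")
    return gaps


def risk_score(asset: Asset, inventory: dict[str, Asset], today: date) -> int:
    """Likelihood (1..5, driven by the number of gaps) times impact (1..5)."""
    likelihood = min(5, 1 + len(findings(asset, inventory, today)))
    return likelihood * asset.impact


def risk_level(score: int) -> str:
    """Assumed banding of the 1..25 score into the three levels a risk register uses."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def remediation_plan(assets: list[Asset], today: date) -> list[dict]:
    """Rank every inventoried asset by risk, highest first, with its gaps listed."""
    inventory = {a.name: a for a in assets}
    rows = []
    for a in assets:
        score = risk_score(a, inventory, today)
        rows.append({"asset": a.name, "score": score, "level": risk_level(score),
                     "gaps": findings(a, inventory, today)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample inventory for a small home health agency (not real systems).
TODAY = date(2026, 1, 15)
SAMPLE_ASSETS = [
    Asset("ehr-cloud", "cloud", impact=5, ephi_flows_to=["billing-vendor", "field-tablet-fleet"],
          encrypted_at_rest=True, encrypted_in_transit=True, mfa=True, segmented=True,
          last_patched=date(2026, 1, 2), restore_hours=48),
    Asset("field-tablet-fleet", "tablet", impact=4, ephi_flows_to=["ehr-cloud"],
          encrypted_at_rest=True, encrypted_in_transit=True, mfa=False, segmented=False,
          last_patched=date(2025, 10, 1), restore_hours=None),
    Asset("billing-vendor", "vendor", impact=4, ephi_flows_to=["analytics-saas"],
          encrypted_at_rest=True, encrypted_in_transit=True, mfa=True, segmented=True,
          last_patched=date(2026, 1, 10), restore_hours=96, vendor_attestation=date(2024, 11, 1)),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_ASSETS, TODAY):
        print(f"{row['asset']:<20} {row['level']:<7} score={row['score']:>2}")
        for gap in row["gaps"]:
            print(f"    - {gap}")
```

In the sample run the tablet fleet ranks first (no MFA, no segmentation, overdue patching, untested restore), the billing vendor second (96-hour restore, stale attestation, and an ePHI flow to an analytics service nobody put in the inventory), and the EHR platform last with no gaps. The flow-to-unknown-system check is the part worth keeping even if the scoring is replaced: it turns the network map into a test of whether the inventory is actually complete.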
Enforcement trends reinforce the stakes. In 2025, OCR imposed more than $6.6 million in HIPAA penalties, many tied to ransomware, phishing attacks, and failure to conduct adequate risk analyses. Penalties ranged from $80,000 to $3 million. Cybersecurity failures are increasingly viewed as systemic compliance breakdowns rather than isolated technical issues.
Proposed Changes And Impact On Operations
At the same time, proposed changes to the HIPAA Privacy Rule introduce additional operational pressure. The timeframe for responding to patient requests for records would be shortened from 30 days to 15 days, with a maximum 15-day extension. OCR has already issued dozens of penalties for Right of Access violations under the current timeline. Meeting a shorter deadline will require streamlined workflows, especially since billing records, which are often stored in separate systems, fall within the definition of electronic health records and must be included in the response.
The proposal also addresses personal health applications and standards-based application programming interfaces. Providers would need to inform patients about privacy and security risks when sending information to third-party apps that are not covered by HIPAA. Patients could make oral requests to send records to third parties. They would also be allowed to inspect their records in person and take notes or photographs, creating practical and privacy considerations for supervised access.
For home health and hospice leaders, these changes carry real financial and operational implications. Technology upgrades, enhanced security tools, contract amendments, workforce training, and expanded audit functions all require time and resources. Smaller and lower-resourced organizations may feel a particular strain.
However, the message from regulators is unmistakable. Cybersecurity is patient safety. Ransomware attacks disrupt visits, delay documentation, interfere with medication management, and erode trust with families and referral partners.
What Leaders Should Do Now
Start with an honest assessment of your current security posture. Review your most recent risk analysis. Confirm that your technology asset inventory is complete and current. Evaluate encryption, multi-factor authentication, patch management, and backup capabilities. Identify safeguards previously treated as addressable and determine what full implementation would require.
Engage IT, compliance, legal, operations, and vendor management teams in coordinated planning. Begin reviewing business associate agreements and internal policies. Monitor regulatory updates closely so you can move quickly once the final rule is published.
The era of flexible interpretation is ending. Organizations that act proactively will not only position themselves for compliance but will also strengthen operational resilience and protect the patients and families who depend on them.