2026 HIPAA Security Rule: What Home Healthcare Agencies Need to Know

Editor's Note: As of May 2026, HHS/OCR has proposed updates to the HIPAA Security Rule, but agencies should confirm the final regulatory language once published. This article is for educational purposes and does not constitute legal advice.
A Deep Dive for Agency Owners, Administrators, Compliance Officers, and Healthcare Leaders
Healthcare is moving into the home. That is no longer a prediction; it is the direction of the industry.
Across the United States, home healthcare agencies are being asked to do more: support older adults who want to age in place, reduce unnecessary hospitalizations, coordinate with physicians and payers, document outcomes, meet quality expectations, and manage increasingly complex patient needs outside traditional clinical settings.
But as care moves into the home, something else moves with it: cyber risk.
Every home visit now depends on technology. Scheduling systems, electronic visit verification platforms, EMRs, mobile phones, tablets, laptops, email, cloud storage, billing systems, payer portals, referral platforms, and third-party vendors all play a role in delivering care. That means patient information is no longer sitting in one file cabinet or one office system. It is moving constantly across people, devices, applications, and organizations.
That is why the expected 2026 update to the HIPAA Security Rule matters so much for home healthcare agencies.
As of May 2026, HHS/OCR has issued a major Notice of Proposed Rulemaking to strengthen the HIPAA Security Rule, but publication of a final rule has not yet been confirmed. HHS describes the proposal as an effort to update cybersecurity safeguards, better address modern threats, and require covered entities and business associates to better protect electronic protected health information, or ePHI, against internal and external threats.
For home healthcare leaders, the direction is clear: HIPAA security is becoming more specific, more operational, and more difficult to treat as a paperwork exercise.
The HIPAA Security Rule Is No Longer Just an IT Issue
The existing HIPAA Security Rule already requires covered entities and business associates to protect the confidentiality, integrity, and availability of ePHI through administrative, physical, and technical safeguards.
That sounds technical, but it is really a business leadership issue.
For a home healthcare agency, confidentiality means patient information is not exposed to unauthorized people. Integrity means patient information is accurate, reliable, and not improperly changed. Availability means staff can access the systems and data they need to deliver care when they need them.
A ransomware attack can destroy availability. A phishing incident can destroy confidentiality. A poorly managed user account can threaten integrity. A lost laptop, weak password, compromised email account, or careless vendor can become a HIPAA problem, an operational problem, and a patient trust problem at the same time.
This is why agency owners and administrators cannot leave cybersecurity entirely to "the IT person." The consequences are too broad. A cyber incident can interrupt visits, delay billing, expose patient records, damage referral relationships, trigger regulatory scrutiny, and create reputational harm in the community.
Cybersecurity has become part of care delivery.
Why Home Healthcare Agencies Are Especially Exposed
Hospitals and large health systems usually have centralized IT departments, security teams, compliance offices, and formal governance processes. Many home healthcare agencies operate differently.
They often have distributed workers, lean administrative teams, limited cybersecurity budgets, high staff turnover, multiple cloud platforms, and a mix of agency-owned and personal devices. Some staff access patient information from home, from the field, from a car, from a patient's residence, or from a mobile device connected to a public or home Wi-Fi network.
That creates a very different risk profile.
A typical agency may use one system for scheduling, another for billing, another for payroll, another for email, another for caregiver communication, another for document storage, and another for electronic visit verification. Patient information may flow through emails, attachments, spreadsheets, portals, text messages, scanned documents, and mobile apps.
This complexity creates gaps.
Common weaknesses include no multi-factor authentication, shared passwords, unmanaged laptops, personal phones used for work communication, weak email security, no endpoint detection and response, no tested backup, incomplete HIPAA risk analysis, outdated policies, limited staff training, and no clear incident response process.
These issues are not rare. They are common across small and mid-sized healthcare organizations. And the expected HIPAA Security Rule update is likely to make these gaps harder to ignore.
The Proposed Rule Signals a More Prescriptive Era
One of the most important things about the proposed HIPAA Security Rule update is its tone. HHS has stated that the proposed rule would clarify and provide more specific instruction about what regulated entities must do to protect ePHI. It would also require policies and procedures to be written, reviewed, tested, and updated regularly.
That matters.
For years, many organizations leaned on the flexibility of the Security Rule. Flexibility was useful because a small home healthcare agency does not have the same resources as a national hospital system. But flexibility was never intended to mean doing the minimum or avoiding basic cybersecurity controls.
The proposed rule reflects a larger shift in healthcare regulation: cybersecurity expectations are becoming more concrete.
In practical terms, agencies should expect more scrutiny around whether they can demonstrate actual security practices, not just policies. It will not be enough to say, "We take HIPAA seriously." Agencies will need evidence.
That evidence may include risk analysis documentation, asset inventories, access control reviews, MFA implementation, backup testing, incident response plans, vendor oversight, staff training records, and proof that security policies are reviewed and updated.
Risk Analysis Will Remain the Foundation
If there is one area every home healthcare agency should focus on immediately, it is the HIPAA Security Rule risk analysis.
OCR's January 2026 cybersecurity newsletter emphasized that the Security Rule's risk analysis provision requires regulated entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI, including risks from unpatched software.
For home healthcare agencies, a proper HIPAA risk analysis cannot be generic. It must reflect how the agency actually operates.
That means asking:
- Where does ePHI enter our agency?
- Which systems store patient information?
- Which employees, contractors, and vendors can access it?
- Which devices are used by field staff?
- Are personal phones being used to communicate patient information?
- Is email protected with multi-factor authentication?
- Are laptops encrypted?
- Are former employees removed from systems immediately?
- Are backups tested?
- Do we know what to do if our EMR or billing system goes down?
- Do our vendors have access to ePHI?
- Do we have signed Business Associate Agreements?
A superficial checklist will not be enough. The agency must understand its real environment. If patient information flows through a process, device, application, vendor, or employee, that area belongs in the risk analysis.
Asset Inventory and ePHI Mapping Will Become Critical
One of the most practical changes home healthcare agencies should prepare for is the need for better system inventory and ePHI mapping.
You cannot protect what you cannot identify.
An agency should know every system, application, device, and vendor that creates, receives, maintains, transmits, or stores ePHI. This includes the obvious systems, such as EMRs and billing platforms, but also less obvious tools such as cloud drives, spreadsheets, email archives, scanned documents, messaging platforms, payroll systems, referral portals, and backup systems.
For many agencies, this exercise is eye-opening. Leaders often discover that patient information is scattered across more places than expected.
A strong system inventory should answer:
- What technology do we use?
- Who owns each system?
- What patient information is inside it?
- Who has access?
- Is access role-based?
- Is MFA enabled?
- Is the data encrypted?
- Is the system backed up?
- Does a vendor support it?
- Do we have a Business Associate Agreement?
- When was access last reviewed?
This type of inventory is not just for compliance. It improves operational discipline. It helps with onboarding, offboarding, vendor management, cyber insurance, incident response, and disaster recovery.
Multi-Factor Authentication Is Becoming Non-Negotiable
For home healthcare agencies, multi-factor authentication should be viewed as one of the most important safeguards.
Passwords alone are no longer enough. Staff reuse passwords. Passwords are stolen in breaches. Phishing emails trick employees into giving up credentials. Attackers know that email accounts and cloud platforms are often the easiest path into a healthcare organization.
MFA should be enabled for email, EMR access, billing systems, cloud storage, payroll, remote access tools, administrator accounts, and any system that contains or connects to ePHI.
This is especially important in home healthcare because staff are mobile. They may access systems from different locations, devices, and networks. MFA creates an additional layer of protection when passwords are compromised.
From a business perspective, MFA is one of the clearest examples of a control that is both practical and powerful. It does not solve every problem, but it significantly reduces the likelihood that a stolen password becomes a major breach.
Backup and Disaster Recovery Are Patient Care Issues
Many agencies think about backup only after something goes wrong. That is dangerous.
If ransomware locks an agency out of its systems, the impact can be immediate. Schedules may become unavailable. Care plans may be inaccessible. Billing may stop. Payroll may be delayed. Referral communication may break down. Staff may not know which patients require visits or what services are authorized.
That is not just an IT inconvenience. It can become a care continuity problem.
The HIPAA Security Rule already focuses on the availability of ePHI, not only confidentiality. For home healthcare agencies, availability should be treated as a core operating requirement.
Agencies should know:
- Are our critical systems backed up?
- Are Microsoft 365 or Google Workspace emails and files backed up separately?
- Can ransomware reach our backups?
- How quickly can we restore data?
- Have we tested restoration?
- Can we operate manually for 24 to 72 hours?
- Who makes decisions during downtime?
- Do staff know what to do if systems are unavailable?
A backup that has never been tested is only a hope. A real disaster recovery plan must be documented, tested, and understood by leadership.
Vendor Risk Is Agency Risk
Home healthcare agencies depend heavily on vendors. EMR vendors, billing companies, IT providers, payroll platforms, scheduling systems, cloud storage providers, consultants, cybersecurity firms, call centers, and document management platforms may all touch patient data.
That means vendor risk is no longer separate from agency risk.
If a vendor has weak security and experiences a breach, the agency may still face operational disruption, patient concern, payer questions, and regulatory obligations. The Change Healthcare cyberattack showed how deeply interconnected healthcare operations have become. HHS has maintained public guidance on the incident, including HIPAA breach notification issues related to affected covered entities and individuals.
Home healthcare agencies should not treat Business Associate Agreements as paperwork alone. A BAA is important, but it is not a substitute for vendor oversight.
Agency leaders should ask vendors:
- Do you use MFA?
- Is our data encrypted?
- Who can access our data?
- Do you subcontract any services?
- Where is our data stored?
- How quickly will you notify us of a security incident?
- Do you have an incident response plan?
- Do you test backups?
- Can you support us during an outage?
- Can you provide evidence of security practices?
If a vendor cannot answer basic security questions, that is a risk signal.
Staff Training Must Become Practical
Most cybersecurity incidents involve people in some way. A staff member clicks a phishing link. A weak password is reused. A device is lost. A document is sent to the wrong recipient. A caregiver texts patient information through an insecure channel. A former employee still has access to a system.
Training must be practical, not theoretical.
Home healthcare staff need to understand the situations they actually face: suspicious emails, fake invoices, password reset scams, unsafe texting, lost devices, public Wi-Fi, patient information in vehicles, family member requests for information, and urgent messages that pressure them to bypass procedures.
Annual HIPAA training is not enough by itself. Agencies need recurring awareness, short reminders, phishing education, onboarding training, and clear reporting procedures. Staff should know exactly who to contact if they suspect something is wrong.
A strong security culture does not punish employees for reporting mistakes quickly. It encourages fast reporting so the agency can contain issues before they become major incidents.
Incident Response Must Be Clear Before the Incident
When a cyber incident happens, confusion is expensive.
The agency should already know who is responsible for the first response. Who receives the report? Who contacts IT? Who contacts legal counsel? Who contacts cyber insurance? Who communicates with staff? Who speaks with vendors? Who preserves evidence? Who decides whether patient information may have been involved?
The first 24 to 72 hours matter. Agencies that improvise during that window often lose time, miss key facts, or make the incident worse.
A practical incident response plan should include ransomware, phishing, lost devices, unauthorized access, vendor incidents, email compromise, and system outages. It should include names, roles, phone numbers, escalation steps, and documentation requirements.
Most importantly, the plan should be tested. A tabletop exercise can reveal gaps before a real event does.
What Agencies Should Do in the Next 90 Days
Home healthcare agencies do not need to panic, but they should act.
During the first 30 days, leadership should focus on visibility. Build a system inventory. Identify where ePHI lives. List vendors. Review devices. Confirm who has access to critical systems. Check whether MFA is enabled. Review backup status. Gather current HIPAA policies and prior risk assessment documents.
During days 31 to 60, the agency should address the highest-risk gaps. Enable MFA. Remove access for former employees. Stop shared accounts. Strengthen email security. Deploy endpoint protection on agency-owned devices. Review remote access tools. Train staff on phishing. Confirm that backups are working. Update incident response contacts.
During days 61 to 90, the agency should formalize governance. Document the risk analysis. Update policies. Review Business Associate Agreements. Test backup restoration. Run a tabletop incident response exercise. Create a quarterly access review process. Establish recurring cybersecurity training. Prepare a leadership dashboard showing open risks and remediation progress.
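As an added example (not from the article or from ShieldForce), the script below performs the quarterly access review that the 90-day plan calls for, and answers the inventory questions above about who has access, whether MFA is enabled and when access was last reviewed. It assumes two exports most agencies can produce, an account list from each system and an HR roster; the column names, system names and rows are constructed for illustration.

```python
"""Quarterly access review reconciliation (hypothetical example, not the article's code).

Inputs are two CSV exports: accounts (system, username, owner_email, mfa_enabled,
last_review) and the HR roster (email, status, end_date). All rows are constructed.
"""
import csv
import io
from datetime import date, datetime

ACCOUNTS_CSV = """system,username,owner_email,mfa_enabled,last_review
EMR,jsmith,jsmith@agency.example,yes,2026-03-15
EMR,frontdesk,,no,2025-10-01
Billing,mlee,mlee@agency.example,yes,2025-11-20
M365,kjones,kjones@agency.example,no,2026-04-02
Payroll,tbrown,tbrown@agency.example,yes,2026-04-30
"""
ROSTER_CSV = """email,status,end_date
jsmith@agency.example,active,
mlee@agency.example,terminated,2026-02-01
kjones@agency.example,active,
tbrown@agency.example,terminated,2026-06-15
"""
STALE_DAYS = 90  # quarterly review cadence from the 90-day plan


def _parse(day):
    return datetime.strptime(day, "%Y-%m-%d").date()


def review_access(accounts_csv, roster_csv, today):
    """Return (system, username, finding) tuples for the review minutes."""
    roster = {r["email"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        key = (acct["system"], acct["username"])
        owner = roster.get(acct["owner_email"]) if acct["owner_email"] else None
        if owner is None:
            # No individual owner: a shared login or an orphaned account
            findings.append(key + ("no individual owner (shared/orphan account)",))
        elif owner["status"] == "terminated" and (
            not owner["end_date"] or _parse(owner["end_date"]) <= today
        ):
            # A future end_date means the person still works here; only flag past ones
            findings.append(key + ("owner terminated, account still active",))
        if acct["mfa_enabled"].strip().lower() != "yes":
            findings.append(key + ("MFA not enabled",))
        age = (today - _parse(acct["last_review"])).days
        if age > STALE_DAYS:
            findings.append(key + (f"access not reviewed in {age} days",))
    return findings


if __name__ == "__main__":
    for system, user, finding in review_access(ACCOUNTS_CSV, ROSTER_CSV, date(2026, 5, 15)):
        print(f"{system:8} {user:10} {finding}")
```

Run it against real exports by swapping the two constants for file contents; every finding maps to an item on the inventory checklist, so the output doubles as evidence that the review happened.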
This does not require perfection. It requires progress, discipline, and evidence.
The Real Message for Home Healthcare Leaders
The expected 2026 HIPAA Security Rule update should be viewed as a wake-up call.
Home healthcare has become a digital business. Patient care, billing, scheduling, referrals, documentation, compliance, payroll, and communication all depend on technology. That makes cybersecurity part of the agency's ability to function.
The agencies that understand this early will be stronger. They will be better prepared for audits, payer reviews, referral partner expectations, cyber insurance questionnaires, and real-world incidents. They will also be better positioned to earn trust.
The agencies that ignore this shift may find themselves reacting under pressure after a breach, a ransomware event, a failed audit, or a lost contract opportunity.
The future of home healthcare will not be defined only by compassion and clinical service. Those will always matter. But the future will also be shaped by operational maturity, compliance readiness, data protection, and cyber resilience.
Care is moving into the home.
Security must follow.
Is Your Agency Ready for the Next Era of HIPAA Cybersecurity Enforcement?
ShieldForce helps home healthcare agencies identify cybersecurity and HIPAA readiness gaps across people, devices, cloud systems, email, backups, vendors, mobile workers, and ePHI workflows.
Our Home Healthcare Cyber Readiness Assessment gives agency leaders a practical view of where they stand today and what needs to be strengthened before a breach, audit, payer review, cyber insurance renewal, or final rule deadline forces the conversation.
Schedule a complimentary Home Healthcare Cyber Readiness Assessment with ShieldForce today. Let us help your agency protect patient trust, reduce ransomware risk, strengthen HIPAA-aligned safeguards, and build a practical roadmap for secure growth in the new era of care at home.
About the Author
Obi Ibeto is the Founder and CEO of ShieldForce Corporation, a cybersecurity company helping home healthcare agencies, community health centers, and regulated small and mid-sized businesses strengthen cyber resilience, HIPAA-aligned safeguards, ransomware readiness, endpoint protection, email security, backup, and workforce security awareness.
