What Hospice Agencies Need to Know About the 2026 HIPAA Security Rule Update
Obi Ibeto

The 2026 HIPAA Security Rule update changes several requirements from "addressable" to mandatory — with direct implications for hospice agencies. Here's what changed and what your agency must do.

The HIPAA Security Rule has not changed significantly since 2013. In those thirteen years, the hospice technology environment has transformed: cloud-based EHR systems, mobile devices for field staff, electronic care coordination with hospital systems, and digital family communication tools are all now standard. The threat environment has transformed equally dramatically.

The 2026 update to the HIPAA Security Rule addresses this gap — and for hospice agencies, several of the changes are particularly relevant given the distributed nature of hospice care delivery.

What Changed: The Five Most Important Updates for Hospice

Change 1: Encryption Is Now Mandatory

The original HIPAA Security Rule listed encryption as "addressable" — organizations could document a reasonable alternative if encryption wasn't implemented. The 2026 update removes that flexibility. Encryption of ePHI at rest and in transit is now required with no documentation workaround.

For hospice agencies: Every device used to access patient records must be encrypted. This includes:

  • Office workstations and laptops
  • Tablets and smartphones used by field nurses and social workers
  • Devices used by chaplains and aides to document visits
  • Backup systems and cloud storage containing patient records

For hospice agencies with field staff on personal devices — which is the operational norm — this creates an immediate action item. A nurse's personal phone used to access the agency EHR must be encrypted. For iPhones, encryption is enabled automatically when a passcode is set. For Android devices, encryption must be verified explicitly.
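The workstation and laptop part of that device list can be verified with a script rather than by inspection. The following is an added example, not code from the original post or from ShieldForce: it reads BitLocker status for every volume on a Windows device and produces a record that can be filed as encryption verification evidence. It assumes it runs elevated on the device (or through an endpoint management tool), and the evidence file path in the trailing comment is a placeholder. Phones and tablets are not covered here; iOS and Android encryption is verified through the agency's mobile device management compliance report.

```powershell
# Added example (not from the original post or ShieldForce): collect encryption
# evidence from a Windows workstation or laptop by reading BitLocker status for
# every volume. Run elevated on the device itself, or under a management tool
# that can execute scripts on endpoints.

function Get-DriveEncryptionEvidence {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume ships with the BitLocker module on Windows 8 / Server 2012 and later.
    Get-BitLockerVolume | ForEach-Object {
        [PSCustomObject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType              # OperatingSystem or Data
            VolumeStatus     = $_.VolumeStatus            # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus = $_.ProtectionStatus        # On = key protectors are active
            EncryptionMethod = $_.EncryptionMethod
            KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ",")
            # A volume only counts as compliant when it is fully encrypted AND protection is on.
            # ProtectionStatus "Off" on an encrypted volume means BitLocker is suspended and the
            # volume master key is stored unprotected on disk, so the data is readable without a PIN or TPM.
            Compliant        = ($_.VolumeStatus -eq "FullyEncrypted" -and $_.ProtectionStatus -eq "On")
            CheckedAt        = (Get-Date).ToString("o")
        }
    }
}

$evidence = Get-DriveEncryptionEvidence
$evidence | Format-Table -AutoSize

# Exit non-zero when any volume is non-compliant so a management tool can flag the device.
$nonCompliant = @($evidence | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) volume(s) not fully protected on $env:COMPUTERNAME"
    exit 1
}

# Append the record to the agency's evidence file (path is a placeholder):
# $evidence | Export-Csv -Path "\\fileserver\compliance\encryption-evidence.csv" -Append -NoTypeInformation
```

Running this on a schedule and keeping the appended CSV gives a dated, per-device record, which is what an investigator asks for under the risk management standard; a one-time screenshot of the BitLocker control panel does not show that encryption stayed on.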

Change 2: MFA Is Now Required for All ePHI Access

Multi-factor authentication was previously recommended. The 2026 update makes it legally required for every account with access to ePHI — no exceptions.

For hospice agencies: Every clinical staff member, administrative staff member, and any contractor accessing patient records must use MFA. This includes access to:

  • The hospice EHR (Netsmart myUnity, Brightree, Axxess, MatrixCare, Suncoast)
  • Email accounts that receive or transmit patient information
  • Cloud storage systems containing clinical documentation
  • Any remote access to agency systems

The practical implementation for most hospice agencies using Microsoft 365 involves enabling Conditional Access policies that require MFA for all users. A qualified cybersecurity provider manages this without disrupting clinical workflows.
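The Conditional Access policy described above, as an added example written for this article rather than code from the original post or from ShieldForce. It assumes the Microsoft Graph PowerShell SDK is installed, that an administrator can consent to the two scopes used, and that the agency has an emergency-access (break-glass) account whose object ID replaces the placeholder below. The policy is created in report-only mode first so the sign-in log can show which accounts or devices would be blocked before enforcement is switched on.

```powershell
# Added example (not from the original post or ShieldForce): create a tenant-wide
# Conditional Access policy that requires MFA for every user and every cloud app,
# then read the tenant's MFA policies back so the result can be filed as
# MFA implementation evidence.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The break-glass account ID is a placeholder: replace it with the object ID of the
# agency's emergency-access account so a misconfiguration cannot lock everyone out.

$BreakGlassAccountId = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

function New-AllUsersMfaPolicy {
    param(
        [string]$DisplayName = "HIPAA 2026 - Require MFA for all users",
        # Start in report-only mode; change to "enabled" after reviewing the sign-in log
        # for any field-staff account or device that would have been blocked.
        [ValidateSet("enabledForReportingButNotEnforced", "enabled")]
        [string]$State = "enabledForReportingButNotEnforced"
    )

    $policy = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeUsers = @("All")
                excludeUsers = @($BreakGlassAccountId)   # emergency-access exclusion only
            }
            applications = @{
                includeApplications = @("All")           # email, cloud storage, remote access, federated EHR
            }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

function Get-MfaPolicyEvidence {
    # Lists every policy that requires MFA with its scope and state, so the output
    # can be timestamped and kept with the agency's compliance documentation.
    Get-MgIdentityConditionalAccessPolicy |
        Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
        Select-Object DisplayName, State,
            @{ Name = "IncludeUsers"; Expression = { $_.Conditions.Users.IncludeUsers -join "," } },
            @{ Name = "ExcludeUsers"; Expression = { $_.Conditions.Users.ExcludeUsers -join "," } },
            @{ Name = "IncludeApps";  Expression = { $_.Conditions.Applications.IncludeApplications -join "," } }
}

$created = New-AllUsersMfaPolicy
"Created policy '$($created.DisplayName)' in state '$($created.State)'"

Get-MfaPolicyEvidence | Format-Table -AutoSize

# Evidence export for the compliance file:
# Get-MfaPolicyEvidence | Export-Csv -Path ".\mfa-policy-evidence-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Two things to check before calling this done. First, a Conditional Access policy only governs applications that authenticate through Microsoft Entra ID; an EHR that keeps its own login (rather than single sign-on through the tenant) needs MFA turned on in the vendor's own admin console, and that setting belongs in the evidence file too. Second, an evidence listing that shows the policy still in "enabledForReportingButNotEnforced" is not MFA implementation evidence; the policy must read "enabled".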

Change 3: Biannual Vulnerability Scanning Is Required

The original rule required "periodic" technical evaluation. The 2026 update specifies automated vulnerability scanning at least twice a year.

For hospice agencies: This means scheduled vulnerability scans of your IT environment — the systems, devices, and networks through which ePHI flows — at least twice per year. Results must be documented. Identified vulnerabilities must have a documented remediation timeline.

For agencies without IT staff, this means engaging a managed security provider who conducts and documents the scans as part of their service.

Change 4: Annual Penetration Testing Is Required

Separate from vulnerability scanning, the 2026 rule requires annual penetration testing by a qualified internal or external party.

For hospice agencies: Annual pen testing by an external firm is the appropriate approach for most hospice agencies. Cost ranges from $3,000–$15,000 depending on scope. The test results and remediation actions must be documented.

Change 5: 72-Hour Breach Notification for Workforce Incidents

The 60-day HIPAA breach notification window for OCR reporting remains unchanged. But the 2026 update introduces a 72-hour internal notification requirement for incidents involving workforce member unauthorized access.

For hospice agencies: If you discover that an employee's credentials were compromised, that a staff member accessed patient records without authorization, or that an unauthorized party accessed ePHI through a workforce member's account, your incident response procedures must escalate internally within 72 hours.

The Hospice-Specific Compliance Challenges

EHR Integration Risk: Hospice EHR systems — Netsmart myUnity, Brightree, Axxess, MatrixCare, Suncoast — are themselves covered by BAAs with their vendors. But the controls layered on top of the EHR — device management, network security, email security, access control — are the hospice agency's responsibility, not the EHR vendor's.

A hospice that assumes its EHR vendor's compliance covers the agency's own HIPAA obligations is mistaken. The EHR vendor is responsible for the security of the hosted application. The hospice agency is responsible for the security of the devices, networks, and users that access it.

IDG Communication: The interdisciplinary group model requires regular communication between nurses, social workers, chaplains, physicians, and administrators. Much of this communication involves ePHI. The email, messaging, and documentation tools used for IDG communication must meet the 2026 encryption and access control requirements.

Volunteer Management: Hospice volunteers who access patient information — even limited information like scheduling and contact details — have access to ePHI. The 2026 rule's MFA and encryption requirements apply to volunteer accounts. This is frequently overlooked in volunteer-driven hospice organizations.

The Documentation Standard for 2026

OCR's enforcement focus has expanded from risk analysis to risk management — meaning investigators are asking not just "did you conduct a risk analysis?" but "did you act on what you found?" For hospice agencies, the documentation standard includes:

  • Current risk analysis (within the past 12 months or since last significant change)
  • Risk management plan with identified controls and implementation status
  • Written information security program addressing the 2026 requirements
  • MFA implementation evidence
  • Encryption verification for all device types
  • Vulnerability scan results (biannual)
  • Penetration test results (annual)
  • Staff training completion records (annual, with role-specific content)
  • Incident response plan with 72-hour internal notification procedures

ShieldForce provides all of this documentation as a standard component of the hospice cybersecurity managed service.

Is your hospice agency ready for the 2026 HIPAA Security Rule requirements? ShieldForce delivers a complete 2026-aligned HIPAA program for hospice agencies — including documentation, technical controls, and ongoing management.

Get your free hospice HIPAA risk assessment.