The 2026 HIPAA Security Rule update is the most significant change to federal healthcare data security law since 2013. Previously "addressable" specifications — meaning agencies could implement reasonable alternatives — have been converted into hard mandatory requirements. For home health agencies, this means no more flexibility on MFA, encryption, or annual penetration testing. This checklist covers every requirement, organized by implementation priority.
What Changed: The Six New Mandatory Requirements
The final 2026 rule added six requirements that did not exist as mandates in the original framework:
- Multi-factor authentication (MFA) — mandatory for all accounts with ePHI access, no exceptions, no bypass allowed
- Encryption at rest — every device and every cloud storage bucket containing ePHI must be encrypted
- Encryption in transit — TLS 1.2 minimum for all ePHI transmissions
- Biannual vulnerability scanning — with documented findings and remediation tracking
- Annual penetration testing — by a qualified party, with a written report and remediation documentation
- Technology asset inventory and network map — documenting all hardware, software, and ePHI data flows
Administrative Safeguards Checklist
Risk Analysis and Management
- ☐ HIPAA Security Rule risk analysis completed within the past 12 months
- ☐ Analysis covers the full remote and BYOD environment, not just office infrastructure
- ☐ Risk management plan documents controls for every High and Critical finding
- ☐ Each risk management item has a named owner and a completion date
Security Officer and Governance
- ☐ HIPAA Security Officer designated in writing with title documented
- ☐ Security Officer can produce all compliance documentation within 5 minutes of a request
- ☐ Board or governing body receives annual cybersecurity briefing — documented in minutes
Workforce Training
- ☐ All staff with ePHI access trained in the past 12 months — 100% completion, field staff included
- ☐ Training records include individual name, date, content, and completion confirmation
- ☐ New staff training completed before ePHI access is granted
Policies and Business Associate Agreements
- ☐ Written Information Security Program exists, dated, and signed by senior leadership
- ☐ Sanctions policy documents specific consequences for violations — not vague language
- ☐ Complete vendor inventory — every vendor with ePHI access identified
- ☐ Signed BAA on file for every vendor on the inventory — zero gaps
Technical Safeguards Checklist — 2026 Mandatory Requirements
- ☐ MFA MANDATORY — enforced on every ePHI-accessible account, verified via configuration report
- ☐ Encryption at rest MANDATORY — BitLocker/FileVault on every endpoint, verified and documented
- ☐ Encryption at rest MANDATORY — every cloud storage bucket encrypted, BAA confirms
- ☐ Encryption in transit MANDATORY — TLS 1.2+ for all ePHI transmissions confirmed with vendors
- ☐ Behavioral EDR MANDATORY — deployed on all endpoints, not signature-only antivirus
- ☐ Biannual vulnerability scanning MANDATORY — completed, findings tracked and remediated
- ☐ Annual penetration testing MANDATORY — qualified party, findings and remediation documented
- ☐ Technology asset inventory MANDATORY — all hardware and software touching ePHI listed
- ☐ Network map MANDATORY — current diagram of ePHI data flows maintained
- ☐ Audit logging enabled on EHR, email platform, and identity platform — 6-year retention
- ☐ Automatic session timeout configured — maximum 15 minutes of inactivity
- ☐ No shared user accounts — every user has individual credentials
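As an added example (not part of this checklist or of ShieldForce's tooling), the following Python checker scores a configuration report against the mandatory thresholds listed above: MFA on every ePHI account, no shared logins, encryption at rest, TLS 1.2 minimum, a 15-minute idle timeout, and 6-year audit log retention. The Account and Asset fields and the sample report are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds taken from the 2026 mandatory items on the checklist above.
MIN_TLS = (1, 2)          # TLS 1.2 minimum for ePHI in transit
MAX_IDLE_MINUTES = 15     # automatic session timeout ceiling
LOG_RETENTION_YEARS = 6   # audit log retention floor

@dataclass
class Account:            # one row of an identity-platform export (assumed shape)
    user: str
    ephi_access: bool
    mfa_enforced: bool
    shared: bool = False  # a login used by more than one person

@dataclass
class Asset:              # one row of the technology asset inventory (assumed shape)
    name: str
    holds_ephi: bool
    encrypted_at_rest: bool
    tls_version: Optional[str] = None   # lowest TLS version accepted, if it transmits ePHI
    idle_timeout_minutes: Optional[int] = None
    audit_log_retention_years: Optional[int] = None

def parse_tls(version: str) -> Tuple[int, int]:
    # Normalise "TLS1.2", "TLSv1.2" or "1.2" into a comparable (major, minor) tuple.
    digits = version.upper().replace("TLSV", "").replace("TLS", "")
    major, minor = digits.split(".")
    return int(major), int(minor)

def evaluate(accounts: List[Account], assets: List[Asset]) -> List[str]:
    # Returns one finding per checklist gap; an empty list means no gaps were found.
    findings = []
    for a in accounts:
        if a.ephi_access and not a.mfa_enforced:
            findings.append(f"MFA: {a.user} reaches ePHI without MFA enforced")
        if a.shared:
            findings.append(f"SHARED ACCOUNT: {a.user} must become individual credentials")
    for s in assets:
        if not s.holds_ephi:
            continue  # checklist scope is systems that store or move ePHI
        if not s.encrypted_at_rest:
            findings.append(f"ENCRYPTION AT REST: {s.name} stores ePHI unencrypted")
        if s.tls_version and parse_tls(s.tls_version) < MIN_TLS:
            findings.append(f"ENCRYPTION IN TRANSIT: {s.name} accepts {s.tls_version}")
        if s.idle_timeout_minutes is None or s.idle_timeout_minutes > MAX_IDLE_MINUTES:
            findings.append(f"SESSION TIMEOUT: {s.name} idles past {MAX_IDLE_MINUTES} minutes")
        if s.audit_log_retention_years is not None and s.audit_log_retention_years < LOG_RETENTION_YEARS:
            findings.append(f"AUDIT LOGGING: {s.name} retains logs under {LOG_RETENTION_YEARS} years")
    return findings

# Constructed sample report, not real agency data.
SAMPLE_ACCOUNTS = [Account("nurse.jane", True, True), Account("frontdesk", True, False, shared=True)]
SAMPLE_ASSETS = [Asset("EHR portal", True, True, "TLSv1.2", 15, 6),
                 Asset("Field laptop 07", True, False, idle_timeout_minutes=30),
                 Asset("Legacy fax gateway", True, True, "TLS1.0", 10, 1)]
```

Each finding maps to one MANDATORY line of the checklist, so the output can be pasted straight into the risk management plan with an owner and a date.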
Physical Safeguards Checklist
- ☐ Server room and equipment areas have access controls with access log
- ☐ Workstation use policy governs appropriate use and prohibits unauthorized viewing
- ☐ Device disposal policy requires documented secure data wiping before disposal
- ☐ Mobile device policy covers field nurse devices and personal smartphones with ePHI access
Documentation Retention Checklist
- ☐ All policies retained for 6 years from creation or last effective date
- ☐ Risk analysis, risk management plan, and remediation evidence with dates
- ☐ Vulnerability scan results and remediation actions — all cycles retained
- ☐ Penetration test reports and remediation documentation
- ☐ Staff training records — all staff, all dates, all content
- ☐ Audit log review documentation — reviewer, date, findings
- ☐ BAA copies — all vendors, all effective dates
Using This Checklist
Items marked MANDATORY are legally required as of the 2026 effective date. Non-compliance is a violation OCR can cite independently of any breach. For each gap identified, document it in your risk management plan with a remediation timeline and responsible party. A documented plan to close a known gap is materially more defensible in any OCR proceeding than an undocumented gap.
ShieldForce delivers every item on this checklist — deployed within 72 hours of contract start, documented for immediate OCR readiness, starting at $35/user/month.
Ready to protect your home health agency? The first step takes 30 minutes and costs nothing. ShieldForce delivers purpose-built managed cybersecurity for healthcare — 24/7 SOC monitoring, behavioral EDR, advanced layered email security, immutable backup with tested restoration, MFA enforcement, and complete HIPAA documentation — starting at $35/user/month. BAA signed on day one. Fully deployed in 72 hours. No IT staff required.