CMS Conditions of Participation and Cybersecurity: What Hospice Agencies Must Document Before a Survey

Obi Ibeto

CMS Conditions of Participation don't explicitly list cybersecurity — but surveyors increasingly cite inadequate data protection as a deficiency. Here's what hospice agencies must document to pass a survey in 2026.

The CMS Conditions of Participation for Hospice Providers (42 CFR Part 418) do not contain a cybersecurity section. There is no condition titled "Information Security" and no explicit requirement to deploy endpoint detection or implement multi-factor authentication.

And yet, in 2025 and 2026, hospice surveyors are increasingly citing data management deficiencies, inadequate patient record protection, and insufficient care plan accessibility as survey findings — all of which have a cybersecurity dimension that the original CoP language never anticipated.

The practical reality is this: a ransomware attack that locks your hospice's patient records during an active patient census is a care delivery failure under the CoP — specifically under the clinical records, patient rights, and comprehensive assessment conditions. A cybersecurity failure is not just an IT problem. It is a patient care problem and a regulatory survey problem.

This guide explains how the CMS Conditions of Participation relate to cybersecurity for hospice agencies, what documentation surveyors are increasingly requesting, and how to protect your agency against both care delivery failures and survey deficiencies.

The CoP Conditions That Have Cybersecurity Implications

Condition: Clinical Records (§418.104)

The Clinical Records condition requires hospice agencies to maintain clinical records on every patient served, and to ensure those records are:

  • Complete and accurate — records must reflect the current care plan, medications, physician orders, and clinical assessments
  • Accessible — records must be available to the clinical team when and where needed
  • Protected against unauthorized access — patient information must be protected from unauthorized disclosure
  • Retained — records must be retained for a minimum of six years (or longer per state law)

The cybersecurity implications are direct:

Accessibility: A ransomware attack that locks clinical records violates the accessibility requirement. If a hospice nurse cannot access a patient's medication list, care plan, or emergency contact information because the EHR has been encrypted, that is a failure to maintain accessible clinical records for an active patient.

Protection: Inadequate security controls that result in unauthorized access to clinical records — a phishing attack that exposes patient data, an unencrypted laptop that is stolen — constitute a failure to protect patient information from unauthorized disclosure.

Retention: If ransomware destroys clinical records that are not backed up, the six-year retention requirement cannot be met.

What surveyors may ask: Do you have documented procedures for accessing clinical records if your EHR system is unavailable? What backup and disaster recovery systems are in place? Who has access to clinical records and how is that access controlled?

Condition: Patient Rights (§418.52)

The Patient Rights condition requires hospice agencies to protect and promote patient rights, including the right to:

  • Confidentiality of all clinical records and personal information
  • Privacy in treatment and care planning

A data breach exposing a hospice patient's end-of-life wishes, diagnoses, or care preferences to unauthorized parties is a direct violation of the privacy and confidentiality rights this condition protects. Hospice patient data — which includes diagnoses, prognosis, advance directives, and family dynamics — is among the most sensitive PHI in healthcare.

What surveyors may ask: How do you protect patient information accessed by field staff? What is your policy for staff use of personal devices containing patient information? Have there been any unauthorized disclosures of patient information in the past 36 months?

Condition: Comprehensive Assessment (§418.54)

The Comprehensive Assessment condition requires the hospice interdisciplinary group (IDG) to complete and maintain a comprehensive assessment for each patient — and to update it at defined intervals and in response to changes in condition.

If the EHR containing the comprehensive assessment is inaccessible due to ransomware, the IDG cannot review and update the assessment. For a hospice patient experiencing rapid decline, the inability to access the current assessment is a care quality failure with potential patient safety consequences.

What surveyors may ask: What are your downtime procedures for the comprehensive assessment process? How do you ensure continuity when your EHR is unavailable?

Condition: Governing Body (§418.56)

The Governing Body condition requires the hospice governing body to assume full legal authority and responsibility for the operation of the agency — including ensuring that an effective organizational plan exists.

Cybersecurity governance is increasingly considered part of this organizational responsibility. A governing body that has never discussed cybersecurity risk, has no information security policy, and has not allocated resources for data protection may be cited for inadequate organizational planning if a breach occurs.

What surveyors may ask (following a breach): Was the governing body aware of cybersecurity risks? What policies had the governing body approved for information security? What resources had been allocated?

The Documentation That Protects Your Agency

To defend against cybersecurity-related CoP deficiencies, hospice agencies need documented evidence of:

Information security policies: Written policies covering clinical record access, device security, staff training, and incident response. These policies should be approved by the governing body and reviewed annually.

Downtime procedures: Documented procedures for maintaining care delivery when the EHR is unavailable. Who gets notified? How do field staff access patient information? How is care documentation maintained manually and transferred to the EHR when systems restore?

Business continuity plan: A broader plan demonstrating that the hospice can continue providing patient care during a significant technology disruption — including during a ransomware recovery period.

HIPAA Security Rule documentation: Risk analysis, written information security program, incident response plan, and BAAs with technology vendors. These documents both satisfy HIPAA requirements and demonstrate to surveyors that a systematic approach to information security exists.

Training records: Documentation that all staff with access to clinical records have received security awareness training covering device security, phishing recognition, and incident reporting.

ShieldForce and Hospice CoP Compliance

ShieldForce's hospice cybersecurity program delivers both the technical controls and the compliance documentation that protect your agency in a survey. Our service includes:

  • 24/7 monitoring and EDR that protects clinical record accessibility and confidentiality
  • Immutable backup ensuring clinical records are retained and recoverable
  • HIPAA Security Rule documentation package aligned to CoP requirements
  • Downtime procedure templates tailored to hospice clinical operations
  • Annual governing body briefing materials on cybersecurity risk

Protect your hospice from CoP deficiencies and HIPAA violations simultaneously. ShieldForce delivers the technical controls and documentation hospice agencies need to pass surveys and protect patients.

Start with a free HIPAA risk assessment designed for hospice agencies.