Cybersecurity Rules Home Health Agencies Should Know About in 2026
If you run a home health agency in Fort Worth, the cybersecurity rules that govern your business in 2026 come from two different parts of the federal government. CMS, through the Conditions of Participation, treats cybersecurity as part of emergency preparedness. HHS, through the HIPAA Security Rule, treats it as a privacy obligation. The two overlap, but neither one alone tells you everything you have to do, and most generalist IT vendors do not draw the line between them clearly.
Home health is harder to secure than a traditional clinic because the work happens in patients' homes, not behind a locked office door. Clinicians carry the EMR on laptops and tablets, borrow home WiFi during long visits, sync charts at 9 PM in a parking lot, and pull up schedules on personal phones. Every one of those touch points is part of your HIPAA footprint, and the vendor sprawl behind them (EMR, scheduling, billing, transcription, telehealth, secure messaging, fax-to-email, electronic visit verification) is larger than most agency owners realize until they sit down to count it. If you want to talk through any of this with a Fort Worth team that does this work every day, call us at (817) 808-1816. We have been doing healthcare IT here since 2003.
What CMS requires from home health agencies on cybersecurity in 2026
CMS does not publish a standalone cybersecurity rule for home health. What it has is a set of Conditions of Participation in 42 CFR Part 484 that bake cybersecurity into emergency preparedness.
1. An all-hazards emergency preparedness program that names cyber-attacks. Under 42 CFR § 484.102, every Medicare-certified home health agency has to maintain an emergency preparedness program based on a documented all-hazards risk assessment. CMS guidance is explicit that all-hazards includes "interruptions in communications including cyber-attacks." If your plan does not name cyber as a scenario, you are out of step with the regulation.
2. A documented risk assessment, reviewed at least every two years. § 484.102 requires the emergency preparedness program to be reviewed and updated on that cadence. CMS surveyors expect cyber-attack to sit alongside hurricanes and power loss, not as a separate IT problem.
3. Continuity of operations when systems go down. § 484.102(b) requires policies and procedures that maintain continuity of patient care during emergencies. For home health, that means an answer to "what do clinicians do if the EMR is encrypted by ransomware at 6 AM Monday." Paper backup workflows, downtime contact procedures, and access to current patient information outside the encrypted system are what CMS wants to see.
4. Annual training and a yearly exercise. The CoP requires initial and annual training and at least one exercise per year that tests the emergency plan. A real cyber event that disrupts patient care can count as the annual test if documented properly.
5. Quality reporting flexibility for cyber events. The Calendar Year 2026 Home Health Prospective Payment System Final Rule (CMS-1828-F) explicitly allows agencies to request a reconsideration extension if extraordinary circumstances such as a cyber-attack, hurricane, or earthquake prevent timely data submission. CMS is acknowledging that cyber disruption is a normal operational risk for home health, not granting a free pass.
The CMS side is preparedness, continuity, and reporting. The substantive technical controls live on the HIPAA side.
HIPAA technical safeguards that hit home health hardest
The current HIPAA Security Rule at 45 CFR Part 164 has been the operative law since the 2013 Omnibus update. The Notice of Proposed Rulemaking issued by HHS in December 2024 would tighten almost every technical safeguard, and OCR is enforcing the existing rule with the new posture in mind. Five safeguards hit home health harder than the rest.
Full-disk encryption on every device that leaves the office. Encryption is currently an "addressable" safeguard under 45 CFR § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii), but for portable devices the burden of justifying non-encryption is enormous, and the proposed rule eliminates the addressable designation. Every laptop, tablet, and phone that touches ePHI needs BitLocker, FileVault, or device-level encryption, verified through a management console, not configured once and forgotten.
Secure remote access to the EMR. Field clinicians on home WiFi or LTE need their session protected end to end: TLS 1.2 or higher, MFA on every login, and conditional access policies that limit where ePHI can be opened. The proposed rule moves MFA from best practice to mandatory for nearly every account that accesses ePHI.
Business associate agreements across the full vendor sprawl. A home health agency typically has BAA obligations with the EMR, billing, e-fax, secure messaging, AI dictation, document storage, electronic visit verification, and every subcontractor that touches PHI. The HHS model BAA provisions require these contracts to be current with the actual entity providing the service. The proposed rule adds an annual written verification that each business associate has implemented the required technical safeguards.
Audit controls that someone reviews. 45 CFR § 164.312(b) requires mechanisms that record and examine activity in systems containing ePHI. The "examine" part is where most agencies fall down. The EMR has an audit log. Nobody reads it. OCR settlement actions through 2025 and 2026 have consistently cited the gap between "logs exist" and "logs are reviewed."
Lost and stolen device procedure. This falls under § 164.308(a)(6) security incident procedures and § 164.310(d) device and media controls. You need a documented procedure that covers remote wipe, account suspension, breach assessment, and documentation. HHS guidance on HIPAA and cloud computing is explicit that mobile safeguards must protect ePHI on the device and through the cloud service it connects to.
What we see when we audit a Fort Worth home health agency
When we take over IT for a home health agency in Fort Worth, the same patterns show up almost every time. None of these are unusual or malicious. They are what happens when an IT setup grows over years without anyone treating compliance as a property of the environment.
The most common gap is encryption turned on once and never verified: BitLocker is enabled in policy, but three out of ten devices show it suspended after a Windows update. The second is MFA exemptions for field clinicians that someone wrote in 2022 and never revisited. The third is BAA drift, where the binder lists the original vendors but the clinical team adopted a new e-fax and an AI scribe without telling the office. The fourth is audit logs that exist but are never read. The fifth is a lost-device procedure that has never been tested. The sixth is a global admin account in Microsoft 365 belonging to a previous IT provider, never rotated when the relationship ended.
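One way to turn "verified through a management console" and the suspended-after-update pattern above into a scheduled check is a script the RMM or Intune pushes to every field laptop. This is an added example, not code from the page or from IT Integrations; it assumes the built-in Windows BitLocker module and an elevated session, and the function name and state labels are my own.

```powershell
# Added example (not the page's or any vendor's code): verify BitLocker on a field
# device instead of trusting the policy setting. Uses the built-in BitLocker module
# (Get-BitLockerVolume, Resume-BitLocker); run elevated, e.g. from an RMM or Intune script.
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # Re-enable protection on volumes that are encrypted but have protectors off
        # (the state a Windows update leaves behind when it suspends BitLocker).
        [switch]$ResumeSuspended
    )
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $state = switch ($true) {
            ($vol.VolumeStatus -eq 'FullyDecrypted')   { 'NotEncrypted';  break }
            ($vol.VolumeStatus -ne 'FullyEncrypted')   { 'InProgress';    break }
            ($vol.ProtectionStatus -ne 'On')           { 'Suspended';     break }
            # Encrypted and protected, but with no recovery password the key cannot be
            # escrowed to Entra ID/AD, so a lost device is harder to prove safe.
            ('RecoveryPassword' -notin $types)         { 'NoRecoveryKey'; break }
            default                                    { 'Compliant' }
        }
        $action = 'None'
        if ($state -eq 'Suspended' -and $ResumeSuspended) {
            Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
            $action = 'Resumed'
        }
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($types -join ',')
            State            = $state
            Action           = $action
        }
    }
}

# Run the check; a non-zero exit code lets the RMM/Intune console flag the device,
# and the per-volume report is the evidence an auditor asks for.
$report = Get-BitLockerComplianceReport -ResumeSuspended
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.State -ne 'Compliant' }) { exit 1 }
```

A device that was resumed still reports as non-compliant for that run, so the suspension is recorded rather than silently repaired.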
A checklist home health owners can run through this week
Each of these is a yes-or-no question. If you cannot answer yes, write it down.
1. Is full-disk encryption enabled and verified on every laptop, tablet, and phone that touches ePHI?
2. Is MFA enforced on every account that accesses the EMR, Microsoft 365, billing, and remote access, with no field-clinician exemptions?
3. Do you have a current Business Associate Agreement on file for every vendor that touches PHI, including AI tools, e-fax, transcription, and electronic visit verification?
4. Has your HIPAA security risk analysis been updated within the last 12 months and after the last material change to your environment?
5. Does your CMS emergency preparedness plan name cyber-attack as a scenario and include a continuity-of-care procedure if your EMR is unavailable for 48 hours?
6. Are EMR and Microsoft 365 audit logs being collected, retained for at least 12 months, and reviewed on a documented cadence?
7. Do you have a written, tested lost-device procedure that covers remote wipe, account suspension, and breach assessment?
8. Have you reviewed and removed unused administrator accounts in your Microsoft 365 tenant in the last 90 days?
9. Has every workforce member completed HIPAA security training in the last 12 months, with documentation?
10. Have you run an exercise in the last 12 months that simulates a ransomware event affecting clinical operations?
If most are yes, you are in better shape than most Fort Worth home health agencies we audit. If most are no, that is the work.
When you need help and what to ask an IT provider
If you are talking with an IT provider about HIPAA-grade managed IT for home health, the answers to these questions tell you whether they can do the work or whether they are selling compliance on paper.
1. Can you show me a redacted example of a HIPAA security risk analysis you have produced for a home health client in the last 12 months, with the remediation plan attached?
2. How do you verify encryption is enforced on field devices, and what is your reporting cadence?
3. Do you maintain a current BAA inventory for your healthcare clients, and how often do you reconcile it against actual vendor activity?
4. What is your process for reviewing EMR and Microsoft 365 audit logs, and how do you document the review?
5. Do you have HITRUST capability, and if so at what level (e1, i1, or r2)?
6. What is your local response time when a field clinician calls at 8 AM and their EMR will not load before a visit?
IT Integrations is a Fort Worth MSP, HITRUST capable, and built for healthcare clients with mobile workforces. We open at 8 AM and we pick up the phone. Call us at (817) 808-1816 if those questions sound like the right ones to be asking. More on our HIPAA compliance and managed IT practice on the service pages.
Frequently Asked Questions
Is a home health agency covered by HIPAA?
Yes. Home health agencies that transmit health information electronically in connection with a covered transaction (billing Medicare, Medicaid, or commercial insurance, eligibility checks, claims status) are covered entities under HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule all apply, and Business Associate obligations attach to every vendor with PHI access.
What does CMS require on cybersecurity that goes beyond HIPAA?
CMS requires home health agencies to address cyber-attack as part of an all-hazards emergency preparedness program under 42 CFR § 484.102: a documented risk assessment, a continuity-of-care plan for system outages, annual training, and an annual exercise. HIPAA covers the technical safeguards. CMS covers the operational preparedness that has to keep patient care running when those safeguards fail.
Do our BAAs cover home health aides who use personal phones for work?
A BAA covers the vendor providing a service, not the workforce member using a device. If aides are texting on personal phones, the device is part of your environment and your responsibility under the Security Rule. The fix is either a mobile device management policy that brings the personal device under your control or a documented prohibition with a sanctioned tool the aide is required to use instead.
What happens if a caregiver's tablet is lost or stolen?
You need a documented incident response that includes immediate remote wipe, suspension of all accounts associated with the device, a breach risk assessment under 45 CFR § 164.402, and notification to OCR and affected individuals if the assessment concludes a breach occurred. If the device was encrypted with a key not stored on the device, the assessment may conclude the data was not compromised. If it was not encrypted, you are likely reporting a breach.
Are we required to encrypt the EMR on every device?
The current Security Rule treats encryption of ePHI at rest as an "addressable" safeguard, which means encryption is required unless you can document a defensible reason not to. For portable devices used in patient homes, that reason is almost impossible to defend, and the proposed 2026 rule removes the addressable category entirely. Encrypt every device, and verify it through a management console.
How often should we update our HIPAA security risk assessment?
OCR guidance on risk analysis requires the risk analysis to be updated when there is a material change to the environment and reviewed periodically. For home health, material changes include a new EMR, a new vendor with PHI access, a change to remote workforce policy, or an office move. The proposed 2026 rule makes the annual review explicit. Treat it as a yearly engagement, not a one-time project.
Next Steps
If your HIPAA and CMS preparedness work has not been touched in the last 12 months, this is the year to fix it. Both bodies of regulation are tightening, OCR enforcement is reaching mid-sized agencies, and the technical controls that used to be optional are becoming mandatory.
Ready to do this the right way? IT Integrations provides HIPAA compliance, managed IT, and cybersecurity for Fort Worth home health, hospice, and assisted living agencies and the surrounding DFW metro. Call (817) 808-1816 or contact us for a free IT assessment today.
Sources
- 42 CFR § 484.102 - Condition of participation: Emergency preparedness
- eCFR :: 42 CFR Part 484 - Home Health Services
- Calendar Year (CY) 2026 Home Health Prospective Payment System Final Rule (CMS-1828-F)
- CMS Homeland Security Threats: emergency preparedness all-hazards guidance
- HHS HIPAA Security Rule Notice of Proposed Rulemaking Fact Sheet (December 2024)
- HHS Summary of the HIPAA Security Rule
- HHS Guidance on Risk Analysis Requirements under the HIPAA Security Rule
- HHS Sample Business Associate Agreement Provisions
- HHS Guidance on HIPAA and Cloud Computing (mobile device safeguards)