If you haven't reviewed your HIPAA compliance recently, February 2026 changed the game. The HHS Office for Civil Rights finalized updates to the HIPAA Privacy Rule that affect every home care agency—and some previous "workarounds" are no longer acceptable.
Here's what you need to know.
The Big Change: Encryption Is Now Mandatory
Previously, HIPAA's Security Rule treated encryption as an "addressable" safeguard. Agencies could document why they chose not to encrypt and implement alternative protections instead.
That era is over.
As of February 2026, encryption is mandatory for all Protected Health Information (PHI)—both in transit and at rest. The regulatory language removed previous flexibility that allowed agencies to skip encryption with documented justification.
What This Means for Your Agency
In transit: Any PHI sent over networks—email, app data, EVV submissions, billing transmissions—must use TLS 1.2 or higher encryption.
At rest: PHI stored on servers, databases, mobile devices, or backup systems must be encrypted using AES-256 or equivalent.
No exceptions: The "addressable" designation that allowed documented alternatives is gone for encryption requirements.
Are You Compliant?
Check these common areas:
| Area | Encryption Required |
|---|---|
| Care management software data | Yes (at rest and in transit) |
| EVV clock-in/clock-out data | Yes |
| Email containing PHI | Yes (or don't send PHI via email) |
| Mobile device storage | Yes (full device encryption) |
| Backup systems | Yes |
| Fax machines | No (but minimize fax use) |
If your care management system stores client information unencrypted—even temporarily—you're now non-compliant.
Stricter Rules for Sensitive Categories
The February 2026 updates added heightened protections for two categories of PHI:
Reproductive Health Information
New rules restrict disclosure of reproductive health information, even for treatment purposes, unless specific conditions are met. This affects home care agencies serving clients who may have reproductive health documentation in their records.
Key requirement: Agencies must obtain specific authorization before disclosing reproductive health information for most non-treatment purposes.
Behavioral Health Information
Similar restrictions apply to behavioral health data. For agencies serving clients with developmental disabilities or mental health conditions, this means:
- Additional consent requirements before sharing behavioral health records
- Stricter limitations on who can access this information
- More detailed audit logging of access to behavioral health data
Practical Impact
Most home care agencies won't need major workflow changes, but you should:
- Review your authorization forms to ensure they address these categories
- Train staff on the heightened sensitivity of reproductive and behavioral health information
- Configure access controls so only clinically necessary staff see this data
- Update your Notice of Privacy Practices if it references these categories
March 1, 2026: Small Breach Reporting Deadline
This wasn't a rule change, but it's a critical date many agencies missed.
March 1, 2026 was the annual deadline for reporting small breaches (affecting fewer than 500 individuals) that occurred during 2025. If you had any breaches last year—even small ones—they should have been reported by this date.
What Counts as a Breach?
Any unauthorized access, use, or disclosure of PHI:
- Lost or stolen devices containing client information
- Emails sent to wrong recipients
- Staff accessing records without authorization
- Vendor security incidents affecting your data
- Misdirected faxes or mail
If you haven't reported small 2025 breaches, contact legal counsel about remediation options.
Risk Analysis Failures: Still the #1 Penalty Reason
The 2026 updates didn't change this, but it bears repeating: 76% of HIPAA enforcement actions in 2025 cited risk analysis failures.
A risk analysis isn't a one-time document you file away. It's an ongoing process:
- Identify where PHI exists in your organization
- Assess threats and vulnerabilities to that PHI
- Evaluate current security measures
- Determine likelihood and impact of potential breaches
- Document findings and remediation plans
- Implement additional safeguards where needed
- Review and update regularly (at least annually)
If your last risk analysis was more than a year ago—or if it doesn't address mobile devices, cloud systems, and current threats—it's time for an update.
Business Associate Scrutiny Increasing
OCR is paying closer attention to Business Associate compliance. For home care agencies, this means:
Review Your BAAs
Ensure you have signed Business Associate Agreements with:
- Care management software providers
- EVV system vendors
- Billing and claims processors
- Cloud storage providers
- IT support contractors
- Answering services
- Shredding companies
Verify Vendor Compliance
A BAA doesn't guarantee your vendor is actually compliant. OCR has made clear that covered entities can be liable for choosing vendors that don't adequately protect PHI.
Ask your vendors:
- Do you have SOC 2 Type II certification?
- How is data encrypted at rest and in transit?
- What's your incident response process?
- When was your last security assessment?
- Can you provide evidence of employee training?
New BAA Language
If your BAAs are several years old, they may not address current requirements. Consider updating them to include:
- Specific encryption requirements
- Breach notification timelines (without unreasonable delay, and no later than 60 days)
- Subcontractor compliance requirements
- Right to audit or request compliance documentation
Enforcement Trends to Watch
Based on 2025 enforcement patterns and 2026 regulatory signals:
Increased Focus on Access Controls
OCR is scrutinizing whether agencies implement the "minimum necessary" standard—ensuring staff only access PHI needed for their specific job functions. Role-based access controls aren't optional nice-to-haves; they're compliance requirements.
Mobile Device Enforcement
With caregivers accessing PHI from personal and agency devices, mobile security is getting attention. Expect questions about:
- How PHI is protected on mobile devices
- Remote wipe capabilities
- Device encryption verification
- Lost device procedures
Audit Log Requirements
The ability to track who accessed what PHI and when isn't just good practice—it's a technical safeguard requirement. Agencies that can't produce audit logs during investigations face additional penalties.
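The two safeguards above, role-based "minimum necessary" checks and an audit log that can answer who accessed what PHI and when, are easier to reason about in code. The following is an added example written for this article; it is not CareCade's software and not an implementation the rule prescribes. It assumes a hypothetical role-to-data-category permission matrix (the role and category names are invented), uses constructed sample records, and keeps the log in memory; a production system would persist the log to tamper-evident storage and take roles from the agency's identity provider. It also shows the behavioral health restriction from the sensitive categories section: that category is readable only by clinical roles, and every successful read of it is surfaced for periodic review.

```python
"""Role-based access control with a PHI access audit log (added example).

Every read of PHI goes through PhiStore.access(), which decides from the
user's role whether the data category is needed for that job function,
writes an audit entry either way, and only then returns the data.
All roles, categories, users and records below are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Category(Enum):
    DEMOGRAPHICS = "demographics"
    SCHEDULE = "schedule"
    BILLING = "billing"
    BEHAVIORAL_HEALTH = "behavioral_health"      # heightened protection
    REPRODUCTIVE_HEALTH = "reproductive_health"  # heightened protection


# Hypothetical minimum-necessary matrix: which categories each job function
# needs. Heightened-protection categories are limited to clinical roles.
ROLE_PERMISSIONS = {
    "scheduler": {Category.DEMOGRAPHICS, Category.SCHEDULE},
    "biller": {Category.DEMOGRAPHICS, Category.BILLING},
    "caregiver": {Category.DEMOGRAPHICS, Category.SCHEDULE},
    "nurse": {Category.DEMOGRAPHICS, Category.SCHEDULE,
              Category.BEHAVIORAL_HEALTH, Category.REPRODUCTIVE_HEALTH},
}
RESTRICTED = {Category.BEHAVIORAL_HEALTH, Category.REPRODUCTIVE_HEALTH}


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    user_id: str
    role: str
    client_id: str
    category: Category
    action: str
    allowed: bool


@dataclass
class PhiStore:
    """Client records keyed by client id; every read is mediated and logged."""
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def access(self, user_id, role, client_id, category, action="read", now=None):
        ts = now or datetime.now(timezone.utc)
        allowed = category in ROLE_PERMISSIONS.get(role, set())
        # Log every attempt, denied ones included: a denied attempt is the
        # evidence an investigation needs for "staff accessing records without
        # authorization".
        self.audit_log.append(
            AuditEntry(ts, user_id, role, client_id, category, action, allowed))
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not {action} {category.value}")
        return self.records.get(client_id, {}).get(category.value)

    def accesses_for_client(self, client_id):
        """Investigation query: who touched this client's PHI, and when."""
        return [e for e in self.audit_log if e.client_id == client_id]

    def denied_attempts(self):
        return [e for e in self.audit_log if not e.allowed]

    def restricted_category_reads(self):
        """Successful reads of heightened-protection categories, for review."""
        return [e for e in self.audit_log if e.allowed and e.category in RESTRICTED]


def build_sample_store():
    store = PhiStore()
    # Constructed sample record, not real client data.
    store.records["client-001"] = {
        "demographics": {"name": "Sample Client", "dob": "1950-01-01"},
        "schedule": ["2026-03-02 09:00 visit"],
        "billing": {"payer": "Sample Medicaid", "units": 12},
        "behavioral_health": {"dx": "sample diagnosis"},
    }
    return store


def run_demo():
    """Three accesses: one routine, one restricted-but-permitted, one denied."""
    store = build_sample_store()
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    # Caregiver looks up today's schedule: needed for the role, allowed.
    store.access("u-caregiver-7", "caregiver", "client-001", Category.SCHEDULE, now=t0)
    # Nurse reviews behavioral health notes: allowed, but surfaced for review.
    store.access("u-nurse-2", "nurse", "client-001", Category.BEHAVIORAL_HEALTH, now=t0)
    # Biller opens behavioral health notes: not needed for billing, denied and logged.
    try:
        store.access("u-biller-1", "biller", "client-001", Category.BEHAVIORAL_HEALTH, now=t0)
    except PermissionError:
        pass
    return {
        "total_entries": len(store.audit_log),
        "client_entries": len(store.accesses_for_client("client-001")),
        "denied": [(e.user_id, e.category.value) for e in store.denied_attempts()],
        "restricted_reads": [(e.user_id, e.category.value)
                             for e in store.restricted_category_reads()],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that the permission check and the audit write live in the same code path, so an application cannot read PHI without producing a log entry, and a denied attempt is recorded rather than silently dropped. The `restricted_category_reads` query is the kind of report the sensitive-categories rules call for: it lists every successful read of behavioral or reproductive health data so a privacy officer can confirm each one was clinically necessary.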
Updating Your Compliance Program
Immediate Actions
- Verify encryption: Confirm all PHI is encrypted at rest and in transit. Ask your vendors for documentation.
- Review sensitive data handling: Update procedures for reproductive and behavioral health information if applicable.
- Check BAA inventory: Ensure you have current BAAs with all vendors handling PHI.
This Quarter
- Update risk analysis: Include 2026 requirements, mobile devices, and current threat landscape.
- Refresh training: Staff should understand the new encryption requirements and sensitive data categories.
- Review access controls: Verify role-based permissions align with minimum necessary standard.
Ongoing
- Document everything: Policies, training records, risk assessments, incident reports—documentation is your defense.
- Monitor vendor compliance: Annual verification that Business Associates maintain required safeguards.
- Stay current: HIPAA enforcement guidance continues evolving. Subscribe to HHS updates or work with compliance consultants.
Technology That Supports Compliance
The 2026 requirements make HIPAA-compliant technology more important than ever. When evaluating systems, verify:
Encryption: AES-256 encryption at rest, TLS 1.2+ in transit—as defaults, not optional add-ons.
Access controls: Granular role-based permissions that enforce minimum necessary access.
Audit logging: Comprehensive logs of all PHI access with user identification and timestamps.
Authentication: Multi-factor authentication or passkeys to prevent unauthorized access.
BAA availability: Vendor readily provides signed Business Associate Agreement.
Compliance documentation: Vendor can provide SOC 2 reports, security policies, and evidence of compliance.
The Bottom Line
The February 2026 HIPAA updates removed ambiguity around encryption and added protections for sensitive health categories. For agencies that were already following best practices, compliance requires minimal changes. For those relying on outdated systems or "addressable" workarounds, it's time to update.
The investment in compliance technology and processes pays dividends beyond avoiding penalties. Families increasingly ask about data protection when choosing agencies. "We encrypt all client information and have enterprise-grade security" is a competitive advantage.
Protect your clients. Protect your agency. The requirements are clearer than ever.
