There are over 52,000 nursing homes, assisted living facilities, and hospice agencies in the United States. Almost all of them are covered entities under HIPAA. Almost none of them have a dedicated compliance officer.
Most HIPAA compliance guidance is written for physician offices and clinics — smaller teams, controlled environments, relatively straightforward vendor relationships. Long-term care is a fundamentally different operation, and its compliance challenges reflect that: higher staff turnover, shared workstations across three shifts, dozens of vendor relationships requiring Business Associate Agreements, and a regulatory landscape where HIPAA is just one layer in a stack that also includes CMS, OIG, and state licensing requirements.
This article covers what makes HIPAA compliance uniquely difficult in nursing homes, LTC facilities, and hospices — and what you can do about it.
Why Nursing Homes Face Harder HIPAA Challenges
The Turnover Problem
Nursing home staff turnover averages 82%. CNA turnover alone runs over 42%, RN turnover is 36.5%, and even administrator turnover hits 43%. These numbers are more than double the hospital industry average.
Every new hire needs documented HIPAA training — who was trained, when, on what topics, with sign-off records. Every departure requires access termination across every system that touches ePHI. When you’re replacing a significant portion of your workforce every year, these aren’t occasional tasks. They’re constant operations that need a system behind them.
The most common HIPAA training failure in long-term care isn’t that training doesn’t happen — it’s that documentation is incomplete or inconsistent. Staff get a verbal overview during orientation, but the signed acknowledgments, completion dates, and content records that OCR expects to see during an investigation are missing or scattered across paper files and spreadsheets.
Shared Workstations Everywhere
A typical physician’s office has a workstation per provider. A nursing home has shared terminals at nurses’ stations, medication carts with built-in screens, hallway kiosks, and break room computers — used by dozens of staff members across three shifts every day.
This creates HIPAA exposure at every level:
- Access controls: Each staff member needs unique login credentials with role-appropriate access levels. Shared logins — the “everyone uses the same password” approach — are a HIPAA violation waiting to be discovered.
- Automatic logoff: Workstations must lock after a period of inactivity. In a busy nurses’ station where someone steps away to answer a call light, an unlocked screen displaying a resident’s medical record is a breach risk every time.
- Audit logging: Every access to ePHI needs to be logged and attributable to a specific user. Shared credentials make this impossible.
- Physical security: Screens visible to residents, visitors, and non-clinical staff need privacy filters or positioning that prevents casual viewing.
The 2026 HIPAA Security Rule update makes this harder — automatic logoff and access controls move from “addressable” (which many facilities treated as optional) to required. There is no more flexibility to document why you chose not to implement a specific control.
The Vendor Web
A typical physician’s office might maintain 5-10 Business Associate Agreements. A nursing home can easily have 15-25 or more. Consider the vendors that routinely handle PHI in a long-term care setting:
- Long-term care pharmacy (Omnicare, PharMerica, or regional providers)
- Laboratory services
- Contracted therapy companies (PT, OT, speech — often third-party)
- Hospice agencies (when hospice services are provided within the facility)
- Staffing agencies (extremely common given turnover rates)
- Medical supply companies
- Billing and claims processing
- Healthcare clearinghouses
- EHR/EMR vendor
- IT managed services provider
- Cloud storage and backup providers
- Document destruction company
- Telehealth providers
- Diagnostic imaging services
- Contracted dental, podiatry, and optometry providers
- Dietitian or food service management
- Insurance and malpractice carriers
- Accounting and legal firms (when handling PHI)
Each of these relationships requires a signed BAA. But under the 2026 Security Rule update, signing a BAA is no longer sufficient — you’ll need to verify that your business associates have actually implemented the required safeguards and maintain documentation of their compliance posture.
For a facility administrator already managing dozens of vendor relationships for operational purposes, adding compliance verification to each one is a significant burden. Most facilities don’t have a systematic way to track which BAAs are current, which are expired, and which vendors have never been assessed.
The Regulatory Pileup
This is where long-term care diverges most sharply from other healthcare settings. A physician’s office deals primarily with HIPAA. A nursing home deals with:
HIPAA (enforced by OCR): Privacy Rule, Security Rule, Breach Notification Rule — the same requirements that apply to every covered entity.
CMS Conditions of Participation (enforced by state survey agencies): To accept Medicare and Medicaid, nursing homes must comply with the Requirements of Participation under 42 CFR Part 483. These include their own provisions about confidentiality of resident records and information — overlapping with HIPAA but using different language, different standards, and different enforcement mechanisms.
OIG Compliance Program Guidance: The Office of Inspector General released updated compliance program guidance specifically for nursing facilities in November 2024 — the first update since 2000. This emphasizes the seven elements of an effective compliance program and puts quality of care alongside fraud prevention. It’s not legally binding, but OIG has made clear that having an effective compliance program is considered a mitigating factor in enforcement actions.
State licensing requirements: Every state has its own set of regulations governing long-term care facilities, many of which include privacy and data security provisions that go beyond federal requirements.
The result is a regulatory stack where different agencies inspect different things on different timelines with different penalty structures — and the administrator or director of nursing is expected to manage all of it alongside their primary responsibilities. When state surveyors show up for an annual inspection, HIPAA compliance often gets deprioritized in favor of the clinical and safety issues that drive CMS star ratings.
Shift Handovers and Verbal Disclosures
Three shift changes per day. Each one involves clinical staff discussing resident conditions, medication changes, behavioral incidents, and care plan updates. These conversations happen at nurses’ stations, in hallways, in break rooms, and during walking rounds — frequently within earshot of other residents, visitors, and non-clinical staff.
Verbal disclosures account for roughly 5% of reported healthcare data breaches. In a nursing home with three daily handovers across multiple units, the exposure is constant. Staff may not even recognize these as HIPAA risks — discussing a resident’s condition feels like doing their job, not violating privacy regulations.
Hospice adds another layer. Hospice staff work in patients’ homes, discussing care plans with family members while neighbors, friends, and community contacts may be present. There is no controlled physical environment. A hospice aide discussing a patient’s medication changes on the phone from a patient’s living room while a neighbor is visiting is a scenario that happens daily across thousands of agencies.
What OCR Enforcement Looks Like in Long-Term Care
OCR has made it clear that long-term care facilities are not exempt from enforcement attention.
Cadia Healthcare — $182,000 settlement (September 2025). Five Delaware-based nursing and rehabilitation facilities settled with OCR after posting “success stories” on their websites and social media that included patient names, photographs, and details about conditions, treatment, and recovery — for 150 patients — without obtaining valid written HIPAA authorizations. This is a violation that many facilities don’t even recognize as a risk. Marketing feels harmless, but sharing identifiable patient information without authorization is a clear Privacy Rule violation regardless of intent.
Deer Oaks Behavioral Health (2025). A provider of psychological and psychiatric services to residents of long-term care and assisted living facilities settled with OCR after discharge summaries and initial assessments for 35 individuals were found to be publicly accessible online.
These cases illustrate a pattern: the violations that catch long-term care facilities aren’t always sophisticated cyberattacks. They’re operational mistakes — sharing too much in a social media post, leaving records accessible, failing to document authorizations. The kind of mistakes that happen when there’s no systematic compliance program in place and staff are focused on care delivery rather than regulatory requirements.
The Enforcement Numbers
OCR enforcement has been accelerating. In 2024, 22 investigations resulted in civil monetary penalties or settlements totaling over $9 million. The 2026 penalty tiers range from $141 per violation for unknowing violations up to $2.1 million per violation category per year for willful neglect.
For a nursing home, even a relatively minor breach can involve hundreds of residents. A facility with 120 beds that experiences a breach affecting all current residents could face per-violation penalties multiplied across every affected individual — numbers that quickly reach six figures even at the lowest penalty tier.
The 2026 Security Rule: Why It Hits Long-Term Care Harder
The proposed 2026 HIPAA Security Rule update eliminates the distinction between “required” and “addressable” implementation specifications. Every safeguard becomes mandatory, with no exceptions based on organization size.
For long-term care facilities that have relied on the “addressable” category to justify lighter security measures, this changes everything:
- Encryption at rest and in transit — every device, every email, every backup. No more documenting why a legacy medication cart doesn’t support encryption.
- Multi-factor authentication — on every system that accesses ePHI. Every EHR login, every email account, every remote access tool.
- Vulnerability scanning every six months and penetration testing annually — requirements that most nursing homes have never budgeted for.
- Technology asset inventory — a documented list of every device, system, and application that touches ePHI. In a facility with medication carts, shared workstations, mobile devices, and networked medical equipment, this inventory alone is a significant project.
- Business associate verification — not just signed BAAs, but documentation that your vendors are actually compliant.
The compliance deadline is expected approximately 240 days after the final rule publishes (anticipated May 2026), putting most facilities on a timeline through early 2027. There is no small-facility exemption.
What an Effective Compliance Program Looks Like in Long-Term Care
Given the unique challenges, a nursing home’s HIPAA compliance program needs to account for realities that a standard physician-office compliance checklist doesn’t address.
Training That Accounts for Turnover
With staff turnover averaging 82%, training can’t be a once-a-year event supplemented by orientation packets. You need:
- Standardized onboarding training that can be delivered consistently to every new hire, regardless of when they start
- Completion tracking that documents who was trained, when, and on what — with records that survive staff departures
- Role-specific training that addresses the difference between a CNA’s PHI access and an administrator’s
- Refresher training tied to specific incidents or policy changes, not just annual calendar dates
- Documentation that OCR can actually review — not binders of sign-in sheets with illegible signatures
Access Controls Built for Shared Environments
- Unique credentials for every user, including per-diem and agency staff
- Role-based access tied to job function, not convenience
- Automatic logoff configured on every shared device
- A process for same-day access termination when staff leave (critical given turnover rates)
- Audit log review on a regular schedule — not just when something goes wrong
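The audit-log review above is only useful when every line can be tied to a named, currently employed person in their own role. The script below is an added illustration, not part of the original article or any EHR product: it runs a constructed EHR access log against a hypothetical HR roster and flags the four failure modes this section describes (shared logins, accounts missing from the roster, use of an account after its separation date, and access outside a role's record sections or assigned unit). Roster fields, section names and the log format are all assumptions.

```python
from datetime import date, datetime

# Constructed HR roster (hypothetical): role, assigned unit, separation date if any.
ROSTER = {
    "jdoe":    {"role": "CNA", "unit": "East", "separated": None},
    "mlee":    {"role": "RN",  "unit": "West", "separated": None},
    "agency7": {"role": "CNA", "unit": "East", "separated": date(2026, 3, 1)},
}
# Shared logins that should not exist at all: any use is unattributable by definition.
GENERIC_ACCOUNTS = {"nurse", "medcart", "station1"}
# Record sections each role may open (hypothetical, facility-defined).
ROLE_SCOPE = {
    "CNA": {"adl", "vitals"},
    "RN":  {"adl", "vitals", "mar", "careplan", "notes"},
}
# Constructed EHR audit log: timestamp|user|resident|section|unit
SAMPLE_LOG = """\
2026-03-02T07:05:11|jdoe|R-1041|vitals|East
2026-03-02T07:08:40|nurse|R-1041|mar|East
2026-03-02T07:12:03|agency7|R-1102|adl|East
2026-03-02T15:31:27|jdoe|R-2033|mar|West
2026-03-02T15:40:00|mlee|R-2033|mar|West
"""

def review_access_log(log_text, roster=ROSTER, generic=GENERIC_ACCOUNTS, scope=ROLE_SCOPE):
    """Return (timestamp, user, reason) for every log line that needs follow-up."""
    findings = []
    for line in log_text.splitlines():
        ts, user, resident, section, unit = line.split("|")
        when = datetime.fromisoformat(ts).date()
        if user in generic:
            findings.append((ts, user, "shared account: access not attributable"))
            continue
        person = roster.get(user)
        if person is None:
            findings.append((ts, user, "account not on HR roster"))
            continue
        if person["separated"] and when >= person["separated"]:
            findings.append((ts, user, "access after separation date"))
        if section not in scope[person["role"]]:
            findings.append((ts, user, f"{section} is outside the {person['role']} role"))
        if unit != person["unit"]:
            findings.append((ts, user, f"accessed {unit} unit, assigned to {person['unit']}"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in review_access_log(SAMPLE_LOG):
        print(ts, user, reason)
```

Each finding maps to a control in the list above: a shared-account hit means unique credentials are not enforced, an after-separation hit means same-day termination failed, and a scope or unit hit means role-based access is broader than the job requires.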
Systematic BAA Management
- A complete inventory of every vendor that handles PHI
- Tracking of BAA execution dates, expiration dates, and renewal schedules
- A process for evaluating new vendors before they receive PHI access
- Documentation of vendor compliance verification (required under the 2026 rule)
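The Vendor Web section notes that most facilities cannot say which BAAs are current, which have expired, and which vendors were never assessed; the four items above are the record that answers that. As an added example (not the article's own material or any vendor's product), the script below sorts a constructed vendor inventory into those buckets and adds a renewal window and a re-verification interval, both of which are assumed values a facility would set for itself.

```python
from datetime import date, timedelta

# Constructed vendor inventory for illustration (hypothetical names and dates).
VENDORS = [
    {"name": "Regional LTC pharmacy",  "baa_signed": date(2024, 6, 1),
     "baa_expires": date(2026, 6, 1),  "last_verified": date(2025, 9, 15)},
    {"name": "Contract PT/OT/speech",  "baa_signed": date(2023, 1, 10),
     "baa_expires": date(2025, 1, 10), "last_verified": None},
    {"name": "Staffing agency",        "baa_signed": None,
     "baa_expires": None,              "last_verified": None},
    {"name": "Document destruction",   "baa_signed": date(2025, 2, 1),
     "baa_expires": date(2027, 2, 1),  "last_verified": date(2024, 12, 1)},
]

def baa_report(vendors, today, renewal_window_days=90, verify_every_days=365):
    """Bucket every PHI-handling vendor by what its BAA record needs next.

    renewal_window_days and verify_every_days are assumed facility policy
    values, not numbers from the rule itself.
    """
    report = {"no_baa": [], "expired": [], "expiring_soon": [],
              "never_assessed": [], "verification_stale": []}
    window = timedelta(days=renewal_window_days)
    stale = timedelta(days=verify_every_days)
    for v in vendors:
        name = v["name"]
        if v["baa_signed"] is None:
            report["no_baa"].append(name)            # PHI flowing with no agreement
        elif v["baa_expires"] < today:
            report["expired"].append(name)
        elif v["baa_expires"] - today <= window:
            report["expiring_soon"].append(name)
        # A signed BAA and a verified vendor are separate facts; track both.
        if v["last_verified"] is None:
            report["never_assessed"].append(name)
        elif today - v["last_verified"] > stale:
            report["verification_stale"].append(name)
    return report

if __name__ == "__main__":
    for bucket, names in baa_report(VENDORS, date.today()).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```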
Policies That Reflect Long-Term Care Operations
Generic HIPAA policy templates don’t address shift handovers, shared workstations, contracted therapy providers, hospice coordination, or the dozen other scenarios unique to long-term care. Your policies need to cover:
- Verbal disclosure guidelines during shift changes and care coordination
- Shared workstation procedures including logoff requirements and screen positioning
- Mobile device policies for staff using personal phones
- Visitor and family access to resident information
- Social media and marketing policies (the Cadia Healthcare settlement makes this one non-negotiable)
- Contracted provider access and BAA requirements
- Incident response procedures tailored to your facility’s staffing and communication structure
Integration with CMS and OIG Requirements
Rather than maintaining separate compliance programs for HIPAA and CMS, look for overlap and consolidation. The OIG’s seven elements of an effective compliance program — written standards, compliance oversight, training, reporting mechanisms, enforcement, risk assessment, and response to detected problems — map closely to what a solid HIPAA compliance program already requires. Building one program that satisfies both frameworks saves time and reduces the chance of gaps.
Getting Started Without a Dedicated Compliance Officer
Most nursing homes don’t have the budget for a full-time compliance officer, and that’s unlikely to change. The administrator or DON typically owns compliance alongside everything else on their plate.
The realistic path forward:
- Start with the risk assessment. This is the document OCR looks for first in every investigation. If you don’t have a current, thorough security risk assessment that includes a complete technology asset inventory, nothing else matters. Get this done.
- Enable MFA and verify encryption today. These are the highest-impact, lowest-cost changes you can make. Most EHR platforms and email systems support MFA at no additional cost. Device encryption (BitLocker on Windows, FileVault on Mac) is built into the operating system. These are same-week fixes.
- Audit your BAAs. Make a list of every vendor that touches PHI. Identify which ones have signed BAAs and which ones don’t. This is often the area with the most gaps — facilities discover vendors they’ve worked with for years that never signed an agreement.
- Systematize training. Move away from paper sign-in sheets and orientation packets. You need a training system that can handle continuous onboarding, tracks completion automatically, and produces the documentation OCR expects.
- Use a tool built for this. Trying to manage a compliance program across spreadsheets, Word documents, and filing cabinets doesn’t scale — especially with 82% staff turnover. A compliance platform that handles risk assessments, policy generation, training tracking, and vendor management in one place turns an overwhelming regulatory burden into a manageable system.
The facilities that get into trouble aren’t the ones that tried and fell short. They’re the ones that put compliance off because the regulatory stack felt too overwhelming to start. The most expensive HIPAA compliance program is the one you never build.