Every remote care contract is also a data contract. HIPAA compliance in remote patient monitoring is easy for a vendor to claim and hard for a practice to verify, and the stakes just went up. The Office for Civil Rights (OCR) has carried its Risk Analysis Initiative into 2026, announcing its 11th and 12th enforcement actions in February and March of this year, and one of them targeted a software vendor, not a provider. Medicare paid more than $500 million for RPM services in 2024, per the HHS Office of Inspector General’s August 2025 report. Payment growth at that scale brings scrutiny with it.
When a practice hands patient enrollment lists, vitals data, and care plan documentation to a Remote Patient Monitoring (RPM) or Chronic Care Management (CCM) vendor, that vendor’s security posture becomes the practice’s compliance exposure. This guide covers what “HIPAA compliant” should actually mean in 2026, and how to test the claim before you sign.
Vendor compliance is now a provider problem
OCR’s Risk Analysis Initiative focuses on a specific failure: covered entities and business associates that never conducted an accurate, thorough analysis of where electronic protected health information (ePHI) lives and what threatens it. The initiative’s 2026 actions include MMG Fusion, a dental practice software company, cited for inadequate risk analysis, impermissible PHI disclosure, and late breach notification. That is a business associate, the same legal category your RPM or CCM vendor occupies.
The OIG is watching the billing side with equal attention. Its August 2025 report flagged patterns worth scrutiny, including monitoring billed for brand-new patients with no prior relationship to the practice and multiple device supply charges per patient in a single month. We covered the earlier phase of this in OIG Increases Scrutiny on RPM, and the direction has not changed: regulators expect providers to know what their vendors are doing in their name.
Start with the business associate agreement, then look past it
A signed business associate agreement (BAA) is the legal floor, not the finish line. Before evaluating anything technical, confirm four things in the paperwork itself:
- Timing. The BAA must exist before any patient data moves. No exceptions for pilots or test lists.
- Subcontractor flow-down. Device logistics partners, answering services, any offshore staffing, and cloud hosting all need equivalent agreements.
- Breach notification timelines. Specific and short. The proposed HIPAA Security Rule update would require business associates to report security incidents within 24 hours, so a vendor already operating near that standard is ahead of the market.
- Data return at exit. The agreement should state who owns and returns care plans, consent records, and audit documentation if the relationship ends. Practices switching vendors discover the cost of that omission at the worst possible time.
The 2026 HIPAA Security Rule update: where the floor is moving
OCR published a proposed overhaul of the HIPAA Security Rule on January 6, 2025, its first major revision in more than a decade. As of mid-2026 the rule has not been finalized. OCR is still working through more than 4,700 public comments, and the expected compliance window once it takes effect is roughly 180 days. That is a short runway, which is exactly why the proposal belongs in your vendor evaluation now.
The proposed rule would convert several formerly flexible safeguards into hard requirements:
- Mandatory multi-factor authentication for systems touching ePHI.
- Encryption of data at rest and in transit, no longer an “addressable” option.
- A documented asset inventory of every system that creates, receives, maintains, or transmits ePHI.
- Vulnerability scanning at least every six months and penetration testing at least annually.
A vendor that treats these as roadmap items is asking you to absorb the transition risk. A vendor that already operates this way has answered the question. For the policy context behind these shifts, the CMS 2026 Remote Care Update briefing with Elevare Law is a useful companion, and we outlined how compliance has to scale alongside program growth in Scaling Secure Care.
Seven questions that separate claims from evidence
1. Can you produce your most recent risk analysis, and when was it updated?
OCR’s enforcement record shows this is the single most common failure. A mature vendor produces the document and its revision date in days, not weeks.
2. Is multi-factor authentication enforced for every user who can view ePHI?
Including the vendor’s own clinical and support staff, not just practice-side logins.
3. Is patient data encrypted at rest and in transit, and can you document it?
Ask for the documentation, not the assurance. The proposed rule makes this mandatory.
4. How fast do you notify us of a suspected incident, and is that number in the BAA?
If the timeline lives in a slide deck instead of the contract, it does not exist.
5. Where is monitoring performed and where does data reside?
Ask specifically about offshore access to ePHI and how it is governed.
6. Do your subcontractors, including device suppliers, hold their own BAAs?
The chain is only as compliant as its weakest link, and OCR holds business associates directly liable.
7. What happens to our data if we leave?
Get export formats and timelines in writing before onboarding, not at exit. Slow or defensive answers to any of these seven are themselves data.
Evaluating vendors on reimbursement too? The 2026 Remote Care Billing and Coding Guide covers the full current code set, including the new 2-day and 10-minute codes.
Minimum compliance vs. 2026-ready
| Evaluation area | Legal minimum today | 2026-ready standard |
|---|---|---|
| BAA | Signed before go-live | Flows down to all subcontractors, 24-hour incident notification |
| Risk analysis | Performed “periodically” | Documented, updated on a defined cycle, shareable on request |
| Access control | Unique logins | Enforced MFA for all ePHI access |
| Encryption | Addressable safeguard | At rest and in transit, documented |
| Security testing | General evaluation | Vulnerability scans every 6 months, annual penetration test |
| Data return | Negotiated at exit | Export formats and timelines written into the contract |
Case in point: the Vivo Care approach to 2026 readiness
Compliance you cannot see in daily operations is compliance you cannot trust. Here is what the standard looks like in practice:
- U.S.-based, state-licensed care navigators. A nursing team approaching 150, supporting 300+ active healthcare organizations and approximately 40,000 active patients.
- Documentation aligned with CMS billing standards. Including the 2026 additions of CPT 99445 for 2-day device supply and CPT 99470 for 10-minute management time. 95.4% of active patients met the CMS billing threshold in January 2026.
- Every engagement minute logged and auditable. 25.9 million documented from 2023 through 2025.
- Public data handling commitments. The full terms are in the Vivo Care privacy policy. If you have to request a vendor’s privacy terms, that is a finding in itself.
Frequently Asked Questions
Is a signed BAA enough to make an RPM vendor HIPAA compliant?
No. The BAA establishes legal accountability, but compliance lives in the vendor’s actual safeguards: risk analysis, access controls, encryption, training, and incident response. OCR’s Risk Analysis Initiative has repeatedly penalized organizations that had paperwork in place and no supporting practice behind it.
Has the new HIPAA Security Rule been finalized?
Not yet. OCR published the proposed rule on January 6, 2025 and was still reviewing more than 4,700 public comments as of mid-2026. Once finalized, the expected compliance window is approximately 180 days, so evaluating vendors against the proposed requirements now is the lower-risk path.
Does HIPAA require RPM device data to be encrypted?
Under the current Security Rule, encryption is an addressable safeguard, meaning organizations must implement it or document why an alternative is reasonable. The proposed update would make encryption of ePHI at rest and in transit mandatory. Cellular-transmitting devices that route readings through encrypted channels without patient WiFi meet this standard cleanly.
Who is liable if my RPM vendor has a breach?
Both parties can face exposure. Business associates are directly liable under HIPAA for their own violations, and covered entities can be cited for failures in oversight, such as missing BAAs or ignoring known risks. Contractual indemnification helps, but it does not transfer regulatory accountability.
What should I do before switching to a new remote care vendor?
Confirm in writing how your current vendor will return patient data, consent documentation, and audit records, and verify the new vendor’s BAA, risk analysis, and security testing cadence before any data migrates. Vivo Care’s data commitments are documented in its privacy policy for exactly this stage of diligence.
Related reading
- The OIG Is Auditing CCM Payments. Here Is What Medicare Providers Need to Know.
- CMS 2026 Final Rule: New RPM CPT Codes (99445 & 99470) Are Here
Vendor compliance review is not a legal formality. It is the difference between a remote care program that survives an audit and one that becomes the audit. If you are evaluating RPM, CCM, or Advanced Primary Care Management (APCM) partners, Vivo Care will walk through every question in this guide with documentation on the table.