The FY 2026 IPPS/LTCH PPS final rule is here, and it brings meaningful updates for hospitals and critical access hospitals (CAHs) participating in the Medicare Promoting Interoperability Program. Starting with the 2026 EHR reporting period, CMS is turning up the dial on both cybersecurity and EHR safety standards.
Let’s break down the key changes—and what they mean for compliance teams.
Beginning in CY 2026, eligible hospitals and CAHs can define their EHR reporting period as any continuous 180-day stretch within the year. This gives organizations some breathing room to align reporting with operational realities while still ensuring robust participation.
Perhaps the most important change: hospitals must now attest “Yes” not only to conducting a Security Risk Analysis, but also to carrying out Security Risk Management.
This shift reflects a simple truth—identifying risks isn’t enough. Hospitals must also demonstrate they’re actively addressing vulnerabilities, mitigating threats, and reducing risks to PHI. In practice, this aligns MIPS Promoting Interoperability directly with HIPAA’s ongoing risk management requirement.
Key takeaway: A one-time annual Security Risk Analysis (SRA) no longer checks the box. Continuous documentation of corrective action and mitigation steps will be essential.
The SAFER (Safety Assurance Factors for EHR Resilience) Guides have been overhauled for 2025, streamlined into eight Guides with updated recommendations. Starting in CY 2026, hospitals and CAHs must attest “Yes” to completing a full annual self-assessment using all eight Guides—not just the high-priority version.
The new Guides emphasize patient safety, AI risks in clinical care, and stronger EHR safeguards. CMS’s move underscores its expectation that hospitals proactively use SAFER assessments as a tool for real resilience, not just paperwork.
For those ready to go further, CMS is adding an optional bonus measure under Public Health and Clinical Data Exchange. Hospitals can now receive credit for exchanging data with public health agencies via TEFCA (Trusted Exchange Framework and Common Agreement®).
This isn’t mandatory—but it signals CMS’s continued push toward nationwide interoperability.
These new requirements may feel daunting, but with the right tools, they’re an opportunity to strengthen your compliance posture:
Risk Management Workflows: Go beyond analysis with Medcurity’s built-in tools to log risks, track remediation, and document mitigation efforts, ensuring audit-ready evidence.
Automated Documentation & Reporting: Produce CMS-ready and HIPAA-aligned reports at the push of a button, reducing manual workload and audit risk.
CMS’s FY 2026 updates raise the bar: risk management, not just analysis; complete SAFER assessments, not partial checklists. Hospitals that embrace these requirements will not only stay compliant but also create safer, more resilient environments for patient care.
With Medcurity, compliance doesn’t have to feel like a burden—it can become a strategic advantage.