
Five Compliance Deadlines Every IDD Provider Needs on Their Calendar

Mat, Co-founder & CEO

If you operate an IDD residential program, the next four years will bring more regulatory change than the last decade combined. Here are the five deadlines that should be on every compliance team’s radar — and what they mean in practical terms.

1. HIPAA Security Rule Overhaul (Expected May 2026)

The proposed rule, published in January 2025, represents the most significant update to HIPAA security requirements since 2013. Once it is finalized (expected around May 2026), organizations will have 240 days to comply.

What it requires: mandatory MFA for all systems touching ePHI, encryption at rest, annual penetration testing, vulnerability scanning, network segmentation, and comprehensive asset inventory. For organizations that currently rely on shared passwords and unencrypted devices, this is a significant infrastructure investment.

What it means for you: if your residential staff access any patient information on mobile devices, tablets, or shared computers, every one of those endpoints needs to meet the new standard. Start the gap assessment now.

2. New Jersey S3750 — Group Home Fine Law (Mid-2026)

Signed January 19, 2026, this is the first law in New Jersey’s history that imposes financial penalties specifically on group home operators for documented compliance failures, with fines of up to $10,000 per violation.

What it means for you: if you operate in New Jersey, your incident documentation needs to be audit-ready. This law creates financial consequences for the documentation gaps that were previously just deficiency citations. Other states are watching — expect similar legislation.

3. CMS Incident Management Performance Standards (2027)

CMS is implementing performance thresholds for HCBS incident management: 90% of incidents must have investigations initiated on time, 90% must reach resolution, and 90% of corrective actions must be completed within required timeframes.

What it means for you: tracking corrective action completion across multiple facilities and multiple states requires a system, not a spreadsheet. Organizations that can’t demonstrate 90% compliance on these metrics will face consequences under the Ensuring Access rule.

4. Electronic Incident Management Systems Required (2029)

By 2029, all state HCBS programs must operate electronic incident management systems. Paper incident reporting will be eliminated at the regulatory level.

What it means for you: this isn’t optional. If your incident reporting still involves paper forms, you have three years to transition. That sounds like a lot of time until you factor in procurement cycles, implementation, training, and the parallel regulatory deadlines above.

5. The 80/20 Compensation Rule (2030)

Starting July 2030, at least 80% of Medicaid HCBS payments must go to direct care worker compensation. This puts every dollar of administrative overhead under scrutiny.

What it means for you: technology that reduces documentation burden on direct care workers isn’t just an efficiency play — it directly supports compliance with the 80/20 rule. Every minute a DSP spends filling out paper forms instead of providing care is a minute of compensation that regulators will question.


These five deadlines aren’t independent — they compound. An organization that’s behind on HIPAA will struggle with the CMS incident standards. An organization without electronic incident management will fail the 80/20 calculation. The time to start building the compliance infrastructure is now, not when the first deadline hits.

About SignumOps

SignumOps builds compliance automation technology for human services organizations. We use location intelligence, AI, and a configurable workflow engine to capture compliance data at the source — so your team spends less time on paperwork and more time on the work that matters. Learn more at signumops.ai.