HIPAA Requirements for Home Health Agencies: Complete Compliance Checklist

You care for patients in their homes, which means protected health information (PHI) moves with your team—across visits, devices, and vendors. This complete compliance checklist translates HIPAA requirements for home health agencies into practical, field-ready actions you can implement today.

Use it to build a living program that aligns administrative, privacy, security, breach response, physical, and technical safeguards. Throughout, you’ll see key concepts like the minimum necessary standard, risk management plan, encryption of ePHI, multi-factor authentication, and audit log review integrated where they matter most.

Administrative Requirements

Governance and accountability

• Designate a Privacy Officer and a Security Officer with clear authority, resources, and reporting lines.
• Maintain written policies and procedures that reflect how your agency actually operates in the field.
• Retain required documentation (e.g., risk analysis, policies, training logs, BAAs) for at least six years.

Risk analysis and risk management plan

• Perform an enterprise-wide risk analysis covering all locations, apps, devices, and vendors that handle ePHI.
• Document threats, vulnerabilities, likelihood/impact, and your chosen safeguards in a risk management plan.
• Update after major changes (new EHR, telehealth, mergers) and review at least annually.

Policies, procedures, and the minimum necessary standard

• Define role-based access so staff see only the minimum necessary PHI to perform their duties.
• Embed the minimum necessary standard into scheduling, referrals, billing, and information requests.
• Require identity verification steps before sharing PHI by phone, email, fax, or portal.

Workforce management and training

• Provide new-hire and periodic training tailored to field realities (lost devices, home visits, texting).
• Run sanctioned communication channels; prohibit unapproved texting apps for PHI.
• Apply and document sanctions for violations consistently.

Contingency and incident response planning

• Maintain a data backup plan, disaster recovery plan, and emergency mode operations procedures.
• Test restores, track recovery time objectives, and document results.
• Stand up an incident response playbook for suspected breaches, including forensics, containment, and notifications.

Evaluation and continuous improvement

• Conduct periodic technical and non-technical evaluations to confirm ongoing compliance.
• Use internal audits and audit log review findings to drive corrective actions.

Privacy Rule Compliance

Notice of Privacy Practices (NPP)

• Provide the NPP at or before the first visit and make it readily available thereafter.
• Document receipt or good-faith efforts to obtain acknowledgment.

Permitted uses and disclosures

• Use and disclose PHI for treatment, payment, and health care operations without authorization.
• Obtain written authorization for marketing, most research, or other non-TPO purposes.
• Apply the minimum necessary standard to payment/operations and most external requests.

Individual rights

• Right of access: provide records within 30 days (one 30‑day extension if needed), including e-copies when requested.
• Right to request amendment, restrictions, confidential communications, and an accounting of disclosures.
• Charge only a reasonable, cost-based fee for copies when applicable.

Practical safeguards for home visits

• Verify identity before discussing PHI in homes or by phone; avoid leaving PHI on shared voicemails.
• Use cover sheets for faxes and double-check numbers; avoid visible paperwork in patients’ homes or vehicles.

Security Rule Compliance

Risk-driven security program

• Base safeguards on your risk analysis and document rationale for each decision.
• Prioritize controls that reduce real-world risks: lost mobile devices, misrouted messages, and remote access.

Encryption of ePHI and authentication

• Implement encryption of ePHI in transit (e.g., TLS) and at rest where reasonable; if not, document equivalent alternatives.
• Require multi-factor authentication for remote access, EHR portals, and privileged accounts.

Security operations

• Enable centralized logging across EHRs, email, VPN, and MDM; perform regular audit log review.
• Keep systems patched, run anti-malware, and manage vulnerabilities on a defined cadence.

Breach Notification Rule

Determine if an incident is a breach

• Conduct a four-factor risk assessment: nature/extent of PHI, unauthorized person, whether PHI was viewed/acquired, and mitigation.
• Apply limited exceptions (e.g., good-faith, unintentional access within scope) where appropriate; document your analysis.

Breach notification timeline and content

• Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
• For 500+ affected in a state/jurisdiction, notify HHS and prominent media within the same 60-day window.
• For fewer than 500, log and report to HHS within 60 days after the end of the calendar year.
• Notices must describe what happened, types of PHI involved, steps individuals should take, mitigation, and your contact info.

Response workflow

• Contain the incident, preserve evidence, and assess scope; consider law enforcement delay requests when applicable.
• Offer remediation (e.g., credit monitoring) when risk warrants; track corrective actions to closure.

Home health scenarios to prepare for

• Lost or stolen mobile devices or paper visit notes.
• Misdirected faxes, emails, or discharge summaries.
• Unapproved texting of PHI between staff or with patients.

Business Associate Agreements

Identify business associates

• EHR and billing vendors, telehealth platforms, cloud storage/backup, IT managed service providers, answering services, shredding, and transcription.
• Include remote patient monitoring, HIEs, and courier services that handle PHI.

Agreement essentials

• Define permitted uses/disclosures and require safeguards aligned to the Security Rule.
• Mandate breach reporting, flow-down terms to subcontractors, return/destruction of PHI, and HHS access rights.
• Set expectations for encryption of ePHI, multi-factor authentication, and timely incident cooperation.

Vendor risk management

• Perform due diligence, maintain a current inventory of business associate agreements, and review annually.
• Assign owners for vendor oversight and document security attestations or questionnaires.

Physical Safeguards

Facility access controls

• Secure offices, storage rooms, and file areas; use keys/badges and visitor sign-in.
• Plan for emergencies (power loss, disasters) with procedures for protecting and relocating records.

Workstation use and security

• Define where and how workstations are used; require privacy screens and automatic session timeouts.
• Prohibit storing PHI on local desktops; use secure remote access when offsite.

Device and media controls

• Maintain an asset inventory; encrypt laptops, tablets, and phones; enable remote wipe via MDM.
• Sanitize or destroy media before reuse or disposal; log chain-of-custody for devices.

Paper records in the field

• Carry only the minimum necessary paperwork in sealed folders; never leave PHI in vehicles or unattended locations.
• Return and securely store or shred documents promptly after visits.

Technical Safeguards

Access control

• Assign unique user IDs, enforce role-based access, and configure emergency access procedures.
• Require automatic logoff on mobile devices and laptops used in the field.
• Implement multi-factor authentication for remote and privileged access.

Audit controls and audit log review

• Enable detailed audit logging on EHRs, portals, email, VPN, and file systems.
• Perform routine audit log review to detect inappropriate access, after-hours activity, and anomalous downloads.
• Escalate, investigate, and document outcomes; retain logs per your retention policy.

Integrity and person/entity authentication

• Protect ePHI from improper alteration with hashing, signatures, and controlled change management.
• Use strong authentication standards and revoke access immediately when roles change or staff separate.

Transmission security and encryption of ePHI

• Encrypt data in transit (e.g., TLS) and at rest (e.g., full-disk/device encryption) wherever reasonable and appropriate.
• Use secure messaging or patient portals instead of unencrypted SMS or consumer email for PHI.
• Require VPN or zero-trust access for remote connections to internal systems.

Mobile and remote work protections

• Deploy MDM to enforce encryption, screen locks, app whitelisting, and remote wipe on agency and BYOD devices.
• Disable copy/paste and local downloads of PHI where feasible; keep field data synchronized to secure systems.

Conclusion

When you operationalize this checklist—tying the minimum necessary standard to roles, driving a documented risk management plan, enforcing encryption of ePHI and multi-factor authentication, and proving ongoing audit log review—you convert policy into practice. That’s how home health agencies stay compliant and protect patients every day.

FAQs.

What are the key HIPAA administrative requirements for home health agencies?

Designate privacy and security leadership, complete and maintain a written risk analysis, and implement a risk management plan with prioritized safeguards. Create and enforce policies (including the minimum necessary standard), train the workforce, apply sanctions, and keep business associate agreements current. Maintain contingency plans (backup, disaster recovery, emergency mode), document incidents and decisions, and retain all required records for at least six years.

How should agencies handle breach notifications?

Once a potential breach is discovered, contain it, preserve evidence, and complete a four-factor risk assessment. If notification is required, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, include required details, and offer remediation when appropriate. Report to HHS within the same 60-day window for incidents affecting 500+ individuals (and notify prominent media), or log and report smaller breaches to HHS within 60 days after year-end. Document every step, including your breach notification timeline.

What technical safeguards are required for ePHI protection?

Implement access controls (unique IDs, role-based access, emergency access), audit controls with ongoing audit log review, integrity protections, authentication, and transmission security. Encrypt ePHI in transit and at rest where reasonable and appropriate, require multi-factor authentication for remote/privileged access, enforce automatic logoff, manage vulnerabilities and patches, and secure mobile devices with MDM and remote wipe.

How often must staff training on HIPAA compliance be conducted?

Provide training for all new hires and whenever roles, systems, or policies change. As a best practice, deliver refreshers at least annually, reinforce high-risk scenarios for field staff, and document attendance and comprehension. Tailor content to real workflows so staff can apply the rules consistently during home visits and remote work.