Step-by-Step HIPAA Compliance Checklist for Home Health Agencies (2026)

This step-by-step guide helps you build a practical, audit-ready HIPAA program tailored to home health operations. Use it to standardize routines, prove due diligence, and protect electronic Protected Health Information (ePHI) across fieldwork, offices, and vendor ecosystems.

Monthly Compliance Activities

Checklist

• Run OIG LEIE screening for all employees, contractors, and key vendors; document results and remediation for any hits.
• Reconcile your vendor roster and confirm current Business Associate Agreements (BAAs); capture any scope or contact changes.
• Review access controls: remove dormant accounts, validate least-privilege roles, and confirm terminations were deprovisioned the same day.
• Sample and review audit logs from your EHR, remote visit apps, email, and file systems to spot unusual ePHI access.
• Do a quick privacy and security walk-through: locked storage, printed PHI minimization, encryption status, patching, and mobile device compliance.
• Conduct a 15-minute tabletop of incident response procedures; confirm call trees, containment steps, and documentation templates.
• Log all activities, findings, and corrective actions in a centralized tracker with owners and due dates.

Pre-Employment Screening

Checklist

• Verify identity, licensure, and credentials via primary sources; document expiration dates and renewal reminders.
• Complete OIG LEIE screening and applicable state exclusion checks before offer; repeat upon hire and monthly thereafter.
• Obtain signed confidentiality, acceptable-use, and telehealth/device use acknowledgments prior to system access.
• Assign role-based HIPAA onboarding and security awareness training; require attestation before ePHI access.
• Provision unique user IDs with least-privilege access controls; enable MFA and automatic logoff on all systems.
• For staffing agencies or outsourced functions, confirm BAAs are executed and vendor risk assessment artifacts are on file.

Quarterly HIPAA Compliance Review

Checklist

• Update your risk assessment with a focused look at new threats, changes in workflows, and technology or vendor additions.
• Audit 10–20 sample user activities against audit logs; verify appropriate access, print/export events, and off-hours usage.
• Evaluate policy effectiveness: investigate complaints, near-misses, and PHI misdirection trends; close gaps with action plans.
• Reassess Business Associate oversight: confirm active BAAs, review security attestations, and rate vendor risk tiers.
• Inventory devices that store or process ePHI; confirm encryption, patch currency, and remote wipe readiness.
• Deliver a concise report to leadership with risks, remediation timelines, and resource needs.

Annual Staff Training and Policy Review

Checklist

• Conduct organization-wide HIPAA training at least annually, plus role-specific refreshers for clinicians, schedulers, and IT.
• Run phishing simulations and secure-email exercises; address common field scenarios like family inquiries during visits.
• Review and update policies: privacy, security, sanctions, incident response procedures, BYOD/MDM, and telehealth workflows.
• Perform an enterprise-wide risk assessment; prioritize remediation items and budget for controls and monitoring.
• Maintain training rosters, test scores, and signed attestations; keep policy version history and distribution records.

CMS Survey Readiness

Checklist

• Create a survey-ready binder (digital or physical) with policies, the latest risk assessment, BAAs, training logs, incident logs, and audit log samples.
• Prepare frontline staff to explain privacy practices, minimum necessary use, misdirected-PHI steps, and visitor verification.
• Stage demonstrable controls: unique IDs, access controls matrices, MFA evidence, encryption status, and device inventory reports.
• Run a mock survey using prior findings and CMS worksheets; document a Plan of Correction template and proof of sustained fixes.

Incident Reporting

Checklist

• Identify and contain: stop the leak, recall or secure misdirected messages, disable compromised accounts, and enable remote wipe if needed.
• Activate incident response procedures: notify Privacy/Security Officers, open a ticket, and assign roles for triage and communication.
• Preserve evidence: collect audit logs, system notes, screenshots, and timelines; restrict access to need-to-know personnel.
• Perform the four-factor risk assessment to determine breach status and likelihood of compromise.
• Execute notifications when required: inform affected individuals without unreasonable delay and no later than 60 days from discovery; complete regulator and, if applicable, media notifications per thresholds.
• Document root cause, corrective actions, sanctions (if warranted), and lessons learned; update policies and training.
• Track closure and verify that similar incidents are prevented through technical or process changes.

Administrative Safeguards

Key Controls

• Designate Privacy and Security Officers with clear authority, charters, and reporting lines.
• Establish and enforce policies for privacy, security, sanctions, access authorization, and workforce termination procedures.
• Run continuous risk assessment and risk management cycles tied to realistic remediation plans and metrics.
• Manage Business Associates: maintain a complete inventory, signed Business Associate Agreements, and documented due diligence.
• Develop contingency plans: data backup, disaster recovery, and emergency-mode operations; test at least annually.
• Formalize change management for systems that handle ePHI; require security review before go-live.

Physical Safeguards

Key Controls

• Control facility access: locked records rooms, visitor logs, and restricted areas for devices storing ePHI.
• Harden workstations: position screens away from public view, use privacy filters, and auto-lock after brief inactivity.
• Manage device and media: full-disk encryption, secure transport during home visits, chain-of-custody for repairs or disposal, and certified destruction.
• Minimize paper: avoid printing PHI; if needed, secure carry cases, prompt return to office, and locked storage with shredding schedules.

Technical Safeguards

Key Controls

• Access controls: unique IDs, role-based permissions, MFA, emergency access procedures, and automatic logoff.
• Audit logs: enable detailed access and activity logging on EHR, email, file shares, and mobile apps; review and retain per policy.
• Integrity protections: change tracking, tamper-evident logs, and restricted admin rights to prevent unauthorized alterations.
• Transmission security: use encrypted portals or secure messaging for PHI; enforce TLS, VPN for remote access, and no standard SMS for ePHI.
• Device security: MDM for mobile endpoints, patch management, anti-malware, and remote wipe; block unapproved cloud sync.
• Data minimization and DLP: restrict copy/paste, external drives, and bulk exports; monitor for anomalous downloads.
• Backups and recovery: test restores for systems that store electronic Protected Health Information; document success criteria.

Conclusion

By operationalizing these checklists—monthly, quarterly, and annually—you create defensible compliance, reduce breach risk, and sustain patient trust. Keep BAAs current, verify access controls, and continuously review audit logs and risk assessment outputs to stay survey-ready in 2026.

FAQs.

What are the essential HIPAA safeguards for home health agencies?

You need strong administrative, physical, and technical safeguards that work together. Designate officers, maintain current policies, and run a living risk assessment. Control facilities and paper, encrypt devices, enforce access controls and MFA, and review audit logs routinely. Train your workforce, manage Business Associate Agreements, and test contingency and incident response procedures.

How often should HIPAA staff training be conducted?

Provide training at hire and at least annually, with role-based refreshers when duties or systems change. Reinforce with short monthly or quarterly micro-trainings, phishing simulations, and scenario drills tied to your incident response procedures.

What steps are involved in incident reporting for HIPAA breaches?

Immediately contain the issue, activate your response team, and preserve evidence such as audit logs. Perform the four-factor risk assessment, determine if a breach occurred, and issue required notifications without unreasonable delay and no later than 60 days from discovery. Document root cause, corrective actions, and policy updates, then retrain as needed.

How can home health agencies ensure CMS survey readiness?

Maintain a ready binder with policies, the latest risk assessment, BAAs, training records, incident logs, and sample access logs. Stage demonstrations of access controls, encryption, and device management. Conduct mock surveys, address gaps with a Plan of Correction, and show sustained improvements with evidence.