HIPAA Compliance Checklist for Home Care Agencies
The HIPAA Journal says “there is no specific home health agency compliance checklist.” So we built one. This is the definitive, home-care-specific HIPAA compliance resource — covering administrative safeguards, caregiver field protocols, BAA requirements, and everything in between.
What is HIPAA and Why It Matters for Home Care
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards for protecting sensitive patient health information. Home care agencies face unique challenges in meeting these requirements.
Privacy Rule
Governs how Protected Health Information (PHI) can be used and disclosed. Establishes patient rights to access their records and sets the "minimum necessary" standard — you should only access the PHI needed for the task at hand.
Security Rule
Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Mandates risk assessments, access controls, encryption, audit trails, and workforce training. These safeguards form the backbone of this checklist.
Breach Notification Rule
Requires notification to affected individuals, HHS, and (for large breaches) the media within 60 days of discovering a breach of unsecured PHI. Applies to both covered entities and their Business Associates.
Why Home Care is Uniquely Challenging for HIPAA
Unlike hospitals and clinics, home care agencies send caregivers into uncontrolled environments every day. This creates HIPAA risks that no other healthcare setting faces.
Caregivers in the field
Staff carry PHI on mobile devices to patient homes where you cannot control the physical security environment.
Mobile devices everywhere
Phones and tablets used for documentation can be lost, stolen, or accessed by unauthorized individuals in a patient's home.
Family members present
Care is delivered in homes where family members, neighbors, and visitors may overhear conversations or see information about other patients.
Shared living spaces
Patient homes are not secure facilities. Documents can be seen by anyone in the household, and devices may be used in common areas.
HIPAA Penalty Structure
HIPAA violations carry significant financial penalties, and the Office for Civil Rights (OCR) actively investigates complaints and conducts audits. Penalties are assessed per violation, and multiple violations can stack rapidly.
Tier 1 (Unaware): $100 – $50,000 per violation
Tier 2 (Reasonable cause): $1,000 – $50,000 per violation
Tier 3 (Willful neglect, corrected): $10,000 – $50,000 per violation
Tier 4 (Willful neglect, not corrected): $50,000 per violation
Annual maximum: $1.5 million per violation category. Criminal penalties can reach up to 10 years of imprisonment for offenses committed with intent to sell PHI.
The HIPAA Compliance Checklist
Work through each category of the checklist and verify every item before checking it off. Every item includes detailed guidance specific to home care agency operations.
Common HIPAA Violations in Home Care
These are the most frequently cited HIPAA violations specific to home care agencies. Each one is entirely preventable with the right policies and technology.
Texting patient information through regular SMS
Standard text messages travel over unencrypted carrier networks and are stored on multiple servers. Even an innocent text like "Mrs. Johnson's appointment is at 3pm, she needs help with medication" contains PHI.
Leaving care plans visible in car dashboards
Paper care plans left on car seats or dashboards are visible to anyone who walks by. A parking lot theft or even a photo through the windshield can expose multiple patients' PHI.
Discussing patients with family without proper authorization
Just because a person is a family member does not mean they are authorized to receive PHI. An adult child calling about their parent's care must be verified against the patient's authorization list.
Failing to encrypt mobile devices
A lost or stolen phone without encryption is an automatic HIPAA breach if it contained any PHI — even a single patient name in a text message. With encryption enabled, the same situation may not constitute a breach.
No Business Associate Agreement with software vendors
Using any software that handles PHI without a signed BAA is a HIPAA violation — even if no breach occurs. This applies to your home care platform, your cloud storage, your billing service, and even your email provider if it handles PHI.
Shared logins and insufficient access controls
When multiple employees share a single login, there is no way to track who accessed what PHI. This violates the audit trail requirement and makes breach investigation nearly impossible. Every user needs their own credentials.
HIPAA Compliance Resources
Official sources and reference materials for staying current on HIPAA requirements.
HHS HIPAA Portal
Official U.S. Department of Health and Human Services HIPAA information, guidance documents, and regulatory text.
HIPAA Journal
Comprehensive HIPAA news, guides, and compliance resources updated regularly.
OCR Breach Portal
The official HHS breach reporting portal and public database of reported breaches affecting 500+ individuals.
AveeCare HIPAA Compliance
Learn about AveeCare's HIPAA compliance measures, security architecture, and data protection practices.
AveeCare is built for HIPAA compliance from the ground up
AES-256 encryption at rest and in transit, AWS cloud hosting with a signed BAA, role-based access controls, comprehensive audit trails, HIPAA-compliant built-in messaging, and a signed Business Associate Agreement included with every account.
Disclaimer
This checklist is for educational purposes only. It is not legal advice, and it does not constitute a guarantee of HIPAA compliance. HIPAA requirements are complex and subject to interpretation by the Office for Civil Rights (OCR). Consult a qualified healthcare compliance attorney for guidance specific to your agency's operations, state laws, and contractual obligations. This resource is current as of March 2026 and may not reflect subsequent regulatory changes.