The complete preparation checklist for home care agencies facing state licensing surveys, Medicare audits, HIPAA reviews, and accreditation surveys. Interactive tools, document checklists, and proven strategies to stay audit-ready year-round.
Compliance audits are not optional administrative hurdles—they are the primary mechanism regulators use to ensure home care agencies deliver safe, effective, and legally compliant care. Modern home care software with built-in compliance tracking can significantly reduce audit risk by automating documentation and alerting you to gaps in real time. In recent years, enforcement has intensified significantly. The HHS Office of Inspector General (OIG) conducted multiple provider compliance audits in 2025 alone, with findings ranging from documentation gaps to billing overpayments totaling tens of thousands of dollars per agency.
The agencies that succeed are not the ones that scramble to prepare when a survey is announced. They are the ones that build what compliance professionals call a “culture of compliance”—where meticulous documentation, proactive monitoring, and continuous improvement are woven into daily operations. Care home management software that enforces documentation standards at the point of care is the most effective way to build this culture.
Maximum HIPAA penalty per violation (willful neglect)
CMS civil monetary penalty for serious Medicare violations
Of OIG-audited agencies had at least one billing compliance finding in 2025
Beyond financial penalties, audit failures can trigger loss of Medicare/Medicaid certification (cutting off your largest revenue streams), public reporting of deficiencies (damaging referral relationships), increased scrutiny and more frequent follow-up surveys, and in severe cases, permanent exclusion from federal healthcare programs. Prevention is always cheaper than correction.
Answer these 20 questions honestly to identify compliance gaps before an auditor does. Your responses will generate a risk score by category with prioritized action items. This assessment covers the 10 core areas that auditors evaluate across all audit types.
All state and local business licenses are current and displayed as required.
Check expiration dates on every license, permit, and certificate of authority. Many states require licenses to be displayed prominently in the office.
Agency has a current NPI number and all required federal/state registrations.
Your NPI, state Medicaid provider enrollment, and Medicare certification (if applicable) must all be active and up to date.
A designated Privacy Officer is documented and has completed HIPAA training.
Your agency must designate a Privacy Officer responsible for policy enforcement. This designation must be in writing and the individual must be trained.
A Security Risk Assessment has been completed within the past 12 months.
Annual risk assessments are the single most-cited HIPAA deficiency. Document all identified risks, their likelihood, and your mitigation strategies.
All personnel files contain completed background checks performed before hire.
Every employee who provides direct care must have a criminal background check, OIG exclusion check, and state abuse registry check on file before their start date.
Current CPR certifications, licenses, and credentials are on file for all staff.
Verify that no certifications have lapsed. Track expiration dates proactively and ensure renewals are filed before the prior certification expires.
Every active client has a current, signed care plan or plan of care on file.
Care plans must be individualized, reviewed at required intervals, and signed by the client or authorized representative and the supervising nurse or administrator.
Visit notes are complete, signed, and match the authorized care plan for every visit.
Auditors compare visit notes to the care plan task-by-task. Services documented must align with services authorized. Missing or incomplete notes are a leading cause of audit findings.
Billed services match documented services for every claim submitted in the past 90 days.
Conduct a self-audit of a random sample of claims against visit documentation. Any mismatch between billed and documented services is a compliance risk.
EVV records are complete, accurate, and reconciled with billing data.
Under the 21st Century Cures Act, EVV is the primary source of truth. Ensure clock-in/out times, GPS data, and service codes are all consistent with claims.
An emergency preparedness plan is documented, reviewed annually, and accessible to all staff.
Your plan must address natural disasters, pandemics, utility failures, and communication plans for staff and clients during emergencies.
Infection control policies are current, and staff have been trained within the past 12 months.
Post-COVID, infection control is scrutinized heavily. Document policies, PPE availability, and training dates for all field and office staff.
All caregivers have completed the required 12 hours of annual in-service training.
Federal and most state regulations require 12 hours of continuing education per year for home health aides and personal care aides. Track hours and topics for every employee.
HIPAA training records with dates, content, and attendee signatures are on file for all staff.
Every employee who handles PHI must receive HIPAA training at hire and annually thereafter. Maintain signed attendance sheets documenting topic, date, and trainer.
An incident reporting system is in place and all required incidents have been reported within mandated timeframes.
State regulations specify which incidents must be reported and within what timeframe (typically 24-72 hours). Ensure your agency has a clear process for identifying, documenting, and reporting incidents.
Incident reports include root cause analysis and documented corrective actions.
It is not enough to file a report. Auditors look for evidence that the agency investigated each incident, identified the root cause, and implemented measures to prevent recurrence.
The agency conducts internal quality audits of a sample of client records at least quarterly.
A proactive quality assurance program demonstrates to regulators that your agency self-monitors. Document your audit methodology, sample size, findings, and corrective actions.
Client satisfaction surveys are conducted regularly and results are documented with action plans.
Most accreditation bodies require ongoing satisfaction measurement. Document survey results, identify trends, and maintain written action plans for areas below benchmark.
A written grievance policy is in place and has been communicated to all clients and staff.
Clients must know how to file a complaint. Your policy should include intake procedures, investigation timelines, resolution steps, and appeal rights. Provide the policy in writing at intake.
All grievances received in the past 12 months have been investigated, resolved, and documented.
Auditors will request your grievance log. Every complaint must show: date received, nature of complaint, investigation steps, resolution, date closed, and follow-up actions.
Home care agencies face up to eight distinct types of audits, each with its own focus, frequency, and consequences. Click any card to expand the details, including what the audit reviews, what happens if you fail, and how to prepare.
A pre-populated 12-month compliance calendar with the recurring deadlines every home care agency must track. Click any month to view its deadlines, add your agency-specific dates (license renewals, insurance renewals, etc.), and remove items that do not apply. Build your personalized annual compliance timeline.
Every document an auditor may request, organized by category. Check off items as you verify they are current, complete, and accessible. Track your document readiness percentage by category and overall. Your agency's documentation is its primary defense during any audit.
Based on data from state licensing surveys, OIG provider compliance audits, and accreditation survey outcomes, these are the ten most frequently cited deficiencies in home care compliance audits. Each includes the impact level and a specific prevention strategy.
Visit notes that do not align with authorized care plans, missing signatures, undocumented tasks, or care plans that have not been updated at required intervals.
Implement software that requires visit note completion before a caregiver can clock out. Use structured templates that map to care plan tasks so nothing is missed. Conduct monthly random audits of 10% of visit documentation.
Caregiver licenses, CPR certifications, or background checks that have expired or were never completed before the employee's start date.
Use automated credential tracking with alerts 90, 60, and 30 days before expiration. Never allow a caregiver to begin working until all pre-hire checks are completed and documented. Run monthly OIG/SAM exclusion checks for all staff.
Failure to conduct an annual Security Risk Assessment, or conducting one that is incomplete, undocumented, or lacks follow-through on identified vulnerabilities.
Schedule your SRA for the same month every year. Use the HHS SRA Tool or a qualified third-party assessor. Document all identified risks and maintain a written mitigation plan with deadlines and responsible parties.
Claims submitted for services that were not documented, services billed at incorrect rates, or EVV data that does not match the corresponding claim.
Reconcile EVV records with claims before submission. Implement a pre-billing quality assurance process that compares visit documentation to claim data. Use home care management software with built-in claim scrubbing.
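The EVV-to-claim reconciliation described here and in the EVV checklist item above, written out as an added example (not AveeCare's code and not any real EVV vendor's format): it assumes 15-minute billing units and constructed visit and claim records, and flags each claim line that has no same-day EVV visit, a service code the EVV data does not show, or more units than the clocked time supports.

```python
from dataclasses import dataclass
from datetime import datetime

UNIT_MINUTES = 15  # assumption: one billable unit is 15 minutes of documented care

@dataclass
class EvvVisit:
    client_id: str
    service_code: str
    clock_in: datetime
    clock_out: datetime

@dataclass
class ClaimLine:
    claim_id: str
    client_id: str
    service_code: str
    date_of_service: str  # YYYY-MM-DD
    units: int

def documented_units(visit):
    """Whole billable units supported by the EVV clock-in/clock-out span."""
    minutes = (visit.clock_out - visit.clock_in).total_seconds() / 60
    return int(minutes // UNIT_MINUTES)

def reconcile(visits, claims):
    """Return (claim_id, reason) for each claim line the EVV data does not support."""
    findings = []
    for claim in claims:
        same_day = [v for v in visits if v.client_id == claim.client_id
                    and v.clock_in.strftime("%Y-%m-%d") == claim.date_of_service]
        if not same_day:
            findings.append((claim.claim_id, "no EVV visit on date of service"))
            continue
        same_code = [v for v in same_day if v.service_code == claim.service_code]
        if not same_code:
            seen = ", ".join(sorted({v.service_code for v in same_day}))
            findings.append((claim.claim_id, f"service code {claim.service_code} not in EVV ({seen})"))
            continue
        supported = sum(documented_units(v) for v in same_code)
        if claim.units > supported:
            findings.append((claim.claim_id, f"billed {claim.units} units, EVV supports {supported}"))
    return findings

SAMPLE_VISITS = [  # constructed sample data, not real client, visit or claim records
    EvvVisit("C001", "T1019", datetime(2026, 3, 2, 9, 0), datetime(2026, 3, 2, 11, 0)),   # 8 units
    EvvVisit("C002", "S5125", datetime(2026, 3, 2, 13, 0), datetime(2026, 3, 2, 14, 30)),  # 6 units
    EvvVisit("C001", "T1019", datetime(2026, 3, 3, 9, 0), datetime(2026, 3, 3, 9, 50)),   # 3 units
]
SAMPLE_CLAIMS = [
    ClaimLine("CL1", "C001", "T1019", "2026-03-02", 8),  # fully supported by EVV
    ClaimLine("CL2", "C001", "T1019", "2026-03-03", 4),  # billed one unit more than documented
    ClaimLine("CL3", "C002", "T1019", "2026-03-02", 6),  # service code differs from EVV
    ClaimLine("CL4", "C003", "T1019", "2026-03-02", 4),  # no EVV visit at all
]
```

Run `reconcile(SAMPLE_VISITS, SAMPLE_CLAIMS)` before submission and hold every flagged claim line for review; GPS location checks are left out here but follow the same pattern.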
Policies that reference old regulations, have not been reviewed within the required timeframe, or do not exist for mandated topic areas.
Schedule an annual policy review cycle. Assign each policy section to a responsible party. Date-stamp every review and revision. Ensure staff sign acknowledgment forms when policies are updated.
Lack of documented orientation training, missing annual in-service hours, or no evidence that staff completed required topic-specific training (HIPAA, infection control, FWA).
Use a learning management system (LMS) that tracks completion automatically. Maintain signed attendance sheets for in-person training. Track cumulative hours per employee against the 12-hour annual requirement.
Incidents that were reported but lack investigation notes, root cause analysis, or documented corrective actions, or incidents that were never reported at all.
Train all staff on what constitutes a reportable incident. Use a standardized incident report form that includes mandatory fields for investigation findings and corrective actions. Establish a 24-hour internal reporting deadline.
Agencies that cannot demonstrate an active quality assurance or performance improvement program with measurable outcomes and documented evidence.
Establish at least two QAPI projects per year with defined metrics, data collection, analysis, and documented improvement outcomes. Present QAPI reports to leadership quarterly.
Clients who were not informed of their right to file a grievance, missing grievance logs, or complaints that were received but never investigated or resolved.
Provide the grievance policy in writing at intake and post it in the office. Maintain a grievance log that tracks every complaint from receipt through resolution. Set a maximum 30-day resolution timeframe.
No documented emergency plan, staff unaware of emergency procedures, or no evidence of drill exercises to test the plan.
Develop a comprehensive emergency preparedness plan covering all hazards. Conduct at least two drills per year (one tabletop, one functional). Document drill participation, findings, and improvements made.
When the auditor arrives, your preparation will be tested. How you manage the audit itself can significantly influence the outcome. Here is a structured approach to handling audit day with professionalism and confidence.
Assign one person (and one backup) to escort the auditor throughout the visit. This person should know where every document is stored, be able to answer procedural questions, and serve as the single point of contact. Having a designated coordinator prevents conflicting information from multiple staff members.
Prepare a quiet, private room with access to a computer, printer, and all key files. Pre-stage commonly requested documents: personnel file index, client roster, policy manual, training logs, and your most recent internal audit report. Having everything accessible shows preparedness and saves time.
Hold a brief all-hands meeting (or send a written notice) explaining that an audit is underway. Instruct staff to be honest, professional, and concise. They should answer exactly what is asked and not volunteer additional information. Remind them to refer complex questions to the survey coordinator rather than guessing.
Never withhold documents, make excuses, or become defensive. If you cannot locate a document immediately, say so and commit to a specific timeframe for producing it. Auditors note cooperation levels, and agencies that are forthcoming and organized tend to receive more favorable treatment when borderline findings are at issue.
Assign someone to document every question asked, every document requested, and every comment made by the auditor. These notes are critical for preparing your Plan of Correction and for understanding which areas need improvement. Record the auditor's name, credentials, and the survey ID number.
At the conclusion of the audit, request a verbal summary of preliminary findings. Ask clarifying questions about any cited deficiency. Understand the timeline for receiving the formal Statement of Deficiencies and the deadline for your Plan of Correction. This is your opportunity to provide additional context or documentation that may resolve borderline issues.
If deficiencies are cited, you will be required to submit a Plan of Correction (POC) within a specified timeframe (typically 10 business days). A strong POC demonstrates to regulators that your agency takes findings seriously and has a concrete plan to achieve and maintain compliance. Here is the framework every effective POC follows.
Restate the specific regulatory requirement that was not met and the surveyor's finding in your own words to demonstrate you understand the issue.
Example:
"The agency failed to maintain current CPR certifications for 3 of 15 direct care staff reviewed, as required by [State Regulation Section]."
Describe what was done immediately to correct the specific instances identified during the audit.
Example:
"The three identified staff members were removed from the schedule pending recertification. All three completed CPR recertification by [date]. Updated certificates are now on file."
Identify why the deficiency occurred. Go deeper than surface-level explanations to find the systemic cause.
Example:
"Investigation revealed that our manual credential tracking spreadsheet was not being updated consistently. No automated alerts were in place for upcoming expirations."
Describe the process or system changes being implemented to prevent recurrence across the entire agency, not just for the specific instances found.
Example:
"We have implemented automated credential tracking in our home care management system with alerts at 90, 60, and 30 days before expiration. A monthly compliance report now flags all credentials expiring within 60 days."
Define how you will monitor the corrective action to ensure sustained compliance, including who is responsible, what they will check, and how often.
Example:
"The Compliance Officer will run a monthly credential status report and present findings to the Administrator. Any expired or near-expiring credentials will be flagged immediately with documented follow-up."
Provide a realistic date by which all corrective actions will be fully implemented. This must be within the timeframe specified by the auditing body.
Example:
"All systemic corrective actions will be fully implemented by [date], within the 30-day correction window specified."
Never submit a POC that simply states “staff were retrained” or “policy was updated.” Surveyors want to see evidence that you identified the systemic root cause, implemented process-level changes (not just one-time fixes), and established ongoing monitoring. The strongest POCs reference specific system capabilities, named responsible parties, and measurable monitoring metrics.
HHS Office of Inspector General
Provider compliance audit reports for Medicare home health agencies, fraud enforcement data, and Work Plan priorities.
Centers for Medicare & Medicaid Services
Conditions of Participation, State Operations Manual, survey protocols, and quality reporting requirements for home health agencies.
HHS Office for Civil Rights
HIPAA enforcement data, breach report statistics, penalty tiers, and compliance guidance for covered entities.
Community Health Accreditation Partner
Accreditation standards, compliance monitor publications, and home care survey preparation guidance.
Accreditation Commission for Health Care
Home health and home care accreditation standards, common survey findings, and compliance resources.
State Departments of Health
State-specific licensing regulations, survey deficiency data, and home care agency compliance requirements.
AveeCare's care home management software automates the compliance tracking whose gaps lead to audit failures. Credential expiration alerts, EVV compliance monitoring, documentation enforcement, and real-time compliance dashboards keep your agency survey-ready every day, not just when an auditor is at the door.
Information in this guide is compiled from publicly available data published by the HHS Office of Inspector General, Centers for Medicare & Medicaid Services, HHS Office for Civil Rights, CHAP, ACHC, and various state Departments of Health. Specific regulatory requirements, penalty amounts, and compliance timeframes may vary by state and are subject to change.
This guide is provided for informational and educational purposes only. It does not constitute legal, regulatory, or compliance advice. Home care agencies should consult with qualified legal counsel, compliance consultants, and their state licensing agency to ensure full compliance with all applicable regulations.
Last updated: March 2026. AveeCare reviews and updates regulatory compliance information annually.