There are roughly 11,500 Medicare-certified home health agencies and over 6,000 hospice providers operating in the United States. Every one of them is a covered entity under HIPAA. And every one of them faces a compliance challenge that hospitals and physician offices don’t: the care happens in places you don’t control.
When a home health aide walks into a patient’s home, the controlled environment disappears. There are no locked server rooms, no badge-access doors, no IT department down the hall. There’s a nurse with a tablet, a stack of paper forms, and a family that wants to know what’s going on with their loved one. Every visit creates HIPAA exposure that a clinic-based practice simply doesn’t face.
Most HIPAA compliance guidance is written for office settings — where the biggest risk is an unlocked workstation or a misdirected fax. Home health and hospice agencies need guidance that reflects how care actually gets delivered in the field. This is that guide.
Why Home Health and Hospice Face Unique HIPAA Challenges
The fundamental problem is environmental control. In a clinic, you decide who walks through the door, where the computers are positioned, how the network is configured, and who has physical access to records. In home health, your staff are guests in someone else’s home, driving between visits in their personal vehicles, communicating over cellular networks, and working alongside family members who may or may not have authorization to receive health information.
This isn’t a theoretical risk. OCR has consistently investigated and penalized home health providers for HIPAA failures. In 2014, Hospice of North Idaho paid $50,000 to settle allegations that an unencrypted laptop containing ePHI for 441 patients was stolen from an employee’s car. This was one of the first enforcement actions targeting a hospice provider, and it established a clear precedent: small organizations and field-based care are not exempt from enforcement.
More recently, OCR’s investigations into home health agencies have frequently revealed the same pattern — a breach incident exposes an underlying lack of risk analysis, incomplete policies, and no systematic approach to managing the security challenges inherent in mobile, field-based care delivery.
Mobile Devices in the Field
This is the single biggest HIPAA risk area for home health and hospice agencies. Your clinical staff carry devices — smartphones, tablets, laptops — into patient homes every day. Those devices access, store, and transmit ePHI. And in many agencies, those devices belong to the employee, not the organization.
The BYOD Problem
Bring-your-own-device policies are common in home health because the economics make it difficult to issue agency-owned devices to every field clinician. But BYOD creates serious compliance gaps:
- No control over device security settings. You can require a passcode, but can you verify it’s actually enabled? Can you enforce encryption? Can you remotely wipe the device if the employee is terminated or the phone is stolen?
- Commingled personal and clinical data. When patient information lives on the same device where a clinician stores personal photos, text messages, and third-party apps, the attack surface expands dramatically.
- No standardized software. Different employees use different operating systems, different app versions, and different cloud backup settings — some of which may automatically sync patient data to personal cloud accounts.
If your agency allows BYOD, you need a written mobile device policy that specifies encryption requirements, passcode standards, remote wipe capabilities, prohibited applications, and procedures for lost or stolen devices. The policy needs teeth — not just recommendations, but enforceable requirements with documented acknowledgment from every employee.
If your agency issues devices, the compliance burden is more manageable but not eliminated. You still need device inventory tracking, encryption verification, patch management, and access termination procedures when staff leave.
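The mobile device requirements above (encryption, passcode, remote wipe, no personal cloud backup of clinical data, a maintained inventory) are only enforceable if someone actually checks each device against them. The following is an added example, not ComplyMD's product or any MDM vendor's code, of how an agency could run its device inventory export through its written policy and get back the devices that must not touch ePHI until fixed. The inventory records, the policy thresholds (OS baseline, 14-day check-in limit), and the field names are all constructed assumptions; a real agency would load its MDM or asset-inventory export in place of the embedded list.

```python
"""Evaluate a device inventory export against a written mobile device policy.

Every record and threshold below is constructed for illustration; a real
agency would feed its MDM or asset-inventory export into the same checks."""
from datetime import date

# Assumed policy settings (not from the page).
POLICY = {
    # Minimum OS version per platform, as an assumed patch baseline.
    "min_os": {"ios": (17, 0), "android": (14, 0)},
    # A device silent longer than this is either a stale inventory entry or possibly lost.
    "max_checkin_days": 14,
}

# Constructed MDM/inventory export. 'ownership' is 'agency' or 'byod'.
INVENTORY = [
    {"id": "TAB-001", "owner": "mkim", "ownership": "agency", "os": "ios",
     "os_version": (17, 4), "encrypted": True, "passcode": True, "remote_wipe": True,
     "clinical_app_backup": False, "last_checkin": date(2024, 3, 11)},
    {"id": "PHN-017", "owner": "jdoe", "ownership": "byod", "os": "android",
     "os_version": (13, 0), "encrypted": False, "passcode": True, "remote_wipe": False,
     "clinical_app_backup": True, "last_checkin": date(2024, 3, 10)},
    {"id": "PHN-022", "owner": "rlee", "ownership": "byod", "os": "ios",
     "os_version": (17, 2), "encrypted": True, "passcode": False, "remote_wipe": True,
     "clinical_app_backup": False, "last_checkin": date(2024, 2, 1)},
]

AS_OF = date(2024, 3, 12)  # constructed review date


def evaluate_device(device, policy, as_of):
    """Return the list of policy violations for one device, in a fixed order
    so reports are stable from one run to the next."""
    violations = []
    if not device["encrypted"]:
        violations.append("encryption_off")
    if not device["passcode"]:
        violations.append("no_passcode")
    if not device["remote_wipe"]:
        violations.append("remote_wipe_not_enrolled")
    if device["os_version"] < policy["min_os"][device["os"]]:
        violations.append("os_below_baseline")
    if device["clinical_app_backup"]:
        # Clinical app data syncing to a personal cloud account is the BYOD
        # leak path the policy exists to close.
        violations.append("clinical_data_in_personal_cloud_backup")
    if (as_of - device["last_checkin"]).days > policy["max_checkin_days"]:
        violations.append("stale_checkin")
    return violations


def noncompliant_devices(inventory, policy, as_of):
    """Map device id -> violations for every device that fails at least one check."""
    report = {}
    for device in inventory:
        violations = evaluate_device(device, policy, as_of)
        if violations:
            report[device["id"]] = violations
    return report


if __name__ == "__main__":
    for device_id, problems in noncompliant_devices(INVENTORY, POLICY, AS_OF).items():
        print(f"{device_id}: block ePHI access until fixed -> {', '.join(problems)}")
```

The useful property here is that the same function runs over agency-issued and BYOD devices alike, so a BYOD phone gets held to the written policy rather than to whatever the employee happened to configure; the stale check-in test doubles as an inventory hygiene check, since a device the MDM has not heard from in weeks is exactly the one you cannot remotely wipe.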
Point-of-Care Documentation
Most home health agencies use electronic visit verification (EVV) systems and point-of-care documentation tools that run on mobile devices. These systems access patient demographics, visit schedules, care plans, medication lists, and clinical notes — all ePHI.
What you need to verify:
- Is the connection between the mobile app and your backend systems encrypted (TLS/SSL)?
- Does the app store any patient data locally on the device, and if so, is it encrypted at rest?
- Does each clinician have unique login credentials, or are shared accounts in use?
- What happens to locally cached data when a session ends or the app is closed?
- Do you have a BAA with the EVV/documentation vendor?
Patient Data on Personal Devices
Beyond the formal clinical applications, there’s an informal layer of HIPAA risk that home health agencies struggle with: staff using personal device features to communicate about patients.
Text Messaging
Clinicians text each other about patients constantly. Shift handoffs, medication questions, scheduling changes, clinical observations — these conversations happen over iMessage, SMS, and WhatsApp, and they frequently include patient names, addresses, diagnoses, and treatment details. Every one of those messages is unsecured ePHI on a personal device.
The solution isn’t to tell clinicians to stop communicating. It’s to provide a HIPAA-compliant communication platform — encrypted messaging with access controls, audit logging, and remote wipe capability — and to make it clear that standard text messaging for patient information is prohibited. Document the policy, train on it, and enforce it.
Clinical Photography
Wound care documentation is a core function in home health. Clinicians routinely photograph wounds to track healing progress. If those photos are taken with a personal phone’s camera, they’re stored in the device’s photo library — mixed in with vacation pictures, potentially backed up to iCloud or Google Photos, and accessible to anyone who picks up the unlocked phone.
Every wound photo that includes identifiable information (and a photo taken in a patient’s home inherently includes contextual identifiers) is PHI. Your agency needs a policy that specifies how clinical photos are captured, where they’re stored, how they’re transmitted to the medical record, and when they’re deleted from the device. Purpose-built clinical photography apps that bypass the device’s native photo library and encrypt images immediately are available and should be standard.
Caregiver Access Controls
A typical home health agency employs a mix of RNs, LPNs, home health aides, physical therapists, occupational therapists, speech therapists, medical social workers, and administrative staff. Each role needs different levels of access to patient information.
The compliance challenge is twofold:
Role-based access in practice. Your EHR and documentation systems need to enforce role-based access controls so that a home health aide sees the care plan and visit schedule, but not the full clinical record that the RN needs. In practice, many agencies use a one-size-fits-all access model because configuring granular permissions is time-consuming and the vendor’s default settings provide broad access.
Access termination at scale. Home health and hospice agencies experience significant staff turnover — industry averages run between 20% and 30% annually for clinical staff, and significantly higher for aides. Every departure requires immediate access termination across every system: EHR, EVV, email, secure messaging, scheduling, and any other platform that touches ePHI. Delayed termination — the clinician who left two weeks ago but still has active login credentials — is one of the most common findings in HIPAA audits.
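The delayed-termination finding above is cheap to detect if HR separation records and each system's active-account export are reconciled on a schedule. The following is an added example, not ComplyMD's product or any EHR or EVV vendor's code, of that reconciliation: it flags separated users whose logins survived past an assumed 24-hour termination window and, for the quarterly access review, lists accounts that exist in a system but that HR cannot account for at all. The user ids, systems, timestamps and the 24-hour window are constructed assumptions; a real agency would load its HR feed and per-system user exports in their place.

```python
"""Reconcile HR separations against active-account exports from each system
that touches ePHI.

All data below is constructed for illustration; real agencies would load
HR and system exports (CSV, API pulls) in its place."""
from datetime import datetime, timedelta

# Constructed HR separation records: user id -> separation timestamp.
SEPARATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0),    # left almost two weeks ago
    "rlee": datetime(2024, 3, 10, 9, 0),    # left two days ago
    "pchen": datetime(2024, 3, 12, 0, 0),   # left overnight, still inside the window
}

# Constructed HR roster: everyone with an employment record, active or separated.
HR_ROSTER = {"mkim", "jdoe", "rlee", "pchen"}

# Constructed active-account exports, one set of user ids per system.
ACTIVE_ACCOUNTS = {
    "ehr": {"jdoe", "rlee", "pchen", "mkim", "temp01"},
    "evv": {"rlee", "mkim"},
    "email": {"jdoe", "mkim"},
    "secure_messaging": {"mkim", "contractor7"},
}

TERMINATION_WINDOW = timedelta(hours=24)  # assumed policy: disable within 24 hours
AS_OF = datetime(2024, 3, 12, 9, 0)       # constructed time of the review


def overdue_terminations(separations, active_accounts, as_of, window=TERMINATION_WINDOW):
    """Return (user, system, hours_since_separation) for every separated user
    whose account is still active after the termination window has elapsed."""
    findings = []
    for user, separated_at in separations.items():
        elapsed = as_of - separated_at
        if elapsed <= window:
            continue  # still inside the window; not yet a finding
        for system, users in active_accounts.items():
            if user in users:
                findings.append((user, system, int(elapsed.total_seconds() // 3600)))
    # Oldest departures first so the worst exposure is at the top of the report.
    findings.sort(key=lambda f: (-f[2], f[0], f[1]))
    return findings


def orphaned_accounts(hr_roster, active_accounts):
    """Accounts active in a system but absent from HR's roster entirely
    (temp logins, contractors, shared accounts); each needs an owner or removal."""
    return {system: sorted(users - hr_roster)
            for system, users in active_accounts.items()
            if users - hr_roster}


def access_review(separations, hr_roster, active_accounts, as_of):
    """Bundle both checks into the record a quarterly access review would file."""
    return {
        "as_of": as_of.isoformat(),
        "overdue_terminations": overdue_terminations(separations, active_accounts, as_of),
        "orphaned_accounts": orphaned_accounts(hr_roster, active_accounts),
    }


if __name__ == "__main__":
    report = access_review(SEPARATIONS, HR_ROSTER, ACTIVE_ACCOUNTS, AS_OF)
    for user, system, hours in report["overdue_terminations"]:
        print(f"OVERDUE  {user:<12} {system:<17} {hours:>4}h since separation")
    for system, users in report["orphaned_accounts"].items():
        print(f"ORPHANED {system:<17} {', '.join(users)}")
```

Run against the constructed data, the report shows the classic audit finding: jdoe's EHR and email logins are still active 256 hours after separation, and rlee's EHR and EVV logins 48 hours after. pchen, who separated nine hours ago, is not flagged because the window has not yet run out. The orphan check separately surfaces "temp01" and "contractor7", accounts no HR record explains, which is what the quarterly review of the active user list is meant to catch.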
Not sure where your access controls stand? Take the free HIPAA assessment to identify gaps.
Paper Records in Patient Homes
Home health hasn’t fully escaped paper. Many agencies still use paper sign-in sheets at patient homes, leave printed care plans or medication lists at the bedside for family reference, and maintain paper-based aide communication logs in the home.
Every one of those documents contains PHI. And unlike paper records in a locked filing cabinet at your office, these documents sit in a patient’s home — accessible to visitors, other service providers, cleaning staff, and anyone else who walks through the door.
What you need to address:
- Minimum necessary standard. Care plans left in the home should include only the information necessary for care delivery. A full clinical history is not appropriate for a bedside binder.
- Patient/family acknowledgment. Document that the patient (or authorized representative) understands that paper records in the home are their responsibility to safeguard.
- Retrieval procedures. When a patient discharges or care transitions, what happens to the paper records in the home? You need a documented process for retrieval or destruction.
- Sign-in sheets. If multiple caregivers or service providers sign into the same sheet, each person can see who else has visited. Depending on the context, this can disclose information about the patient’s care. Consider individual sign-in logs rather than shared sheets.
Vehicle Security
Your clinicians’ cars are mobile offices. On any given day, a home health nurse’s vehicle may contain a laptop, a tablet, printed patient schedules, supply bags labeled with patient information, and paper records in transit. A car break-in becomes a potential HIPAA breach.
The Hospice of North Idaho case referenced earlier involved exactly this scenario — PHI on a laptop stolen from a vehicle. OCR’s position is clear: if your workforce uses vehicles to transport devices or records containing PHI, your security policies must address vehicle security.
Practical requirements:
- Devices must never be left visible in a vehicle. Locked trunks or covered cargo areas are minimum requirements.
- Paper records should not be left in vehicles overnight. If records must be transported, they should be brought inside at the end of the day.
- Device encryption is your backstop. If a laptop is stolen from a car but the hard drive is fully encrypted (and the decryption key or password was not taken along with it), it may qualify for the breach notification safe harbor — meaning no notification is required because the data is rendered unusable.
- Your written policies must specifically address vehicle security, and staff must be trained on these procedures.
Family Member Access and Communication
In home health and hospice, family members are often present during care delivery. They ask questions, participate in care planning, and frequently serve as informal caregivers between visits. This creates a daily HIPAA navigation challenge that office-based providers rarely face.
Key considerations:
- Verify authorization. Before discussing a patient’s condition with a family member, clinicians need to verify that the patient has authorized disclosure to that person. This should be documented during intake and updated as needed.
- The personal representative exception. If a family member is the patient’s legal healthcare proxy or power of attorney, they have the same HIPAA access rights as the patient. Your staff need to understand this distinction and know how to verify it.
- Professional judgment in the home. HIPAA’s Privacy Rule permits disclosure to family members involved in a patient’s care when the patient is present and doesn’t object, or when the provider uses professional judgment to determine that disclosure is in the patient’s best interest. In a hospice setting, this comes up constantly — a spouse asks about medication changes, an adult child wants to understand the care plan. Your clinicians need training on when and how to exercise professional judgment under HIPAA.
- Conversations in shared spaces. In a patient’s home, there’s no private consultation room. Other family members, home aides, or visitors may be present. Clinicians should be trained to have sensitive conversations in the most private setting available and to be aware of who can overhear.
Coordination with Multiple Providers
Home health and hospice agencies don’t operate in isolation. A single patient’s care may involve the referring physician, a hospital, a pharmacy, a durable medical equipment supplier, a laboratory, a contracted therapy provider, and the patient’s insurance company. Each of these relationships involves PHI exchange, and each one requires a framework for secure communication.
Business Associate Agreements. Any vendor or provider that handles PHI on your behalf needs a signed BAA. Common home health BAA relationships include:
- EHR and documentation software vendors
- EVV system providers
- Billing and coding services
- Cloud storage and backup providers
- IT support companies
- Contracted therapy providers (if they’re not direct employees)
- Answering services that take patient calls after hours
- Staffing agencies providing temporary clinical staff
- Telehealth platform providers
- Medical supply companies that receive patient-specific orders
Treatment, payment, and healthcare operations. HIPAA permits sharing PHI without patient authorization for treatment, payment, and healthcare operations purposes. Your clinicians need to understand this so they’re not over-restricting information flow to other treating providers. Delayed clinical communication due to HIPAA confusion is a patient safety issue.
Remote Workforce Training
Every HIPAA-covered entity must train its workforce, document that training, and retrain when policies change. For home health and hospice agencies, this is operationally harder than it sounds.
Your clinicians are in the field all day. They don’t sit in an office where you can schedule a lunch-and-learn. They may work part-time, per diem, or through staffing agencies. Many home health aides are hourly employees who don’t check email regularly.
What OCR expects to see:
- Documented initial training for every workforce member, including the date, content covered, and a signed acknowledgment. “We went over it during orientation” without documentation is insufficient.
- Ongoing training when policies change, when new risks emerge, or at regular intervals (annually at minimum).
- Role-specific content. A home health aide needs different training than an RN or an office administrator. Generic one-size-fits-all training misses the field-specific scenarios — vehicle security, family communication, mobile device handling — that actually matter for home health staff.
- Training for temporary and contracted staff. If you use a staffing agency, those clinicians need HIPAA training specific to your agency’s policies, not just whatever general training the staffing company provided.
The agencies that handle this well use online training platforms that clinicians can complete on their phones between visits, with automatic tracking and completion documentation. The agencies that get into trouble use paper sign-off sheets that get lost, or verbal training sessions with no documentation at all.
The 2026 HIPAA Security Rule Changes: What Home Health Agencies Need to Know
The proposed 2026 HIPAA Security Rule update — expected to be finalized around mid-2026 — will hit home health agencies particularly hard. Several of the proposed changes directly target the security challenges inherent in mobile, distributed workforces.
Key proposed changes relevant to home health:
- Elimination of “addressable” vs. “required.” Under the current rule, some safeguards are “addressable,” meaning you can document why you chose not to implement them. Many home health agencies have used this flexibility to avoid implementing controls that are difficult in a field-based setting. Under the proposed rule, every specification would be required. No exceptions, no documented alternatives.
- Mandatory encryption everywhere. All ePHI must be encrypted at rest and in transit. For home health agencies with BYOD policies, this means every personal device that touches patient data must have verified encryption enabled. For agencies using older EHR systems or point-of-care tools that don’t support encryption, this could force software changes.
- Multi-factor authentication required. MFA for every system that accesses ePHI. Clinicians logging into the EHR on a tablet in a patient’s home will need a second authentication factor. This is manageable with modern tools but requires planning and rollout across a distributed workforce.
- Technology asset inventory. A complete, maintained inventory of every device, system, and application that creates, receives, maintains, or transmits ePHI. For agencies with BYOD and dozens of field clinicians, building and maintaining this inventory is a significant effort.
- 72-hour incident notification to HHS. The proposed rule would require notification to HHS within 72 hours of activating your incident response plan. This compressed timeline means your incident response procedures need to be tested and ready, not theoretical.
Read the full breakdown: 2026 HIPAA Security Rule Changes: What You Need to Know
Home Health & Hospice HIPAA Compliance Checklist
Use this checklist to evaluate your agency’s current compliance posture. This is not exhaustive — it covers the areas where home health and hospice agencies most commonly have gaps.
Mobile Device Security
- Written mobile device policy covering both agency-issued and personal (BYOD) devices
- Encryption verified on all devices that access ePHI
- Passcode/biometric lock required on all devices
- Remote wipe capability enabled for all devices with ePHI access
- Clinical photography policy in place — no patient photos in personal camera rolls
- Prohibited use of standard text messaging for PHI — compliant messaging platform deployed
Access Controls
- Unique login credentials for every workforce member (no shared accounts)
- Role-based access configured in EHR and documentation systems
- Documented access termination procedure executed within 24 hours of separation
- Active user access list reviewed at least quarterly
Vehicle and Field Security
- Written vehicle security policy for devices and paper records
- Staff trained on securing PHI in vehicles (trunk storage, no overnight storage)
- Paper records in patient homes limited to minimum necessary information
- Retrieval or destruction procedures for paper records at discharge
Business Associate Agreements
- BAA inventory maintained — every vendor that touches PHI identified
- Signed BAA on file for every identified business associate
- BAAs reviewed and updated annually or at contract renewal
- BAA coverage for staffing agencies, answering services, and IT support
Workforce Training
- Initial HIPAA training documented for all workforce members including aides and contractors
- Annual refresher training with documented completion
- Role-specific training content for field staff vs. office staff
- Training covers home health-specific scenarios: vehicle security, family communication, mobile devices
Risk Assessment
- Security risk assessment completed within the past 12 months
- Risk assessment covers mobile devices, field operations, and BYOD
- Technology asset inventory current and complete
- Identified risks have documented mitigation plans with timelines
Incident Response
- Written incident response plan in place
- Staff know how to report a suspected breach (including lost/stolen devices)
- Response plan tested or tabletop-exercised within the past year
- Plan accounts for the proposed 72-hour HHS notification requirement
Want the full 93-point checklist? Download it here
How ComplyMD Helps Home Health and Hospice Agencies
Home health and hospice agencies face every HIPAA challenge that office-based practices face, plus a set of risks that are uniquely difficult to manage — mobile devices, remote workforces, BYOD, vehicle security, family communication, and coordination across multiple providers. Managing all of this with spreadsheets, Word documents, and paper files doesn’t work when your workforce is distributed across a service area and your staff turns over every year.
ComplyMD is built to handle the compliance challenges that home health agencies actually face:
- Risk assessments that account for mobile devices, field operations, BYOD, and the specific threat landscape of distributed care delivery
- Policy generation tailored to home health and hospice operations — not generic templates written for a physician’s office
- Training tracking that works for a mobile workforce — online completion, automatic documentation, role-specific content, and easy onboarding for new hires and temporary staff
- BAA management that keeps every vendor relationship tracked, documented, and current
- Continuous compliance monitoring so your compliance posture doesn’t decay between annual assessments
The agencies that get into trouble with OCR aren’t the ones that tried and fell short. They’re the ones that never built a systematic compliance program because the operational complexity felt overwhelming. ComplyMD turns that complexity into a manageable system.
See where your agency stands today: 93-Point HIPAA Compliance Checklist