Is Your Home Care Agency Actually HIPAA Compliant? Here's How to Know for Sure

A home care agency in the Midwest received a $150,000 fine — not because of a data breach, but because a caregiver texted a client's medication information over an unsecured personal phone. One text. Six figures gone.
HIPAA violations in home care are more common than most agency owners realize, and the penalties are steep. According to the U.S. Department of Health and Human Services (HHS), OCR (Office for Civil Rights) resolved over 30,000 HIPAA complaints in the past decade, with civil penalties ranging from $100 to $50,000 per violation, capped at $1.9 million annually per violation category.
The good news? Most HIPAA violations are preventable. Whether you're building your compliance program from scratch or doing a long-overdue audit, this checklist will help you identify gaps, protect your clients, and keep your agency on the right side of federal law.
Understanding HIPAA's Relevance to Home Care Agencies

First, let's establish something important: if your agency bills Medicare, Medicaid, or private insurance, you are a covered entity under HIPAA. That means the full weight of the Health Insurance Portability and Accountability Act applies to you.
Even if you're a private-pay only agency, many states have their own data privacy laws modeled after HIPAA — and clients increasingly expect their health information to be handled with care. Building HIPAA-compliant habits protects your agency's reputation regardless of your payer mix.
HIPAA compliance for home care agencies centers on three main rules:
- The Privacy Rule — governs how Protected Health Information (PHI) can be used and disclosed
- The Security Rule — sets standards for protecting electronic PHI (ePHI)
- The Breach Notification Rule — requires agencies to notify clients and HHS if a data breach occurs
Now, let's walk through each area of your compliance program with a practical, actionable checklist.
✅ Section 1: Administrative Safeguards

Administrative safeguards are the policies, procedures, and training programs that form the backbone of your HIPAA compliance program. This is where most agencies have the biggest gaps.
Designate a HIPAA Privacy and Security Officer
Every covered entity must designate at least one person responsible for HIPAA compliance. In a small agency, this is often the owner or administrator. In larger agencies, it may be a dedicated compliance officer. Either way, the role needs to be formally assigned and documented.
- ☐ A Privacy Officer is designated and documented in writing
- ☐ A Security Officer is designated (can be the same person in small agencies)
- ☐ Contact information for both officers is available to staff
Develop and Maintain Written HIPAA Policies
- ☐ Written Privacy Policies and Procedures are in place and dated
- ☐ Policies cover minimum necessary use — staff only access PHI they need for their job
- ☐ Policies address how clients can access and amend their own records
- ☐ Policies are reviewed and updated at least annually
Conduct Ongoing Staff Training
This is one of the most cited deficiencies in HIPAA audits. Training cannot be a one-time event during onboarding — it must be ongoing.
- ☐ All employees receive HIPAA training at hire
- ☐ Annual refresher training is documented for all staff
- ☐ Training records (dates, topics, attendee signatures) are retained for at least 6 years
- ☐ Caregivers are specifically trained on mobile device use and texting policies
Conduct a Risk Analysis
A formal, documented risk analysis is required by HIPAA — not optional. Many agencies skip this, which is a serious compliance gap.
- ☐ A written risk analysis identifying potential threats to ePHI has been completed
- ☐ A risk management plan is in place to address identified vulnerabilities
- ☐ Risk analysis is updated when significant operational or technology changes occur
✅ Section 2: Physical Safeguards
Physical safeguards govern the physical environments where PHI is stored and accessed — including your office, employees' homes, and clients' homes.
- ☐ Office areas where PHI is discussed or stored are secured from unauthorized access
- ☐ Paper records containing PHI are stored in locked cabinets
- ☐ Computer screens displaying ePHI are not visible to unauthorized visitors
- ☐ A clear desk policy is enforced — PHI is not left unattended on desks or in vehicles
- ☐ Paper documents with PHI are shredded (not simply thrown away)
- ☐ Workstations have screen locks that activate after a period of inactivity
- ☐ When a caregiver leaves the agency, physical access (keys, badges) is immediately revoked
Pro Tip: Client homes present unique challenges. Remind caregivers never to discuss a client's health information within earshot of neighbors, other household members who aren't authorized, or in public spaces. A quick verbal reminder in a grocery store can constitute a HIPAA violation.
✅ Section 3: Technical Safeguards for Electronic PHI
This is where home care agencies are increasingly vulnerable — and where modern technology makes compliance significantly easier. ePHI includes anything stored or transmitted digitally: scheduling apps, billing software, electronic visit verification (EVV) records, and even text messages.
Access Controls
- ☐ Each user has a unique login — no shared passwords or usernames
- ☐ Access to ePHI is role-based (caregivers only see their client's information)
- ☐ User access is immediately terminated when an employee is discharged
- ☐ Multi-factor authentication (MFA) is enabled on systems that contain ePHI
Transmission Security
- ☐ ePHI is only transmitted over encrypted connections (TLS/SSL)
- ☐ Caregivers are prohibited from texting PHI over personal SMS apps
- ☐ Email containing PHI is encrypted before sending
- ☐ Any mobile apps used for care coordination are HIPAA-compliant and covered by a BAA
Audit Controls
- ☐ Your software logs who accessed, modified, or transmitted ePHI and when
- ☐ Audit logs are reviewed periodically for unusual activity
- ☐ Automatic logoff is enabled on devices used to access ePHI
Platforms like BridgeCare OS are built with HIPAA compliance in mind — offering encrypted data storage, role-based access controls, and audit-ready records so your agency doesn't have to cobble together compliance from multiple unsecured tools.
✅ Section 4: Business Associate Agreements (BAAs)
Any third-party vendor that handles ePHI on your behalf is considered a Business Associate under HIPAA — and you are legally required to have a signed Business Associate Agreement (BAA) with each one.
This includes:
- Your billing company or clearinghouse
- Your scheduling and EVV software provider
- Your cloud storage provider (Google Drive, Dropbox, etc.)
- Your EHR or home care management platform
- Your email provider (if used to transmit PHI)
- Any IT support or managed services company
- ☐ A current, signed BAA is on file for every Business Associate
- ☐ BAAs are reviewed when vendor contracts are renewed
- ☐ A list of all Business Associates is maintained and kept current
Warning: Many small agencies unknowingly violate HIPAA by storing client files in Google Drive or Dropbox without a BAA in place. Both Google and Microsoft offer HIPAA-compliant tiers with BAAs — but you must proactively execute that agreement. The free versions do not qualify.
✅ Section 5: Client Rights and Notice of Privacy Practices
Your clients have specific rights under HIPAA, and your agency is required to inform them of those rights in writing.
- ☐ A Notice of Privacy Practices (NPP) has been drafted and reviewed by a legal professional
- ☐ All new clients receive the NPP at the start of services
- ☐ Clients sign an acknowledgment that they received the NPP
- ☐ The NPP is posted in your office (if you have a physical location)
- ☐ A process exists for clients to request access to or amendment of their records
- ☐ A process exists for clients to file a complaint — and complaints are documented
✅ Section 6: Breach Response Planning
Despite best efforts, breaches can happen. What matters almost as much as prevention is having a clear, documented plan for how you'll respond.
- ☐ A written Breach Response Plan is in place
- ☐ Staff know how to identify and report a potential breach immediately
- ☐ Breaches affecting 500+ individuals in a state must be reported to HHS and prominent local media within 60 days
- ☐ Smaller breaches must be logged and reported to HHS in an annual summary
- ☐ Affected individuals are notified within 60 days of discovering a breach
- ☐ Breach incident reports are retained for at least 6 years
Common HIPAA Mistakes Home Care Agencies Make
Even well-intentioned agencies slip up in predictable ways. Watch out for these frequent pitfalls:
- Using personal texting apps for care coordination — This is the single most common HIPAA issue in home care. Establish a secure, HIPAA-compliant communication channel for all care-related messaging.
- Skipping the risk analysis — This is a required document, not a nice-to-have. If you're audited and can't produce one, you're in trouble.
- Failing to terminate access immediately — When a caregiver leaves your agency, their login credentials and system access must be revoked the same day.
- Treating HIPAA training as a one-time checkbox — Annual training and documentation are required. "We trained them when they were hired" isn't sufficient.
- Missing BAAs with software vendors — Review every tool your agency uses and confirm you have a signed BAA in place.
How Technology Can Simplify HIPAA Compliance
Manual HIPAA compliance — paper logs, spreadsheets, and scattered policies — creates risk. The more your operations move to purpose-built, HIPAA-compliant home care software, the easier it becomes to maintain and demonstrate compliance.
A well-designed platform handles many technical safeguards automatically: encrypted data transmission, role-based access, automatic session timeouts, and detailed audit logs. That means fewer manual controls you have to maintain and less surface area for human error.
If you're currently using a patchwork of consumer-grade tools, or if your software provider can't produce a signed BAA, it may be time to reconsider your technology stack. BridgeCare OS offers a fully HIPAA-compliant platform built specifically for home care agencies — with all the documentation, access controls, and audit capabilities your compliance program requires.
Final Thoughts: HIPAA Compliance Is an Ongoing Practice, Not a One-Time Project
HIPAA compliance isn't something you complete once and forget about. It's a living program that requires regular training, annual risk assessments, updated policies, and consistent enforcement of your procedures. The agencies that get into trouble are usually the ones that treated compliance as a box to check during startup — and then let it gather dust.
Use this checklist as a starting point for an honest audit of where your agency stands today. Identify your gaps, prioritize the highest-risk areas first, and build from there. Your clients trust you with some of the most sensitive information in their lives — and building a culture of privacy and security is one of the most important things you can do as an agency leader.
The cost of getting HIPAA right is far lower than the cost of getting it wrong.
Ready to modernize your home care agency?
BridgeCare OS unites scheduling, EVV, billing, and family transparency on one platform. Start your 14-day free trial — no credit card required.
Start Free Trial →