Cyber One Solutions logo.
Get Support

HIPAA Compliance for Home Health Agencies

Compliance / HIPAA

HIPAA Compliance for Home Health Agencies.

Home health, in-home care, and visiting-nurse agencies are HIPAA covered entities. Every visit creates and moves electronic protected health information: diagnoses, medications, plans of care, and insurance and Medicaid data. The HIPAA Security Rule at 45 CFR Part 164 requires you to protect that information with administrative, physical, and technical safeguards, and the Breach Notification Rule sets what happens when it is exposed. What makes home health distinct is that the information does not stay in an office. It travels with a mobile workforce into patients' homes and out in the field.

Cyber One Solutions supports your compliance program end to end. That covers the security risk analysis, the written safeguards, encryption and management of the laptops, tablets, and phones your field staff carry, secure access to your EHR and electronic visit verification systems, and the breach-notification process. We support your compliance rather than assume it. Your agency remains the covered entity, and we do not guarantee a regulatory outcome.

What You Get
A completed HIPAA Security Rule risk analysis (SRA) with a risk management plan that pairs each finding with a control.
Administrative, physical, and technical safeguards implemented across 45 CFR Part 164.
Full-disk encryption and mobile device management on the laptops, tablets, and phones your field staff carry into homes.
Role-based access, multi-factor authentication, and secure remote access to your EHR and electronic visit verification systems over any network.
Business associate agreements in place with the vendors that handle your ePHI, including a signed BAA with Cyber One Solutions.
A contingency plan, incident response process, and breach-notification workflow ready for HHS OCR and affected individuals.
What the Rule Requires

The HIPAA Security Rule, Mapped to Your Home Health Agency.

The Security Rule at 45 CFR Part 164 organizes its protections into administrative, physical, and technical safeguards, and its implementation specifications are either required or addressable. Addressable does not mean optional. These are the core elements every covered home health agency must put in place, written around a workforce that carries ePHI into patients' homes. Each one is paired with the work Cyber One Solutions supports against it.

Security Risk Analysis (SRA)

A documented HIPAA Security Rule risk analysis of the confidentiality, integrity, and availability of the electronic protected health information across your EHR, electronic visit verification, scheduling, and field-device systems. It pairs each identified risk with the safeguard that addresses it. The risk analysis is the foundation the rest of the program is built on and is required under 45 CFR 164.308(a)(1).

Administrative Safeguards

The policies, workforce training, access management, and sanction and review processes required under 45 CFR 164.308. For home health this is where a large, distributed, and often high-turnover field workforce is provisioned, trained, and deprovisioned in a documented way.

Physical Safeguards

Facility access controls plus workstation and device security under 45 CFR 164.310. For an agency this reaches well beyond the office to the laptops, tablets, and phones that leave it every day, including procedures for secure device disposal and media reuse.

Technical Safeguards

Access controls, audit controls, integrity controls, person or entity authentication, and transmission security under 45 CFR 164.312. In practice this is unique-user access, multi-factor authentication, encryption of ePHI in transit and at rest, and logging of who reached which record.

Business Associate Agreements & Vendor Management

The Privacy and Security Rules require a business associate agreement with every vendor that creates, receives, maintains, or transmits ePHI on your behalf. That includes your EHR, electronic visit verification, clearinghouse, and IT partners. Cyber One Solutions is a business associate and signs a BAA with you.

Contingency Plan & Breach Notification

A data backup, disaster recovery, and emergency-mode operations plan under 45 CFR 164.308(a)(7), plus the Breach Notification Rule process under 45 CFR 164.400-414. If unsecured ePHI is breached, you must notify affected individuals and HHS, and for larger breaches the media, within the required timelines.

Why It Applies to Home Health Agencies

In-home care runs on ePHI that travels with your field staff.

A home health agency is a HIPAA covered entity. It creates, receives, maintains, and transmits protected health information every time a nurse, therapist, or aide documents a visit. The Security Rule requires the agency to protect the electronic form of that information, and the reality of in-home care is that the information leaves the building with the people who deliver the care.

Home health agencies are covered entities, not bystanders.

An agency that furnishes and bills for home health, in-home care, or visiting-nurse services is a covered health care provider under HIPAA. The Privacy Rule, the Security Rule, and the Breach Notification Rule all apply to it directly.

The protected health information at stake includes diagnoses, medications, plans of care, visit notes, and insurance and Medicaid identifiers. That is exactly the information the Security Rule is written to protect, and the obligation exists whether or not you have ever had an incident.

Your workforce carries ePHI into homes and out in the field.

The defining feature of home health is a mobile workforce. Laptops, tablets, and phones go into patients' homes, and staff reach the EHR and electronic visit verification systems over untrusted home Wi-Fi and cellular networks. A lost or stolen unencrypted device is one of the most common causes of a home health breach, which makes device encryption the single highest-value control in the program.

Cyber One Solutions deploys full-disk encryption and mobile device management (MDM) across the fleet. MDM enforces encryption, screen locks, and remote wipe, keeps operating systems patched, and separates agency data from personal use. Encrypted ePHI also carries a practical benefit: under HHS guidance, properly encrypted information that is lost or stolen generally is not a reportable breach.

A large, distributed workforce needs disciplined access management and training.

Home health agencies often run high headcount and high turnover across many locations. Every hire, transfer, and departure is an access event, so unique logins, least-privilege roles, multi-factor authentication, and prompt deprovisioning matter more here than in a single-office practice.

Workforce training is an administrative safeguard in its own right. Field staff need to know how to handle PHI correctly inside a patient's home, how to recognize phishing, and what to do the moment a device goes missing. We build the access management and the training so both are documented rather than assumed.

A lost device can become a reportable breach.

The Breach Notification Rule covers unsecured ePHI, which in practice means information that is not encrypted to the HHS standard. If unsecured ePHI is breached, you must notify each affected individual without unreasonable delay and no later than 60 days, notify HHS, and, for a breach affecting 500 or more residents of a state or jurisdiction, notify prominent media within the same window.

This is where encryption and preparation pay off. Encrypting the devices that leave your office reduces the chance that a loss ever becomes a reportable breach, and a written incident response and breach-notification workflow means a real event is handled inside the deadline rather than improvised. Cyber One Solutions builds that workflow and defines what a breach means for your field devices, EHR, and EVV systems.

Frequently asked questions.

What counts as ePHI in a home health setting?

Electronic protected health information is any individually identifiable health information your agency holds or transmits in electronic form. In home health that includes EHR visit notes, plans of care, medication lists, diagnoses, referral and physician orders, insurance and Medicaid identifiers, and the data captured by electronic visit verification. If it identifies a patient and relates to their care, condition, or payment, and it lives on a device, server, or cloud system, it is ePHI and the Security Rule applies to it.

Does electronic visit verification (EVV) create HIPAA obligations?

Yes. EVV systems capture the patient, the caregiver, the service, and the time and location of each visit, which is protected health information. The EVV platform is typically a business associate, so you need a business associate agreement with it, and the devices your staff use to record visits fall under your physical and technical safeguards. We fold EVV into the risk analysis, put the BAA in place, and secure the devices and access paths that reach it.

Our field staff use their own phones. Is that allowed under HIPAA?

HIPAA does not ban personal devices, but it does require you to safeguard any ePHI they touch. A bring-your-own-device arrangement is workable only with controls: enrollment in mobile device management, encryption, a screen lock, the ability to remotely wipe agency data, and a written policy staff acknowledge. We assess the risk of BYOD for your agency and either secure it properly or move field staff to managed devices, and we document the decision either way.

Common Questions

HIPAA Compliance for Home Health Agencies, Answered.

Common questions from home health, in-home care, and visiting-nurse agencies working out what HIPAA requires and how to protect ePHI that travels with their field staff.

Don't see your question?
Our team answers questions like these every day, no sales pitch attached.
Ask a Question