The HIPAA Checklist Every Home Care Agency Needs Before Going Digital

Going digital is no longer optional for home care agencies — but doing it wrong can cost you everything.

The promise of digital transformation is real: streamlined scheduling, automated billing, real-time caregiver tracking, electronic visit verification (EVV), and centralized patient records. Agencies that embrace technology are cutting costs, reducing errors, and delivering better care.

But there's a catch.

In healthcare, "going digital" without a proper compliance foundation is like building a house on sand. One breach, one audit, one disgruntled employee — and suddenly you're facing fines that start at $100 per violation and can climb to $1.9 million per year, per violation category. The Office for Civil Rights (OCR) doesn't care that you didn't know. Ignorance isn't a defense under HIPAA.

The good news: compliance isn't as complicated as it sounds — if you know what to look for before you start.

This checklist is designed specifically for home care agencies preparing to digitize their operations. Work through it carefully. If you can check every box, you're in a strong position. If you can't — that's exactly where a trusted technology partner comes in.

First, Understand What You're Protecting

Before any checklist, you need to understand the core of HIPAA compliance: Protected Health Information (PHI).

PHI is any information that can identify a patient and relates to their health condition, treatment, or payment. In home care, this includes:

  • Patient names, addresses, phone numbers, and Social Security numbers

  • Diagnosis codes and medical histories

  • Medication records and treatment plans

  • Scheduling records tied to specific patients

  • Billing and insurance information

  • EVV data (location, time, caregiver, service rendered)

  • Any photos or videos involving a patient

The moment this data touches a digital system — an app, a cloud server, an email — HIPAA applies. Full stop.

Part 1: Administrative Safeguards

Administrative safeguards are the policies, procedures, and training frameworks that govern how your team handles PHI. Most breaches don't start with a hacker — they start with a confused employee.

1. Designate a HIPAA Privacy Officer and Security Officer

Every covered entity must have named individuals responsible for HIPAA compliance. In small agencies, this is often the same person wearing two hats. What matters is that someone owns this — with documented authority and accountability.

Privacy Officer: Oversees policies for accessing and using PHI

Security Officer: Oversees the technical and physical security of ePHI (electronic PHI)

Before going digital: Both roles must be assigned in writing before any new software is deployed. If these roles are vacant, fill them first.

2. Conduct a Formal Risk Assessment

This is the single most important step — and the most commonly skipped. Under 45 CFR §164.308(a)(1), a Security Risk Assessment (SRA) is not optional. It's a legal requirement.

An SRA identifies:

  • Where PHI lives in your organization (devices, apps, paper files, third-party systems)

  • How it flows between systems and people

  • What threats exist (unauthorized access, device theft, ransomware, human error)

  • Your current vulnerabilities

  • The likelihood and impact of each risk

When you go digital, your risk surface changes dramatically. Your SRA must be updated before and after any major technology change.

Tool: The HHS Office of the National Coordinator provides a free Security Risk Assessment Tool built for small and mid-size healthcare organizations.

3. Document All Policies and Procedures

HIPAA requires written policies covering:

  • Who can access PHI and under what circumstances

  • How PHI is transmitted (internal and external)

  • Sanctions for employees who violate policies

  • How you handle access termination (when an employee leaves)

  • Breach notification procedures

  • Password and device management policies

These don't need to be 200-page legal documents — but they do need to exist, be accessible to staff, and be reviewed at least annually.

4. Train Every Employee — Before They Touch Any System

HIPAA training is mandatory. Not optional. Not "when you get around to it."

Every workforce member who has access to PHI — including caregivers using EVV apps — must be trained before they use any digital system. Training must cover:

  • What PHI is and how to protect it

  • How to use your specific systems securely (passwords, logging out, not sharing credentials)

  • What to do if they suspect a breach

  • The consequences of non-compliance

Document every training session: who was trained, when, and what was covered. If OCR audits you, they will ask for these records.

5. Establish a Workforce Access Management Process

Not everyone in your agency needs access to everything. HIPAA requires "minimum necessary" access — meaning employees should only see the PHI they need to do their job.

Before digitizing, map out:

  • Which roles need access to which data

  • Who can create, read, update, or delete patient records

  • How access is granted when someone is hired and revoked when they leave

Red flag: If your current plan is to give everyone the same login, stop. That's a compliance failure waiting to happen.

Part 2: Technical Safeguards

Technical safeguards are the security controls built into your software and systems. When evaluating any digital tool for your agency — scheduling software, EVV, billing platforms, communication apps — these are the questions you must ask.

6. Ensure All Software Supports Encryption

Any system storing or transmitting ePHI must encrypt that data:

  • At rest: Data stored on servers, devices, or in the cloud must be encrypted (AES-256 is the current standard)

  • In transit: Data moving between systems, apps, or users must use TLS 1.2 or higher

Ask every vendor directly: "Is patient data encrypted at rest and in transit?" If they can't answer clearly, that's a red flag.

7. Require Unique User Credentials and Multi-Factor Authentication (MFA)

Shared passwords are a HIPAA violation waiting to happen. Every user who accesses ePHI must have:

  • A unique username and password

  • A strong password policy (minimum length, complexity, expiration)

  • Multi-factor authentication (MFA) — a second verification step, like a code sent to their phone

MFA alone blocks over 99% of automated credential attacks. If a system your vendor is proposing doesn't support MFA, it's not enterprise-ready for healthcare.

8. Implement Automatic Session Timeouts

Any device or application that accesses ePHI must automatically log out after a period of inactivity. This is especially important for:

  • Caregiver mobile devices left unattended in a patient's home

  • Office computers in shared workspaces

  • Tablets used for intake or documentation

Most compliant platforms allow you to configure timeout periods. Set them. Enforce them.

9. Maintain Audit Logs

Your digital systems must track who accessed what, when, and what they did with it. This is called an audit log or audit trail.

Audit logs serve two purposes:

  • They deter internal misuse (employees know their actions are tracked)

  • They are essential evidence in the event of a breach or OCR audit

Before deploying any software, verify: Does it generate audit logs? How long are they retained? Can you export them?
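As an added illustration of how items 5, 8 and 9 fit together in software (example code written for this checklist, not taken from the article or from any vendor's product), the Python below mediates every read of a patient record: it enforces a per-role field allowlist ("minimum necessary"), refuses requests after 15 minutes of inactivity, and appends one audit entry per attempt, allowed or denied, so the trail itself can be exported on request. The roles, field names, timeout value and sample record are constructed assumptions.

```python
from contextlib import suppress
from datetime import datetime, timedelta, timezone

# Constructed role model (illustration, not a vendor schema): fields each role may read.
MINIMUM_NECESSARY = {
    "caregiver": {"name", "address", "care_plan", "medications"},
    "scheduler": {"name", "address", "visit_schedule"},
    "biller": {"name", "insurance", "diagnosis_codes"},
}
IDLE_TIMEOUT = timedelta(minutes=15)  # automatic logout after inactivity (item 8)


class PhiAccessGateway:
    """Mediates reads of patient records; every attempt lands in the audit trail."""
    def __init__(self):
        self.audit_log = []  # append-only; export as JSON lines when an auditor asks

    def _audit(self, session, patient_id, fields, now, outcome, reason):
        self.audit_log.append({"ts": now.isoformat(), "user": session["user"],
                               "role": session["role"], "patient_id": patient_id,
                               "fields": sorted(fields), "outcome": outcome, "reason": reason})

    def read_record(self, session, patient_id, record, fields, now):
        # session is a dict: {"user", "role", "last_activity"}; only requested fields return
        fields = set(fields)
        if now - session["last_activity"] > IDLE_TIMEOUT:
            self._audit(session, patient_id, fields, now, "denied", "idle timeout")
            raise PermissionError("session expired; re-authenticate")
        session["last_activity"] = now
        excess = fields - MINIMUM_NECESSARY.get(session["role"], set())  # item 5
        if excess:
            self._audit(session, patient_id, fields, now, "denied",
                        "outside role: " + ",".join(sorted(excess)))
            raise PermissionError(f"{session['role']} may not read {sorted(excess)}")
        self._audit(session, patient_id, fields, now, "allowed", "")
        return {f: record[f] for f in fields}


# Constructed sample data (not real PHI). demo() walks one caregiver through an
# allowed read, an over-privileged read and a timed-out read, returning the trail.
RECORD = {"name": "J. Doe", "medications": ["metformin"], "insurance": "Plan X"}
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def demo():
    gw, s = PhiAccessGateway(), {"user": "ana", "role": "caregiver", "last_activity": T0}
    gw.read_record(s, "P-001", RECORD, ["name", "medications"], T0 + timedelta(minutes=5))
    for fields, t in ((["insurance"], T0 + timedelta(minutes=10)),
                      (["name"], T0 + timedelta(minutes=40))):
        with suppress(PermissionError):  # denied reads raise but are still audited
            gw.read_record(s, "P-001", RECORD, fields, t)
    return gw.audit_log
```

The point to take to a vendor evaluation is the shape of the log entries: a denied attempt is recorded with the same detail as a successful one, which is what makes the trail useful in a breach investigation.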

10. Have a Device Management Plan

Home care is a mobile-first business. Caregivers use phones and tablets in patient homes, in transit, and in public places. Every device that touches ePHI is a potential breach point.

Your device management plan should cover:

  • Whether caregivers use agency-owned or personal devices (BYOD)

  • How devices are enrolled in a Mobile Device Management (MDM) system

  • Whether devices can be remotely wiped if lost or stolen

  • Rules about installing third-party apps on devices used for work

  • What happens to devices when a caregiver is terminated

If you don't have an MDM solution in place before going digital, this is a critical gap.

Part 3: Physical Safeguards

Physical safeguards address the real-world, tangible security of your systems and the spaces where ePHI is accessed or stored.

11. Secure Your Office Workstations

Any workstation used to access ePHI must be physically secured:

  • Positioned so screens aren't visible to unauthorized visitors or passersby

  • Equipped with screen locks when unattended

  • Located in areas where access can be controlled (locked rooms, key card access)

If you have a waiting area where patients or families come in — your staff computers should not be visible from that space.

12. Control Physical Access to Server Hardware

If you're running any on-premises servers or network equipment, they must be in a physically secured location — locked server room, locked cabinet, or similarly controlled space.

For most home care agencies going digital today, cloud-based solutions eliminate much of this risk by moving infrastructure responsibility to the vendor. But you still need to verify that your cloud vendor's data centers maintain appropriate physical controls.

13. Establish a Workstation Use Policy

Document policies for how workstations may be used. This includes:

  • Prohibition on accessing PHI from public Wi-Fi without a VPN

  • Rules about personal use on agency devices

  • Clean desk policies (no PHI left visible on desks or screens)

  • Rules about printing PHI (and how printed documents are disposed of)

Part 4: Business Associate Agreements (BAAs)

This is where many agencies make a critical — and costly — mistake.

14. Execute BAAs with Every Vendor That Touches PHI

Under HIPAA, any third-party organization that handles PHI on your behalf is a Business Associate. This includes:

  • Your EHR/EMR software vendor

  • Your scheduling software company

  • Your billing and clearinghouse services

  • Your cloud storage provider (Google Workspace, Microsoft 365, AWS, etc.)

  • Your EVV platform provider

  • Any IT support company that could access systems containing PHI

  • Your answering service or call center

Before you go live with any digital platform, you must have a signed Business Associate Agreement (BAA) with every vendor on this list. A BAA is a legal contract in which the vendor agrees to protect PHI in accordance with HIPAA requirements.

No BAA = No compliance. It doesn't matter how secure the vendor's platform is — without a signed BAA, you're out of compliance.

Ask every technology vendor before you sign: "Do you sign HIPAA Business Associate Agreements?" If the answer is no — or if they don't know what you're talking about — walk away.

15. Vet Your Vendors' Security Practices

A BAA is not a blank check. You're responsible for ensuring the vendors you work with have appropriate security controls in place. Before onboarding any technology provider, ask:

  • Can you provide a current SOC 2 Type II report? (SOC 2 is an auditor's attestation, not a certification; ask for the report itself, not just the claim)

  • Do you conduct annual third-party security audits?

  • What is your breach notification process and timeline?

  • Where is data stored, and in which jurisdictions?

  • What is your data retention and deletion policy?

  • Do you subcontract to any other vendors who would also need BAAs?

Reputable healthcare technology vendors will have clear, documented answers to all of these questions. If they're evasive or unprepared — that tells you something.

Part 5: Breach Preparedness

No system is 100% breach-proof. What separates compliant agencies from negligent ones is having a plan in place before something goes wrong.

16. Define Your Breach Response Plan

HIPAA requires a documented breach notification procedure that outlines:

  • How you identify and confirm a potential breach

  • Who is responsible for leading the response

  • The internal notification chain (who gets notified first)

  • How you assess the scope and risk of the breach

  • Documentation requirements throughout the process

17. Understand Your Notification Obligations

If a breach occurs, HIPAA is very specific about what happens next:

  • Affected individuals must be notified within 60 days of discovering the breach

  • HHS must be notified — breaches affecting 500+ individuals in a state must also be reported to prominent media outlets

  • Notification must include what happened, what PHI was involved, what you're doing about it, and how individuals can protect themselves

Agencies that self-report breaches quickly and demonstrate good-faith compliance efforts typically fare far better in OCR investigations than those who delay or attempt to conceal incidents.

18. Establish Regular Backup and Recovery Procedures

Data loss is a HIPAA concern, not just an operational one. You must be able to restore ePHI in the event of a ransomware attack, hardware failure, or accidental deletion.

Your backup plan should include:

  • Automated, encrypted backups at least daily

  • Backups stored in a separate location from primary data (offsite or separate cloud region)

  • Documented and tested recovery procedures (a backup you've never tested is not a backup)

  • Defined Recovery Time Objectives (RTO) — how long can your agency operate without access to systems?

The Bottom Line: Compliance Is a Foundation, Not a Feature

Many agencies approach HIPAA compliance as a checkbox — something to deal with after the technology is already in place. That's backwards.

Compliance is the foundation on which your digital transformation is built. Get it right first, and technology becomes a powerful accelerator. Get it wrong, and every digital tool you deploy becomes a liability.

The agencies that navigate this successfully aren't necessarily the ones with the biggest IT budgets. They're the ones that partner with technology providers who understand healthcare from the inside — who speak HIPAA fluently, who ask the right questions before a single line of data is migrated, and who treat compliance as an ongoing commitment rather than a one-time project.

Going digital should be an opportunity, not a risk. With the right partner, it can be both secure and transformative.

Ready to start your compliance assessment? Contact us to schedule a free consultation.