HIPAA is the operating compliance regime that sits in parallel with the CMS Conditions of Participation an agency operates against under 42 CFR Part 484. The Privacy Rule, the Security Rule, and the Breach Notification Rule are not licensure rules — they apply to every covered entity health care provider that transmits health information electronically in connection with a HIPAA standard transaction, regardless of whether the agency is Medicare-certified, Medicaid-only, state-licensed home care, or an LHCSA. Once an agency runs a single 837 claim through a clearinghouse, submits an OASIS through iQIES, or eligibility-checks a patient through a payer portal, it is a HIPAA covered entity and the full Part 164 framework applies. The CoP at § 484.40 (release of patient identifiable OASIS information) and the OASIS data confidentiality rules described in our OASIS-E documentation guide are layered on top of the HIPAA framework — they do not replace it, and an agency that satisfies the CoPs without satisfying HIPAA is still exposed to OCR enforcement.

This walkthrough is for agency administrators writing or auditing the HIPAA portion of the policy and procedure manual, compliance officers preparing for an OCR investigation or an internal risk analysis, and founders who are configuring the technology stack and the business associate footprint before the first patient visit. For the federal CoP backbone the HIPAA program sits inside, see the 42 CFR Part 484 working guide; for the OASIS-specific confidentiality and submission rules at § 484.40 and § 484.45, see the OASIS-E documentation guide; and for state-level overlays where state law imposes additional patient privacy obligations on top of HIPAA, the California CDPH, New York Article 36, Texas HCSSA, and Florida Rule 59A-8 deep dives describe the state-specific layers operators have to map.

The Regulatory Map — Parts 160 and 164

HIPAA's administrative simplification rules are codified at 45 CFR Parts 160, 162, and 164. For privacy and security purposes, the operating texts are Part 160 (general administrative requirements, including the enforcement framework) and Part 164 (the substantive Privacy, Security, and Breach Notification Rules). The four Subparts of Part 164 are the structural map every agency operates against:

  • Subpart A — General Provisions (§§ 164.102–164.106). Statutory basis, applicability, and the relationship between the federal rules and state law (preemption is partial — state law that is more stringent than the federal floor is not preempted).
  • Subpart C — Security Standards for the Protection of Electronic Protected Health Information (§§ 164.302–164.318). The Security Rule. Applies to electronic PHI only.
  • Subpart D — Notification in the Case of Breach of Unsecured Protected Health Information (§§ 164.400–164.414). The Breach Notification Rule.
  • Subpart E — Privacy of Individually Identifiable Health Information (§§ 164.500–164.534). The Privacy Rule. Applies to PHI in any form — paper, oral, electronic.

Part 160 supplies the definitions a covered entity has to internalize ("covered entity," "business associate," "protected health information," "electronic protected health information," "subcontractor"), the enforcement procedures OCR follows, and the civil money penalty tiers. The four-tier penalty structure under § 160.404 — adjusted annually for inflation — runs from a "did not know" tier with a per-violation minimum to a "willful neglect, not corrected" tier with per-violation maximums in the tens of thousands of dollars and an annual cap that exceeds two million dollars per violation type. OCR also retains the option to refer cases to the Department of Justice for criminal prosecution under 42 U.S.C. § 1320d-6 where the conduct meets the statutory elements.

The Privacy Rule and the Security Rule do not sit on top of state law — they coexist with it. Section 1178 of the Social Security Act and 45 CFR § 160.203 establish a general federal preemption for "contrary" state law, with explicit exceptions for state law that (1) is more stringent than the federal rule, (2) is necessary for state public health or fraud and abuse oversight, or (3) addresses controlled substances. State medical-record-confidentiality statutes that are more protective than HIPAA — including California's Confidentiality of Medical Information Act and New York's various sector-specific privacy provisions — apply alongside HIPAA, and an agency operating in those states must comply with both the federal and state floors.

Privacy Rule (Part 164 Subpart E) in the Home Setting

The Privacy Rule governs use and disclosure of PHI in any form — written, oral, electronic. Most of the operational obligations live in §§ 164.500 through 164.534, and the application to home health is meaningfully different from a hospital application because the "site" of care is the patient's residence, the caregiving relationship is sustained, and the workforce is mobile.

§ 164.502 — Uses and disclosures: General rules. A covered entity may not use or disclose PHI except as the rule permits or requires. The two pillars of the Privacy Rule are the treatment-payment-operations (TPO) permission at § 164.506 and the minimum-necessary standard at § 164.502(b). The minimum-necessary standard is more relevant in a home-health context than most hospital compliance programs realize: a scheduling coordinator who can see a full clinical record when she needs only the patient's address and visit window has more access than the standard permits, and a CRM or scheduling tool that exposes diagnosis and visit notes to billing staff who do not need them is a § 164.502(b) finding waiting to happen. The fix is role-based access in the EHR and the scheduling system, not a written policy that says staff "should" only access what they need.

§ 164.506 — Uses and disclosures to carry out treatment, payment, or health care operations. The TPO permission is what allows the agency's clinical and billing staff to use PHI without a separate authorization. Coordination of care with the ordering practitioner, the durable medical equipment vendor, the hospice receiving a transfer, and the receiving inpatient facility are all "treatment" disclosures that do not require authorization. The error mode in home health is the opposite of the hospital error mode — caregivers undershare with the ordering practitioner because the TPO permission has not been internalized, and care coordination suffers as a result.

§ 164.508 — Uses and disclosures for which an authorization is required. The non-TPO disclosures require a written authorization from the individual or the individual's personal representative. Marketing communications, sales of PHI, and most disclosures of psychotherapy notes are all authorization disclosures. Two scenarios that come up specifically in home health: (1) a marketing communication to former patients or referral sources that names a specific patient, and (2) an agency that wants to use a patient testimonial in marketing materials. Both require a § 164.508 authorization.

§ 164.510 — Uses and disclosures requiring an opportunity for the individual to agree or object. The most home-health-relevant Standard. Section 164.510(b) governs disclosures to family members, other relatives, close personal friends, or any other person the patient identifies as involved in the patient's care or payment. The covered entity may, on the basis of professional judgment, share with such persons PHI directly relevant to that person's involvement in care, provided the patient has the opportunity to object or, if incapacitated, the agency reasonably infers the patient would not object. The home setting makes this Standard live every visit: the daughter who answers the door, the spouse who lives in the same household, the home health aide from another agency providing personal care services, and the housekeeper who passes through during a visit are all third parties whose access to the patient's information has to be calibrated against § 164.510. The right operating posture is a documented "involved persons" list in the clinical record that names the family members and caregivers the patient has authorized to receive information, updated at admission and at significant change in condition.

§ 164.512 — Uses and disclosures for which an authorization or opportunity to agree or object is not required. The public-interest exceptions: required by law, public health activities, victims of abuse and neglect, judicial and administrative proceedings, law enforcement, decedents, organ donation, research, and serious threat to health or safety. Home health agencies trip on § 164.512(c) more than on any other subsection — the abuse and neglect reporting permission. State adult protective services laws often impose mandatory reporting obligations on home health staff, and the agency's HIPAA policy has to grant the disclosure permission that lets the clinician make the report; an agency policy that does not authorize the § 164.512(c) disclosure puts the clinician in conflict with state mandatory-reporting law.

§ 164.520 — Notice of privacy practices. The covered entity must provide a written notice describing the agency's uses and disclosures of PHI, the patient's rights, and the agency's duties under the Privacy Rule. For home health, the notice is delivered at the first visit (rather than the hospital's "first service delivery" point), and the agency must make a good faith effort to obtain the patient's written acknowledgment of receipt. The notice is more than a courtesy form — it is the document that grounds the patient's rights to access, amend, and account for disclosures of PHI. The notice has to be paired with the State Operations Manual Appendix B-driven patient rights notice required under § 484.50, but the two notices serve different purposes and a single combined document satisfies neither cleanly. Most agencies maintain them as separate adjacent forms in the intake packet.

§§ 164.522–164.528 — Patient rights. The right to request restrictions, the right to confidential communications, the right of access (§ 164.524), the right to amendment (§ 164.526), and the right to an accounting of disclosures (§ 164.528). The right of access is the most enforced in the post-2019 OCR era — the HIPAA Right of Access Initiative has produced dozens of settlements with covered entities that failed to provide records within the 30-day window (with one extension permitted). Home health agencies receive fewer right-of-access requests than hospitals do, but the volume rises after a complex case or a discharge with a poor outcome, and the 30-day clock is hard.

§ 164.530 — Administrative requirements. The Privacy Rule's "infrastructure" Standard. Designated privacy official, training of all workforce members on the Privacy Rule policies and procedures appropriate to their role, safeguards against incidental disclosures, complaint process, sanctions for workforce members who violate policy, mitigation of harm from improper uses or disclosures, prohibition on retaliation, and the policy-and-procedure documentation requirement at § 164.530(i). The privacy official can be the same person as the security official under § 164.308(a)(2); in small agencies, the administrator or clinical manager often holds both roles, with the formal designation documented in the policy manual.

Security Rule (Part 164 Subpart C) — Administrative, Physical, Technical Safeguards

The Security Rule applies to electronic PHI only. It is structured around three categories of safeguards plus a documentation Standard, each codified as a Standard with one or more implementation specifications. Under the rule as it operates in May 2026, implementation specifications are tagged either "required" (must be implemented as written) or "addressable" (must be either implemented, or replaced with a documented equivalent measure that achieves the same objective, or documented as not reasonable and appropriate with the rationale recorded in the policy manual). The December 2024 Security Rule NPRM proposes to eliminate the "addressable" tier and make every implementation specification required with limited exceptions; that proposal is described in a later section.

§ 164.308 — Administrative safeguards. The largest of the three Subpart C safeguard categories. Eight required Standards under paragraph (a), plus the business associate contracts Standard at paragraph (b), cover the management infrastructure of the security program:

  • Security management process (§ 164.308(a)(1)). The risk analysis (an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI) and the risk management process. The risk analysis is the single most important Security Rule artifact and the most frequently absent or inadequate finding in OCR enforcement actions. A home health agency's risk analysis has to address the home environment, the BYOD smartphone fleet, the EHR vendor, the clearinghouse, every business associate, and every workforce role with access to ePHI.
  • Assigned security responsibility (§ 164.308(a)(2)). A single named security official.
  • Workforce security (§ 164.308(a)(3)). Authorization and supervision of workforce members with access to ePHI, workforce clearance procedures, and termination procedures. Termination is the highest-risk subprocess in home health — a caregiver who leaves with credentials still active and a personal device still containing cached ePHI is a § 164.308(a)(3) finding.
  • Information access management (§ 164.308(a)(4)). Role-based access, access authorization, access establishment, and access modification.
  • Security awareness and training (§ 164.308(a)(5)). Security reminders, protection from malicious software, log-in monitoring, password management.
  • Security incident procedures (§ 164.308(a)(6)). Identification, response, and reporting of security incidents.
  • Contingency plan (§ 164.308(a)(7)). Data backup, disaster recovery, emergency mode operation, testing and revision, and applications and data criticality analysis.
  • Evaluation (§ 164.308(a)(8)). Periodic technical and nontechnical evaluation of the security program against the rule.
  • Business associate contracts (§ 164.308(b)). Written contracts with business associates that satisfy § 164.314(a) and § 164.504(e) — described in detail below.

§ 164.310 — Physical safeguards. Four Standards address the physical environment in which ePHI is stored and accessed:

  • Facility access controls (§ 164.310(a)(1)). Contingency operations, facility security plan, access control and validation procedures, and maintenance records.
  • Workstation use (§ 164.310(b)). Policies and procedures specifying the proper functions to be performed, the manner in which they are performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
  • Workstation security (§ 164.310(c)). Physical safeguards for workstations that access ePHI to restrict access to authorized users.
  • Device and media controls (§ 164.310(d)). Disposal of ePHI and the hardware on which it is stored, media re-use, accountability (track movement of hardware and media), and data backup and storage.

The Workstation Security Standard is where the home setting diverges sharply from the hospital setting: the "workstation" in home health is the caregiver's smartphone or tablet, used inside a patient's home, often visible to family members. The agency's workstation security policy has to address screen privacy, automatic locking, encryption at rest, the rules for downloading PHI to the device, and the device-recovery process when a caregiver loses or replaces the phone.

§ 164.312 — Technical safeguards. Five Standards address the technical controls applied to systems that store or transmit ePHI:

  • Access control (§ 164.312(a)(1)). Unique user identification, emergency access procedure, automatic logoff, and encryption and decryption (the last two are "addressable" under the May 2026 rule and proposed to be made required under the NPRM).
  • Audit controls (§ 164.312(b)). Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  • Integrity (§ 164.312(c)). Mechanisms to authenticate ePHI and to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
  • Person or entity authentication (§ 164.312(d)). Verification that a person or entity seeking access to ePHI is the one claimed.
  • Transmission security (§ 164.312(e)). Integrity controls and encryption of ePHI in transit (encryption is "addressable" under the current rule, with the NPRM proposing it become required).

§ 164.316 — Policies and procedures and documentation requirements. The covered entity must implement reasonable and appropriate policies and procedures, maintain the policies in written or electronic form, retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later, and make the documentation available to those persons responsible for implementing the procedures. The six-year retention rule is one of the more frequently missed Security Rule requirements — agencies that retire a policy without preserving the predecessor lose the audit trail OCR investigators expect.

§ 164.314 — Organizational requirements. The Standard that pulls business associate contracts into the Security Rule and specifies the elements those contracts must include. Read in conjunction with § 164.504(e) (described below), § 164.314 ensures that ePHI handed off to a business associate continues to receive the same protections the covered entity is required to provide.

Caregiver Smartphones and BYOD — The Practical Controls

The single largest divergence between home health HIPAA practice and hospital HIPAA practice is the device fleet. Home health visits are documented on a phone or tablet in the patient's home, often a caregiver-owned device under a bring-your-own-device (BYOD) policy. The Security Rule does not prohibit BYOD; it does require that any device that creates, receives, maintains, or transmits ePHI be subject to the agency's administrative, physical, and technical safeguards. A defensible BYOD program for home health includes:

  • A written BYOD policy that defines the eligible devices, the operating system and version requirements, the agency's right to remote-wipe, and the workforce member's obligations on loss or replacement of the device.
  • A mobile device management (MDM) or mobile application management (MAM) deployment that enforces a device passcode, automatic locking, encryption at rest, and the ability to selectively wipe agency data without touching personal data.
  • A containerized agency app that holds clinical and scheduling data in an encrypted, agency-controlled space, separate from personal photos, contacts, and messaging.
  • SMS and messaging restrictions. Standard SMS is not encrypted in transit and is not a HIPAA-compliant channel for ePHI. Patient messaging must move to a secure channel — either inside the EHR or through a HIPAA-compliant messaging vendor under a BAA.
  • Photo and screenshot rules. Wound photographs and other clinical images taken with the device camera have to land in the EHR, not the device camera roll. The MDM policy should disable camera roll syncing for clinical images, and the workforce training should include the wound-photo workflow specifically.
  • A device-loss workflow. A 24-hour reporting requirement to the security official, immediate remote wipe of agency data, password reset on all agency systems, and a documented incident review entered into the security incident log under § 164.308(a)(6). The lost-phone scenario is a security incident regardless of whether the device was passcode-locked.
  • Termination workflow. A documented sequence — disable EHR account, revoke MDM enrollment, remote-wipe agency data, recover any agency-issued equipment — completed within a defined window and recorded in the personnel file. The termination workflow is explicitly required under § 164.308(a)(3)(ii)(C) (termination procedures).

For agencies that prefer a corporate-issued device fleet, the trade-off is upfront cost and inventory burden against a meaningfully reduced risk-analysis surface. A purely corporate-device program is the simpler HIPAA posture; a BYOD program is operationally cheaper and is what most home health agencies actually run.

Family Member Exposure and the Shared-Home Reality

The home is not a HIPAA-compliant facility. Family members live there, roommates pass through, other caregivers from other agencies overlap in the household, and the physical environment is not under the agency's control. The Privacy Rule's incidental-disclosure doctrine at § 164.502(a)(1)(iii) and the reasonable-safeguards Standard at § 164.530(c) recognize this reality and do not require the agency to eliminate every overheard conversation. They do require the agency to take "reasonable safeguards" to limit incidental disclosures and to avoid exposures that are reasonably avoidable.

Operationally, the home setting requires a small set of disciplines that hospital programs do not need:

  • Position the device away from third-party line of sight. Clinicians document with the screen oriented away from family members, roommates, and visitors. The MDM-enforced screen privacy and short auto-lock support this.
  • Clarify "involved persons" at admission. The clinical record names the family members and caregivers the patient has authorized to receive PHI under § 164.510(b) and identifies the persons who should not. The list is updated at significant change in condition and at each recertification.
  • Speak at a normal conversational volume during care discussions, not a hospital-corridor projection. Phone calls with the ordering practitioner happen out of earshot of household members where possible.
  • Manage paper purposefully. If paper notes go into the home (medication lists, plan-of-care excerpts, education handouts), they go in a way that does not become a privacy spill — placed in a defined location, not left on the kitchen counter or the front-hall table where a delivery person can read them.
  • Treat written PHI in the patient's clinical bag as ePHI's analog cousin. The bag is part of the agency's "facility" while it is in the caregiver's possession. Locked car storage when the caregiver is between visits, controlled access at the clinician's home, and a clean-up workflow at end of shift are reasonable safeguards under § 164.530(c).

The third-party-overlap scenario specific to home health — a personal-care aide from another agency on shift in the same household — requires explicit treatment. The personal-care aide is not part of the home health agency's workforce, has no need-to-know for the agency's ePHI, and is not entitled to access the clinical record. The clinical record stays in the EHR; if the second agency needs information for coordination of care, it flows through the formal § 164.506 treatment disclosure pathway with the patient's involvement, not through informal hand-offs.

Business Associate Agreements (§ 164.504(e)) — Required Elements

A business associate is a person or entity that, on behalf of a covered entity, performs or assists in performing a function or activity involving the use or disclosure of PHI, or provides services to the covered entity that involve the use or disclosure of PHI (45 CFR § 160.103). For home health, the typical business-associate footprint includes:

  • The EHR vendor
  • The electronic visit verification (EVV) vendor or EVV aggregator
  • The telehealth platform
  • The scheduling and routing software vendor
  • The billing service or RCM vendor
  • The clearinghouse for 837/835 transactions
  • The HHCAHPS survey vendor
  • The OASIS submission utility (if separate from the EHR)
  • The cloud storage and backup provider
  • The IT managed service provider
  • The shredding and document-destruction vendor
  • The answering service or call center
  • The payroll provider (if it receives any PHI tied to specific patients)
  • The lawyers, accountants, and consultants who receive PHI in connection with their services

Section 164.504(e) requires the covered entity to have a written contract with each business associate that contains specific elements. Under § 164.314(a), the same contract requirements apply to the Security Rule's coverage of ePHI. The required elements:

  • Establish the permitted and required uses and disclosures of PHI by the business associate. The contract must not authorize the business associate to use or further disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity itself.
  • Provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law.
  • Require the business associate to use appropriate safeguards and, with respect to ePHI, to comply with Subpart C (the Security Rule) — implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.
  • Require the business associate to report to the covered entity any use or disclosure of PHI not provided for by the contract of which it becomes aware, including breaches of unsecured PHI as required by § 164.410.
  • Require the business associate to ensure that any subcontractors to whom it provides PHI agree to the same restrictions and conditions that apply to the business associate.
  • Require the business associate to make available PHI to the covered entity to satisfy the individual's right of access under § 164.524, the right of amendment under § 164.526, and the right of an accounting of disclosures under § 164.528.
  • Require the business associate, to the extent it is to carry out a covered entity's obligation, to comply with the Privacy Rule requirements that apply to the covered entity.
  • Make available the business associate's internal practices, books, and records to the Secretary of HHS for purposes of determining the covered entity's compliance.
  • Require the business associate to return or destroy all PHI received from the covered entity at termination of the contract, if feasible. If not feasible, the contract must extend the protections to the information and limit further uses and disclosures to those purposes that make return or destruction infeasible.
  • Authorize the covered entity to terminate the contract if it determines the business associate has violated a material term.

Two operational realities a home health compliance lead has to internalize. First, the HHS Sample Business Associate Agreement on the OCR website is a starting template, not a finished document — it has to be specialized to the actual data flow with each vendor, including the named permitted uses, the breach-notification timeline, the indemnification provisions (which HIPAA does not require but most covered entities want), and the cyber-insurance representation. Second, an EVV aggregator or scheduling vendor that says "we are not a business associate, we just transmit data" is almost always wrong. The HITECH Act of 2009 and the Omnibus Rule of 2013 expanded the business-associate definition to include any entity that "creates, receives, maintains, or transmits" PHI on behalf of a covered entity. A vendor that holds ePHI on its servers — even briefly — is a business associate, and the agency must have a BAA in place before any production data flows.

BAAs With Home-Health-Specific Vendors — Where the Gaps Are

The vendor categories where BAAs most often fail to cover the actual data flow:

Electronic Visit Verification (EVV) vendors and state EVV aggregators. The 21st Century Cures Act EVV mandate (in effect for personal care services since 2020 and home health services since 2023, with state-level implementation variation) requires agencies to capture electronic verification of every visit and transmit data to the state Medicaid program through a designated aggregator. The data flow includes patient identifiers, date and time of service, service type, and service location — all PHI. Both the EVV vendor and the state aggregator are business associates, and the agency must have a BAA with the EVV vendor; the state aggregator's relationship is typically governed by a state-issued participation agreement that references the BAA terms.

Telehealth platforms. The temporary OCR enforcement-discretion notice that allowed certain non-public-facing video applications to be used during the COVID-19 public health emergency expired on August 9, 2023. Since the expiration, every telehealth platform used by a home health agency must be covered by a BAA. Consumer products without a HIPAA-compliant business associate offering — most of the consumer videoconferencing products in the form a household uses them — are not appropriate for clinical telehealth.

Scheduling and routing software. The scheduling tool sees the patient's address, the visit window, the service type, and frequently the diagnosis code. It is a business associate, and the BAA has to be in place before any patient is loaded into the schedule.

Billing and RCM services. The most consistently understood BAA relationship — the billing service is plainly a business associate. The gap to watch is the chain of subcontractors the billing service uses (offshore data-entry, claims-scrubbing tools, denial-management vendors). Section 164.504(e)(2)(ii)(D) requires the business associate to ensure subcontractors agree to the same restrictions, but only the billing service can document that for its subcontractors. Ask for the subcontractor BAA chain in writing during procurement.

Cloud and SaaS infrastructure. The cloud hyperscalers (AWS, Microsoft Azure, Google Cloud) all offer HIPAA-compliant services under a covered entity-signed BAA, but the BAA covers only certain services within the platform. A new product the engineering team enables without checking the BAA scope can move ePHI into a service that is not BAA-covered. The agency's procurement process has to include a BAA-scope check at every new SaaS deployment.

Answering services and call centers. Where a call center handles after-hours calls and creates a clinical note based on the call, the call center is a business associate. Where the call center merely records that a call came in and forwards it without taking PHI, it may not be — but the cleaner posture is to assume BA status and put a BAA in place.

HIPAA-compliant fax, secure email, and document delivery vendors. All business associates. Standard outbound fax to a known clinician number is treated as TPO disclosure; the fax vendor that handles the transmission is a business associate.

Breach Notification Rule (Part 164 Subpart D) — The 60-Day Clock

Subpart D imposes a notification regime that runs to the affected individuals, the Secretary of HHS, and in some cases the media. The regulatory anchors:

§ 164.402 — Definitions. A "breach" is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. The rule presumes a breach when an impermissible use or disclosure occurs, unless the covered entity demonstrates a low probability of compromise through a documented four-factor risk assessment that addresses (1) the nature and extent of the PHI involved, (2) the unauthorized person who used the PHI or to whom the disclosure was made, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI has been mitigated.

§ 164.404 — Notification to individuals. The covered entity must provide notice to each affected individual without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. Discovery is the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity. The notice must be in plain language and must include a description of the breach, the types of PHI involved, the steps the individual should take to protect themselves, what the covered entity is doing to investigate and mitigate, and contact information for the individual to ask questions. Written notification by first-class mail is the default; email is permitted if the individual has agreed to receive electronic notice. Substitute notice is required where direct notice is infeasible.

§ 164.406 — Notification to the media. Where the breach involves more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery.

§ 164.408 — Notification to the Secretary. The covered entity must notify HHS of every breach. For breaches involving 500 or more individuals, notification is contemporaneous with the individual notification (within 60 days) and the breach is posted on the OCR public "wall of shame" portal at hhs.gov/ocr/breach. For breaches involving fewer than 500 individuals, the covered entity may submit an annual log within 60 days of the end of the calendar year.

§ 164.410 — Notification by a business associate. A business associate that experiences a breach must notify the covered entity without unreasonable delay and in no case later than 60 days after discovery. The covered entity's 60-day clock typically starts at the business associate's notification, but the BAA can shorten the business associate's reporting timeline (most agencies negotiate 24-, 48-, or 72-hour notification provisions in the BAA so the covered entity has time to investigate before the individual-notification clock expires).

§ 164.412 — Law enforcement delay. Where a law enforcement official states that notification would impede a criminal investigation or cause damage to national security, the covered entity may delay notification for the period the official requests in writing or, if the request is oral, for no longer than 30 days from the oral statement.

The operational discipline a home health breach response requires: a documented incident workflow that triggers within 24 hours of any suspected breach, a four-factor risk assessment template prepared in advance and reviewable by counsel, a notification packet with the § 164.404(c) content elements pre-built and customizable, a list of state media outlets keyed to the state of residence of each affected individual, and a queue process to file the OCR breach portal submission within the 60-day window. Most home health breaches discovered to date have involved a lost or stolen device, a misdirected fax, an email sent to the wrong recipient, or a billing-vendor misconfiguration that exposed records — all incidents the agency can rehearse in advance.
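The clock rules in §§ 164.402–164.412 above are easy to get wrong under pressure, so a breach-response template usually carries a deadline calculator. The one below is an added example, not code from the page or from any agency's manual: it encodes the 60-day individual clock, the more-than-500-residents media trigger, the 500-or-more HHS contemporaneous notice versus the annual log, the 30-day cap on an oral law-enforcement request, the business associate's 60-day (or BAA-shortened) reporting window, and the four-factor presumption of breach. The dates and names are constructed, and treating a law-enforcement hold as pushing the notice date to the end of the hold is this example's own modeling assumption.

```python
"""Breach-notification clock for 45 CFR Part 164 Subpart D (added example, not the page's code).

Inputs are constructed for illustration. The hold-extends-deadline treatment of a
law-enforcement delay is an assumption of this example, not a statement of the rule.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

INDIVIDUAL_NOTICE_DAYS = 60    # § 164.404: no later than 60 calendar days after discovery
MEDIA_THRESHOLD = 500          # § 164.406: more than 500 residents of one state/jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500  # § 164.408: 500 or more individuals -> notify HHS with the individual notice
ANNUAL_LOG_DAYS = 60           # § 164.408: under-500 breaches go in a log filed within 60 days of year end
ORAL_LE_HOLD_DAYS = 30         # § 164.412: an oral law-enforcement request caps the delay at 30 days
BA_REPORT_DAYS = 60            # § 164.410: business associate reports within 60 days of its discovery

# § 164.402 four-factor risk assessment: each factor must carry a documented finding.
FOUR_FACTORS = ("nature_and_extent_of_phi", "unauthorized_recipient",
                "acquired_or_viewed", "extent_of_mitigation")


@dataclass
class RiskAssessment:
    findings: dict = field(default_factory=dict)   # factor name -> written finding
    low_probability_of_compromise: bool = False     # the documented conclusion

    def is_breach(self) -> bool:
        """An impermissible use or disclosure is presumed a breach unless all four
        factors are documented AND the documented conclusion is low probability."""
        documented = all(self.findings.get(f) for f in FOUR_FACTORS)
        return not (documented and self.low_probability_of_compromise)


def discovery_date(known_on: dict, perpetrator: Optional[str] = None) -> date:
    """§ 164.404: the first day any workforce member or agent, other than the person
    committing the breach, knew (or with reasonable diligence would have known) of it."""
    return min(d for who, d in known_on.items() if who != perpetrator)


@dataclass
class LawEnforcementRequest:
    stated_on: date
    written: bool
    through: Optional[date] = None   # the requested period; required for a written request

    def hold_until(self) -> Optional[date]:
        if self.written:
            return self.through
        return self.stated_on + timedelta(days=ORAL_LE_HOLD_DAYS)


@dataclass
class Deadlines:
    individual_notice: date
    hhs_notice: date
    media_notice: Optional[date]
    law_enforcement_hold_until: Optional[date]


def notification_deadlines(discovery: date, individuals_affected: int,
                           max_residents_one_state: int,
                           le_request: Optional[LawEnforcementRequest] = None) -> Deadlines:
    deadline = discovery + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    hold = le_request.hold_until() if le_request else None
    if hold and hold > deadline:
        deadline = hold   # assumption: the hold moves the notice date to the end of the delay
    media = deadline if max_residents_one_state > MEDIA_THRESHOLD else None
    if individuals_affected >= HHS_IMMEDIATE_THRESHOLD:
        hhs = deadline
    else:
        hhs = date(discovery.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS)
    return Deadlines(deadline, hhs, media, hold)


def ba_report_due(ba_discovery: datetime, baa_hours: Optional[int] = None) -> datetime:
    """§ 164.410: 60 days by regulation, or the shorter window negotiated in the BAA."""
    regulatory = ba_discovery + timedelta(days=BA_REPORT_DAYS)
    if baa_hours is None:
        return regulatory
    return min(regulatory, ba_discovery + timedelta(hours=baa_hours))


if __name__ == "__main__":
    # Constructed scenario: a misdirected fax noticed by a scheduler on 2 March 2026,
    # and by the billing office a week later; discovery is the earlier date.
    found = discovery_date({"scheduler": date(2026, 3, 2), "billing": date(2026, 3, 9)})
    print(notification_deadlines(found, individuals_affected=40, max_residents_one_state=40))
    print(notification_deadlines(found, 1200, 700,
                                 LawEnforcementRequest(date(2026, 4, 20), written=False)))
    print(ba_report_due(datetime(2026, 3, 1, 9, 0), baa_hours=72))
```

The two `print` calls in the scenario show the contrast the rule draws: the 40-person breach needs individual notice by 1 May 2026 but only an annual-log filing to HHS by 1 March 2027, while the 1,200-person breach with 700 residents in one state needs individual, media, and HHS notice together, and an oral law-enforcement request on 20 April holds that until 20 May. `RiskAssessment.is_breach()` returns `True` for an empty assessment, which is the point of the § 164.402 presumption: the agency cannot reach "not a breach" without all four findings written down.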

The December 2024 Security Rule NPRM — What's Likely to Land

On December 27, 2024, OCR published a Notice of Proposed Rulemaking titled "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information," with the formal Federal Register publication on January 6, 2025. The comment period closed on March 7, 2025, and the rule remains in proposed form as of May 2026, with the regulated industry watching for a final rule under the current administration. The NPRM is the first comprehensive update to the Security Rule since the Omnibus Final Rule of 2013, and it changes the Security Rule's posture meaningfully.

The proposals an agency should plan against:

  • Eliminate the "addressable" implementation specification tier. Every implementation specification would become required, with limited exceptions. The most consequential effect is on encryption: encryption of ePHI at rest and in transit is "addressable" under the Security Rule as it stands in force today (May 2026), and the NPRM proposes to make it required.
  • Mandate multifactor authentication for access to systems containing ePHI, with limited exceptions for technical infeasibility documented in the policy manual.
  • Require an annual risk analysis with specified content — a written assessment that addresses the confidentiality, integrity, and availability of ePHI, the threats and vulnerabilities, the likelihood and impact of each threat, and the existing controls.
  • Require an asset inventory and a network map of the systems that create, receive, maintain, or transmit ePHI, updated at least annually.
  • Mandate vulnerability scanning at least every six months and penetration testing at least annually.
  • Require workforce member access reviews at least every twelve months.
  • Require audit log review at least monthly with documented procedures.
  • Specify backup and recovery time objectives with a maximum 72-hour recovery target for critical systems.
  • Strengthen the business-associate compliance verification — covered entities would be expected to obtain written verification from each business associate at least annually that the business associate has performed a risk analysis and is implementing the required Security Rule safeguards.
  • Establish a 60-day effective date and a 180-day compliance date from the final rule publication.

The NPRM represents a meaningful uplift in baseline security posture and most aggressively affects smaller agencies that have operated with the addressable-encryption and addressable-MFA flexibility. Agencies that have not already deployed encryption-at-rest, MFA on the EHR and email, an MDM-enforced device baseline, monthly audit-log review, and annual penetration testing should treat the NPRM as a planning document and begin closing the gaps now — even before a final rule. The proposals are aligned with what cyber insurers, large payer audit programs, and state attorneys general already expect, and most of them are operationally useful regardless of whether the rule is finalized in its current form.

OCR Enforcement Patterns and What They Predict

OCR publishes its resolution agreements and civil money penalty notices on the HHS website, and the patterns visible in the post-2019 enforcement record are informative for home health operators:

Risk analysis failures. The single most common finding in OCR enforcement actions is an absent, inadequate, or untested risk analysis under § 164.308(a)(1)(ii)(A). The Security Risk Analysis Initiative OCR launched in 2024 produced multiple settlements within its first six months in which the underlying violation was the absence of a current risk analysis at the time of the breach. A home health agency that cannot produce a written risk analysis dated within the last twelve months and signed by the security official is operating against the most-cited Security Rule failure mode in the OCR record.

Right-of-access failures. The HIPAA Right of Access Initiative has produced dozens of settlements since 2019 with covered entities — including a 2024 settlement with Concentra for $112,500 over a right-of-access violation — that failed to provide records within the 30-day window. Most of the settlements involve relatively small fines but uniformly impose a corrective action plan, an OCR-monitored two-year compliance period, and the reputational cost of a published resolution agreement.

Lost or stolen devices. Older settlements (the Lifespan Health System, Catholic Health Care Services, and Concentra Health Services cases) involved unencrypted laptops or thumb drives that were lost or stolen, with breach notifications spanning thousands to tens of thousands of individuals. The lesson — encryption-at-rest is the single largest controllable variable in device-loss exposure — has carried into every subsequent enforcement cycle, and an agency that does not encrypt agency-owned devices and enforce encrypted-container policies on BYOD devices is running a known-bad posture.

Business-associate misconfigurations. Several recent settlements have involved covered entities whose business associates exposed ePHI through cloud misconfiguration, default-credential failure, or unsecured API endpoints. The covered entity's exposure is twofold: the breach notification obligation runs through the covered entity, and OCR can investigate the covered entity's BAA execution and ongoing oversight independently of any action against the business associate.

Long-term and post-acute care providers. The 2024 OCR settlements with Cadia Healthcare Facilities (skilled nursing and rehabilitation in Delaware, $182,000 plus a two-year corrective action plan) and Deer Oaks (behavioral health serving long-term care residents, $225,000 plus a two-year CAP) signal that OCR is paying attention to the post-acute care market. A home health agency operating in the same regulatory neighborhood should expect the same standard of risk analysis, workforce training, and technical safeguards OCR is applying to the broader post-acute setting.

Home-health-specific OCR enforcement actions are less common in the published record than hospital and health-plan actions, partly because the breach-portal threshold of 500 individuals is harder for a single home health agency to cross. The implication is not that home health is unenforced — small breaches still trigger investigation, and the four-tier penalty framework still applies — but that OCR's most visible cases tend to involve larger entities. A home health operator who reads the published enforcement record and concludes "they are not coming for us" is misreading the signal.

P&P Manual Structure That Maps to HIPAA

The most efficient HIPAA section of an agency's policy and procedure manual is structured to mirror Subparts C, D, and E and to cross-reference each policy to the regulatory citation it implements. A workable section structure:

  • Section H1 — Privacy program governance. Designation of the privacy official and the security official, the workforce training program, the sanctions policy, the complaint process, the mitigation policy, the prohibition on retaliation. Maps to § 164.530.
  • Section H2 — Notice of privacy practices. The current notice, the workflow for distribution at first visit, the acknowledgment-of-receipt log, and the revision procedure. Maps to § 164.520.
  • Section H3 — Uses and disclosures. The TPO permission, the minimum-necessary policy, the authorization workflow for non-TPO disclosures, the involved-persons policy under § 164.510, and the public-interest exceptions under § 164.512 (including the abuse-and-neglect reporting permission). Maps to §§ 164.502, 164.506, 164.508, 164.510, 164.512.
  • Section H4 — Patient rights. The right of access workflow with the 30-day clock, the amendment workflow, the accounting-of-disclosures log, the request-for-restrictions process, and the confidential-communications process. Maps to §§ 164.522–164.528.
  • Section H5 — Risk analysis and risk management. The current annual risk analysis, the asset inventory, the threat-and-vulnerability register, the corrective action plan, and the remediation tracking log. Maps to § 164.308(a)(1).
  • Section H6 — Workforce security and access management. The role-based access matrix, the access-establishment procedure, the access-modification procedure, and the termination workflow. Maps to §§ 164.308(a)(3) and 164.308(a)(4).
  • Section H7 — Training and awareness. The new-hire HIPAA training, the annual refresher, the role-specific training for the security official and the privacy official, and the training records. Maps to § 164.308(a)(5) and § 164.530(b).
  • Section H8 — Security incident and breach response. The incident detection and response workflow, the four-factor risk assessment template, the breach notification packet, the OCR breach portal submission process, and the law-enforcement-delay procedure. Maps to § 164.308(a)(6) and Subpart D.
  • Section H9 — Contingency and disaster recovery. The data backup plan, the disaster recovery plan, the emergency mode operation plan, the testing and revision schedule, and the applications-and-data criticality analysis. Maps to § 164.308(a)(7).
  • Section H10 — Physical safeguards. The facility access control policy, the workstation use policy, the workstation security policy (with home-setting specialization), and the device-and-media-controls policy. Maps to § 164.310.
  • Section H11 — Technical safeguards. The access control configuration, the audit log review schedule, the integrity controls, the authentication policy (with the MFA standard), and the transmission security policy (with the encryption-in-transit standard). Maps to § 164.312.
  • Section H12 — BYOD and mobile device policy. The BYOD eligibility rules, the MDM enrollment requirement, the lost-device workflow, the secure messaging rules, the photograph and screenshot rules, and the personal-data-vs-agency-data separation. Maps to § 164.310 and § 164.312.
  • Section H13 — Business associate management. The BAA template, the vendor inventory, the procurement-time BAA check, the annual BA verification process, and the termination-of-BAA workflow. Maps to §§ 164.308(b), 164.314(a), 164.504(e).
  • Section H14 — Documentation and retention. The six-year retention rule, the policy-revision log, and the historical-version archive. Maps to § 164.316(b).
  • Section H15 — State law overlay. Where the agency operates in California, New York, Texas, or any other state with a more-stringent state privacy or medical-confidentiality regime, the state-specific overlay rules and the references to the state statutes. Maps to § 160.203 (preemption) plus state law.

The manual should pair every policy with the artifact that demonstrates it is operating. A § 164.308(a)(5) training policy is paired with the training roster, the curriculum, and the dated completion records. A § 164.308(a)(1) risk analysis policy is paired with the actual annual risk analysis document. A § 164.504(e) BAA policy is paired with the vendor inventory and the executed BAAs. OCR investigators ask for the artifact, not just the policy.

HIPAA, the CoPs, and the OASIS Confidentiality Rule

One source of confusion in home health compliance is the relationship between HIPAA, the CMS Conditions of Participation, and the OASIS-specific confidentiality rule at 42 CFR § 484.40. They run in parallel and reinforce each other rather than replace each other:

  • HIPAA is the federal floor for privacy and security of all PHI, regardless of payer. It applies to every covered entity HHA.
  • The CoPs at § 484.40 and § 484.50 impose CMS-specific obligations layered on top of HIPAA — most notably the prohibition on releasing patient-identifiable OASIS data and the patient rights notice content described in our CoP working guide.
  • State licensure rules can impose additional obligations — California's CMIA, New York's mental-health and HIV-specific provisions, Texas's medical-records statutes, Florida's patient-records confidentiality rules — that are not preempted to the extent they are more stringent than HIPAA.

An agency operating in multiple states reads the rules as a stack: federal HIPAA at the floor, federal CMS CoP layered on, and the most-stringent state rule for each state of operation on top. Most state surveyor and OCR investigator findings in the post-2018 record cite either the most stringent state rule or the HIPAA Standard with a state-rule cross-reference; the agency that satisfies HIPAA without auditing its state-rule overlay can still be found out of compliance.

Authoritative Sources

The primary regulatory and official sources every covered entity HHA should bookmark and revisit at least annually:

Verify the version of the rule current on the date you are writing or updating policy. eCFR is updated continuously as final rules take effect; OCR periodically issues guidance documents that interpret existing standards; and the December 2024 NPRM remains in proposed form, with the regulated industry watching for a final rule under the current administration.

The Bottom Line

HIPAA in home health is operationally different from HIPAA in a hospital setting because the workforce is mobile, the workstation is a phone, the facility is the patient's home, and the business-associate footprint extends across EVV vendors, telehealth platforms, scheduling tools, and billing services that hospitals manage at a different scale. The substantive rules — the Privacy Rule's TPO permission and minimum-necessary standard, the Security Rule's three-safeguard framework, the § 164.504(e) BAA elements, and the 60-day breach notification clock — are the same. The application is what differs.

Operators who succeed at HIPAA in this setting treat the risk analysis as a living document and refresh it at least annually, encrypt every device and every transmission rather than relying on the addressable-encryption flexibility, run a defensible BYOD program with MDM and a containerized agency app, document the involved-persons list at admission for every patient to honor § 164.510, audit the business-associate inventory at procurement and at least annually, retain six years of policy versions, and rehearse the breach-response workflow before an actual incident triggers the 60-day clock. Operators who stumble are usually the ones who treated HIPAA as a training video they show new hires, who have no current risk analysis, who rely on the addressable-encryption flexibility for a device fleet that crosses state lines and household boundaries, or who discover at OCR investigation that the BAA inventory is partial and the workforce-termination workflow has gaps.

If you want a structured way to assess your HIPAA program against the same logic an OCR investigator or an internal auditor would use, start with our compliance readiness assessment. It walks the same Privacy Rule and Security Rule Standards an investigator would, scores your gaps, and produces an action list ordered by exposure. For the federal CoP layer that overlays HIPAA, the 42 CFR Part 484 working guide describes the survey instrument that pairs with the HIPAA program; for the OASIS-specific confidentiality rule at § 484.40 and the iQIES submission process, see the OASIS-E documentation guide; and for the state-specific overlays, the California CDPH, New York Article 36, Texas HCSSA, Florida Rule 59A-8, Ohio ODH, and Pennsylvania Chapter 601 deep dives describe the most-stringent state rules that sit on top of the federal floor.