HIPAA in Home Health & Hospice: Understanding Basics & Privacy Rules
April 16th, 2025
5 min read
By Abigail Karl

How do you keep your home health or hospice agency compliant with HIPAA—without drowning in legal jargon or fear of penalties? What are the exact steps you need to take to protect patient privacy in home-based care settings, where the risks often feel higher?
HIPAA compliance can feel overwhelming, especially when care is happening in patients' homes, not a facility. At the Home Health Consultant, we specialize in guiding home health and hospice agencies through establishing a framework for ongoing compliance. This includes everything from HIPAA to infection control plans and beyond.
In this guide, we’ll break down the most important HIPAA rules every home health and hospice provider must follow. By the end of this article, you’ll know:
- what counts as a HIPAA violation
- how to handle family & caregiver disclosures
- how to protect patient information on mobile devices
- how to respond to a HIPAA breach
By the end, you’ll know how to protect your patients and your reputation from HIPAA violations.
What Is HIPAA and How Can It Be Challenging for Home Health and Hospice Agencies?
HIPAA is a federal law that protects patient health information. It applies to all healthcare providers. This includes home health and hospice agencies. You handle sensitive patient data, so you must follow HIPAA’s rules.
Home-based care presents unique privacy challenges. Your staff works in patient homes and on the road. They are not in a controlled facility environment. That means there is more risk of accidental disclosures. Information can be lost or exposed if you’re not careful.
Protecting patient privacy isn’t just a legal obligation. It is essential to maintaining trust. Families entrust you with intimate health details. A privacy breach can shatter that trust. If you break a patient’s or their family’s trust, you lose a client and the potential referrals that a good review could have brought you.
HIPAA violations can also result in hefty fines. According to the U.S. Department of Health & Human Services (HHS), a hospice in Idaho paid a $50,000 fine. What caused the HIPAA violation? A single stolen laptop. No one wants their agency to be the next breach headline.
What Is the HIPAA Privacy Rule and How Does It Apply in Home Health and Hospice?
Under the HIPAA Privacy Rule, some disclosures are allowed without written consent. You can share information for treatment, payment, and health care operations. For example, you can discuss a patient’s case with their doctor or send records for billing without special permission. You may also disclose protected health information (PHI) when required by law. This could be to report suspected abuse or neglect.
In all other cases, you must get the patient's permission first. In many situations, that means having the patient sign a written authorization form. A patient can also request that you not share certain information or not share with specific people. You must respect those wishes.
What Are the HIPAA Rules About Family and Caregiver Disclosures?
Often, family members are involved in a patient’s care. Under HIPAA, you may discuss a patient's information with family members involved in their care if the patient agrees or does not object.
If the patient is present and capable, ask their permission before sharing information in front of others. If the patient is incapacitated or not around, you can use your professional judgment. HIPAA allows sharing with family if it is in the patient’s best interest. That doesn’t mean every family member. If the patient is unable to express a preference but there is a primary caregiver, consider the caregiver’s preferences for sharing as well.
However, if a patient previously said not to share information with certain people, you must honor that choice. Even after a patient has passed away, their privacy wishes still apply. For example, you might talk to a deceased patient’s family about billing. But you cannot share medical details if the patient had asked you not to.
Another crucial point: never share patient information with unauthorized people. You cannot talk about patients with your own friends or on social media. HIPAA strictly forbids revealing any patient-identifiable information without authorization.
How Should Home Health & Hospice Agencies Protect Patient Info on Mobile Devices?
Privacy is about who can know patient information. The Security Rule is about how you protect that information. The HIPAA Security Rule requires safeguarding all electronic protected health information (ePHI). It covers any patient information stored or sent electronically.
This means ensuring the confidentiality, integrity, and availability of patient data. In practical terms, you must take steps to prevent unauthorized access. You also need to protect against loss or theft of patient data.
For home care teams, much of security is about mobile devices and remote work. Your team might use laptops, tablets, or smartphones to access records or communicate. These devices must be secured to prevent a data breach.
For more actionable steps you can take to remain HIPAA compliant on mobile devices and more, read the next article in our HIPAA series by clicking below.
What Should You Do If There’s a HIPAA Breach in Your Agency?
Despite your best efforts, mistakes or accidents can happen. A nurse might lose a tablet. Or an email with PHI might go to the wrong person. If something goes wrong, act quickly. You must notify affected patients and federal authorities when PHI is exposed (a “breach”). Under HIPAA’s Breach Notification Rule, this is mandatory.
For large breaches (involving 500 or more people), you must alert HHS within 60 days. Smaller breaches must still be documented and eventually reported to HHS (usually in an annual report). In all cases, you also must inform the impacted patients promptly (typically within 60 days of discovering the breach).
When a breach happens, focus on immediately containing the issue. For example, if an email goes to the wrong person, contact them right away. Ask them to delete it immediately. If a laptop is lost, remotely wipe it if possible. Then follow your breach response plan: notify the right parties and document everything you did.
After a breach, run it through your QAPI (Quality Assurance and Performance Improvement) process. Analyze what went wrong and fix the underlying issue. Look for and identify other vulnerable records and quickly secure them. Conduct and document a HIPAA orientation or in-service with all staff, especially anyone involved in the breach. Update your policies or training if needed to prevent it from happening again. Surveyors will want to know what you’ve done to address the problem.
We already mentioned a small hospice being fined $50k for a minor breach. Large health systems have faced fines in the millions. For a small agency, even a modest fine and the cost of cleanup can be devastating.
For what it's worth, showing you had proper safeguards and responded quickly can reduce penalties. Regulators often consider whether you took HIPAA seriously or ignored it. The bottom line: preventing breaches is far better than dealing with them after the fact. That’s why all the above steps, from training to secure tech, matter so much.
HIPAA isn’t just about checking a legal box. It’s about protecting the trust that patients and families place in your care.
Why Understanding HIPAA Basics is Essential for Every Home Health & Hospice Agency
With home health and hospice settings presenting unique privacy challenges, it’s essential to understand the core rules of HIPAA and how they apply to everyday scenarios.
By getting these basics right, especially around the Privacy Rule and mobile device safeguards, you lay the groundwork for strong, consistent compliance. But it’s not enough to just know the basics.
Ready to take the next step? In the second part of this series, we walk you through the actionable steps, staff training strategies, and BAA rules that keep your agency HIPAA-compliant in practice—not just on paper.
'HIPAA Compliance in Home Health & Hospice: Practical Steps, Staff Training, and BAAs' (Publishing on 4/18)
*This article was written in consultation with Mariam Treystman.
*Disclaimer: The content provided in this article is not intended to be, nor should it be construed as, legal, financial, or professional advice. No consultant-client relationship is established by engaging with this content. You should seek the advice of a qualified attorney, financial advisor, or other professional regarding any legal or business matters. The consultant assumes no liability for any actions taken based on the information provided.