Non-medical home care agencies don’t provide clinical treatment, but they handle deeply personal information about their clients. A caregiver knows where a client lives, their medical history, their family situation, what medications they take, and how they spend their day. That information is Protected Health Information under HIPAA (the federal Health Insurance Portability and Accountability Act) whenever your agency is a covered entity (for example, because it bills Medicaid or insurers electronically) or a business associate of one (for example, because it provides services under contract to a home health agency or hospice), and HIPAA home care compliance applies regardless of whether your agency provides nursing care. Even a purely private-pay agency that falls outside HIPAA is usually bound by state privacy laws and by its clients’ expectations, so the same safeguards apply.
Many non-medical home care providers believe HIPAA doesn’t apply to them because they’re not hospitals or doctor’s offices. That’s a costly misunderstanding. HIPAA applies to covered entities and to every business associate that creates, receives, maintains, or transmits Protected Health Information (PHI) on their behalf, and a non-medical agency that bills Medicaid or works under contract to a covered entity falls into one of those two groups. (Your own staff’s employment records, such as payroll and background checks, are not PHI; HIPAA is about client information.) Non-compliance can result in civil penalties that reach $1.5 million per violation category per year (the caps are adjusted for inflation), plus state audits and loss of Medicaid provider status. More importantly, breaches damage your reputation and your clients’ trust. The good news is that HIPAA compliance is achievable for non-medical home care agencies. It requires clear policies, staff training, secure systems, and ongoing attention.
Establish Written Policies and Business Associate Agreements
Your first step is creating written HIPAA policies specific to your agency. These policies should cover how PHI is collected, stored, accessed, used, and disposed of. They should specify who has access to client information and under what circumstances. They should outline what happens if a staff member violates the policy.
A sample policy might read: “Client information including names, addresses, medical history, and care notes will be stored only in secure, password-protected systems. Staff will access only the information necessary for their job. Any loss or unauthorized access must be reported to the HIPAA Officer within 24 hours.”
If an external vendor creates, receives, maintains, or transmits PHI on your behalf, that vendor is a Business Associate under HIPAA: a scheduling or care management software provider, an electronic visit verification (EVV) vendor, a billing service, a cloud backup provider. (A payroll company or background check service that only handles staff employment records is generally not one, because employment records are not PHI.) You must have a written Business Associate Agreement (BAA) with each one before any client data reaches it. The BAA specifies how the vendor will protect PHI, what they can do with it, how they will report a breach to you, and what happens to the data when the contract ends. Many vendors offer a standard BAA, sometimes only on certain plan tiers, but you’re responsible for ensuring a signed copy exists for every vendor that holds client data and that it is up to date.
Control Who Accesses Client Information
Access control means limiting who sees client information and under what circumstances. A caregiver needs to know their assigned client’s care plan and medical history. The scheduler needs to know which clients are assigned to which caregivers and on what dates. But a caregiver working with one client shouldn’t have access to another client’s file. A receptionist doesn’t need to see clinical notes.
Many agencies still keep paper records in filing cabinets or share digital folders where everyone has access to everything. This creates unnecessary risk. Instead, set up your systems so staff can access only what they need for their role (HIPAA calls this the minimum necessary standard). If you use software with role-based access controls, grant access by role and by assignment: caregivers see only the clients on their own schedule, supervisors see their team’s clients, billing staff see only the fields needed for invoicing, and so on. Role alone is not enough; a caregiver role that can open every client file is the shared folder problem in a different form.
Document who has access to what, and keep that list current as assignments change. If there’s a breach, you’ll need to know which staff members could have accessed the compromised information, and an access log showing who actually opened it narrows that list further. Regulators will ask for this documentation.
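The access model described above (role plus assignment, minimum-necessary fields, and a log that can later answer “who could have accessed this file?”) is small enough to show in working code. The following is an added example written for this article; it is not ShiftCare’s code or any product’s API, and the roles, field names, staff and client below are constructed for illustration. It also covers the audit-trail point made later on the page: every attempt, allowed or denied, is logged against the individual user.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Added example (not from any product): the fields each role may read,
# i.e. the "minimum necessary" for that job. Role names are assumptions.
FIELDS_BY_ROLE = {
    "caregiver":  {"name", "address", "care_plan", "medications", "care_notes"},
    "supervisor": {"name", "address", "care_plan", "medications", "care_notes"},
    "scheduler":  {"name", "address", "assigned_caregivers"},
    "billing":    {"name", "address", "service_hours"},
}

@dataclass
class User:
    user_id: str
    role: str
    team: Optional[str] = None   # caregivers and supervisors belong to a team
    active: bool = True          # set False on departure: access ends at once

@dataclass
class ClientRecord:
    client_id: str
    team: str                    # team that serves this client
    assigned_caregivers: set     # user_ids of caregivers on this client's schedule
    data: dict                   # the record's fields

@dataclass
class AccessEvent:
    when: str
    user_id: str
    client_id: str
    fields: frozenset
    allowed: bool
    reason: str

ACCESS_LOG = []   # every attempt, allowed or denied; append-only in a real system

def in_scope(user, rec):
    """Role plus assignment decides whether this user may touch this client at all."""
    if not user.active:
        return False, "account deactivated"
    if user.role == "caregiver":
        if user.user_id in rec.assigned_caregivers:
            return True, ""
        return False, "caregiver is not assigned to this client"
    if user.role == "supervisor":
        if user.team == rec.team:
            return True, ""
        return False, "client is outside the supervisor's team"
    if user.role in ("scheduler", "billing"):
        return True, ""            # agency-wide scope, but field-limited below
    return False, "unknown role %r" % user.role

def read_record(user, rec, fields):
    """Return only the requested fields the user may see; raise PermissionError
    otherwise. The attempt is logged either way, against the individual user."""
    fields = set(fields)
    ok, reason = in_scope(user, rec)
    if ok:
        extra = fields - FIELDS_BY_ROLE[user.role]
        if extra:
            ok, reason = False, "fields not permitted for role %s: %s" % (user.role, sorted(extra))
    ACCESS_LOG.append(AccessEvent(datetime.now(timezone.utc).isoformat(), user.user_id,
                                  rec.client_id, frozenset(fields), ok, reason))
    if not ok:
        raise PermissionError(reason)
    return {f: rec.data[f] for f in fields}

def access_allowed(user, rec, fields):
    """True if read_record would succeed; still logs the attempt."""
    try:
        read_record(user, rec, fields)
        return True
    except PermissionError:
        return False

def who_could_access(rec, users):
    """The question a regulator asks after a breach: which staff could read this file?"""
    return {u.user_id for u in users if in_scope(u, rec)[0]}

def denied_attempts(client_id):
    """Denied attempts on one client, for the periodic internal audit."""
    return [e for e in ACCESS_LOG if e.client_id == client_id and not e.allowed]

# Constructed sample data (not real people or clients).
SAMPLE_USERS = [
    User("ana", "caregiver", team="north"),
    User("ben", "caregiver", team="north"),                 # same team, not assigned
    User("cara", "supervisor", team="north"),
    User("dev", "supervisor", team="south"),
    User("eli", "billing"),
    User("fay", "caregiver", team="north", active=False),   # left the agency, still on the schedule
]
SAMPLE_CLIENT = ClientRecord("c-101", "north", {"ana", "fay"}, {
    "name": "J. Doe", "address": "12 Example St", "care_plan": "...",
    "medications": "...", "care_notes": "...", "service_hours": 12.5,
    "assigned_caregivers": ["ana", "fay"],
})

if __name__ == "__main__":
    print(read_record(SAMPLE_USERS[0], SAMPLE_CLIENT, ["care_plan"]))
    print(access_allowed(SAMPLE_USERS[1], SAMPLE_CLIENT, ["care_plan"]))
    print(sorted(who_could_access(SAMPLE_CLIENT, SAMPLE_USERS)))
```

Two design points matter more than the details. First, deactivation is checked before anything else, so a departed caregiver who is still listed on a client’s schedule gets nothing; revoking the account is enough, you do not have to hunt down every assignment. Second, the log is written whether the request succeeds or fails, so the audit described later on this page can ask both “who opened this file?” and “who tried to?”.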
Require HIPAA Training for All Staff

Every employee should complete HIPAA training. This isn’t a one-time event. New hires need it before they access any client information. Existing staff should have refresher training at least annually. The training should cover what PHI is, how your agency protects it, what staff should do if they see suspicious activity, and what to do if they accidentally breach confidentiality.
Make the training concrete and scenario-based. Instead of abstract rules, give examples: “If a client’s family member calls and asks for their mother’s care notes, what do you do?” The answer is: you don’t give information to anyone unless the client has explicitly authorized them. You verify their identity and check your client authorization list. If they’re not listed, you politely decline and offer to take a message for the client.
Protect Client Information in Physical and Digital Spaces
Paper records pose a real risk. A file left on a desk, a clipboard in the back of a caregiver’s car, a care plan printed and forgotten at a client’s house — all of these are potential breaches. Minimize paper records where possible. When you do keep paper, store it in a locked cabinet with limited access. Dispose of paper securely using a shredder or a secure destruction service.
Digital records need equally strong protection. Use systems that encrypt data at rest and in transit, and give every person their own login, with multi-factor authentication where the system supports it. Never share passwords or use one generic login for a whole team; a shared login makes the access log worthless, because it cannot say who did what. If a staff member leaves, deactivate their access the same day. Don’t leave sensitive documents open on screens where clients or visitors can see them. If staff work remotely or use electronic visit verification (EVV) apps, the phone or laptop should be locked with a passcode, kept updated, and enrolled so it can be wiped remotely if lost; client information should stay inside the agency’s HIPAA-compliant applications rather than in personal notes, photos, or downloads, and staff should avoid open public Wi-Fi or use a VPN when they have no other option.
Text messages and email are common vulnerabilities in home care. A caregiver texts a supervisor saying “Client had a fall and is bleeding, calling 911.” That text contains PHI: it ties an identifiable client to a health event, and ordinary SMS is not encrypted, sits on personal phones, and is copied wherever those phones are backed up. Instead, caregivers should use secure, HIPAA-compliant messaging within your software system, or call directly rather than texting. If an urgent message must go by text, keep it free of names and health details (“Please call me about the 2 pm visit”) and record the facts in the system afterwards.
Create a Breach Response and Notification Plan
Despite your best efforts, a breach might happen. Your response matters. You need a documented breach response plan that specifies what to do immediately, how to notify affected clients, and how to report to regulators.
If there’s a breach, act fast. Immediately contain it: secure the information that was exposed, revoke the credentials or access path involved, and preserve the logs that show what happened rather than deleting them. If a staff member accessed client records without authorization, disable their access and investigate. If there’s been a data breach due to a security flaw, document the timeline, how it was discovered, and exactly which clients and data elements were exposed. HIPAA presumes that an impermissible use or disclosure is a reportable breach unless a documented risk assessment (covering what was exposed, who received it, whether it was actually viewed, and how far the risk has been mitigated) shows a low probability that the PHI was compromised; keep that assessment with the incident record.
You must notify affected clients without unreasonable delay and no later than 60 days after discovery of the breach. The notification should explain what happened, what information was involved, what steps you’re taking to address it, and what clients should do to protect themselves. Breaches affecting 500 or more people must also be reported to the U.S. Department of Health and Human Services within that same 60-day window, and if more than 500 residents of one state or jurisdiction are affected you must notify prominent media outlets serving that area. Smaller breaches are not exempt: log them and report them to HHS within 60 days after the end of the calendar year in which they were discovered. If your agency is acting as a business associate, you must also notify the covered entity you serve without unreasonable delay and within 60 days, and the BAA may require a shorter deadline.
Maintain Records and Audit Your HIPAA Home Care Compliance
HIPAA requires you to maintain records of staff training, access logs, breach notifications, risk assessments, and policy updates. Keep policies, procedures, and the records of actions taken under them for at least six years from the date they were created or last in effect. Some agencies use a dedicated HIPAA Officer or Compliance Coordinator to oversee this documentation. Software with built-in audit trails makes this simpler by automatically logging who accessed what and when; make sure those logs record the individual user, not a shared account, and cannot be edited by the people they track.
Periodically audit your compliance. Are caregivers still texting sensitive information? Are files being locked properly? Has there been staff turnover without access being revoked? Are Business Associate Agreements current? Pull a sample of access log entries and check that each read was by someone actually assigned to that client. This doesn’t require a formal outside audit every year, but regular internal check-ins catch problems before they become violations.
Protect Your Clients’ Privacy and Your Agency’s Reputation
HIPAA compliance isn’t about checking boxes. It protects your clients’ privacy and your agency’s reputation. Clients trust you with intimate details of their lives. That trust is earned through real protection, not just policies. When a breach happens, the damage goes far beyond fines. Clients leave. Referrals dry up. Your best staff question whether they want to work there. The cost of rebuilding is much higher than the cost of getting it right upfront.
Non-medical home care agencies can achieve strong HIPAA compliance with clear policies, trained staff, secure systems, and ongoing attention. ShiftCare’s HIPAA-compliant care management platform includes role-based access controls, secure messaging, encrypted data storage, and built-in audit trails. Start your free trial today. See how ShiftCare helps you maintain HIPAA compliance while reducing administrative burden.
