HIPAA for Home Health Aides

Home health aides document PHI in patient homes, carry mobile devices between visits, and work in environments where family members can overhear. This guide covers role-specific HIPAA obligations and physical safeguards under 45 CFR § 164.310.

Short answer

A field-oriented HIPAA reference for home health aides. Covers PHI handling inside a patient's home, mobile device controls, family-member overhearing, transport of paper records, and the physical safeguards required under 45 CFR § 164.310 when the workplace is not a clinic.

Home health aides do something almost no other healthcare worker does: they create, read, and transport PHI inside a private residence and between residences in their own vehicle. The Privacy and Security Rules still apply in full. This guide explains how the rules translate from the clinic to the home setting.

What home health aides need to know about HIPAA

Training under 45 CFR § 164.530(b). Home health aides are workforce members of the home health agency. The agency must train every aide on its privacy policies and procedures as appropriate for the role, document the training, and retain that documentation for six years.

Physical safeguards under 45 CFR § 164.310. The Security Rule’s physical safeguards - facility access controls, workstation use, workstation security, and device and media controls - apply wherever ePHI lives. In home health, that includes the patient’s home, the aide’s vehicle, and any device on which care notes are recorded.

Permitted disclosures to family under 45 CFR § 164.510(b). A family member in the home is not automatically an authorized recipient. Disclosure is permitted only when the patient agrees, has been given the opportunity to object and has not objected, or the aide can reasonably infer the patient does not object - and only for information directly relevant to that family member’s involvement in care.

PHI home health aides commonly encounter

The data an aide touches across a single shift typically includes:

  • Care plans and visit notes documented on an agency tablet or paper form.
  • Medication lists, blood pressure logs, glucose readings, and weight measurements.
  • Wound photos taken with an agency-issued device.
  • Patient demographic data on the routing app or schedule.
  • Diagnosis information shared during handoff with a nurse or therapist.
  • Insurance and Medicare/Medicaid identifiers on intake paperwork.
  • Voicemail or text from the agency referencing patients by name or address.

Each of these items, in any form that links back to a patient, is PHI under 45 CFR § 164.514 and must be safeguarded accordingly.

High-risk situations for home health aides

Other family members overhearing. Care discussions in the kitchen, living room, or shared bedroom often happen with adult children, spouses, or roommates within earshot. Unless the patient has agreed, do not discuss diagnosis, mental health status, or medication changes in front of others. Move to a private area or wait until the family member steps out.

Lost or stolen mobile devices. A tablet left in a passenger seat is one of the most common breach scenarios in home health. Every agency-issued device must be encrypted, lockable, and remote-wipeable, and it must be reported the moment it is unaccounted for. The aide’s responsibility is to report the loss promptly so the privacy officer can run the breach risk assessment required by the Breach Notification Rule.

Paper charts in the vehicle. A binder of visit notes left visible on a car seat, or a folder that slides out when a door is opened, is a physical safeguard failure under 45 CFR § 164.310(d). Paper PHI in transit should be in a closed, opaque container, kept out of sight, and never left in an unattended vehicle longer than necessary.

Personal phones used for caregiver communication. Texting another aide “I’m running late to Mrs. so-and-so” from a personal phone puts PHI on an unsanctioned device, in an unsanctioned messaging app, with no audit trail. Use only agency-approved communication tools - and never personal email - for anything that identifies a patient.

HIPAA compliance checklist for home health aides

  1. Carry only the agency-issued device for documentation; lock the screen any time you step away, even inside the patient’s home.
  2. Before discussing diagnosis, mental health, or medications in front of a family member, confirm the patient has not objected to that family member’s involvement under 45 CFR § 164.510(b).
  3. Transport paper notes in a closed, opaque folder; never leave PHI visible in a vehicle, and never leave PHI in an unattended vehicle overnight.
  4. Use only agency-approved messaging or email for caregiver-to-caregiver communication; never copy patient information to personal phone, email, or cloud storage.
  5. Report lost or stolen devices, lost paper records, and any suspected unauthorized disclosure to your supervisor the same day so the agency can run the required breach risk assessment.

Training documentation requirements

Under 45 CFR § 164.530(b)(1), the agency must train each home health aide on the policies and procedures with respect to PHI as necessary and appropriate for the aide’s function. Training must be provided to new aides within a reasonable period of starting, when policies or procedures materially change, and on a periodic basis thereafter.

The agency must document that training was provided and retain the documentation for six years from the date of creation or last effective date, whichever is later, under 45 CFR § 164.530(j). For field staff, training records should also note any device-issuance acknowledgment, mobile device policy receipt, and signed acceptable-use form.

For a structured view of training across roles, see the annual HIPAA training requirements guide and the workforce training hub.

FAQ

Questions related to this topic

Can I share care updates with the patient's spouse who lives in the home?

Only if the patient has not objected and the disclosure is directly relevant to the spouse's involvement in care, under 45 CFR § 164.510(b). Living in the same home does not automatically authorize a family member to receive PHI.

Is my agency-issued tablet covered by HIPAA physical safeguards?

Yes. 45 CFR § 164.310(d)(1) requires policies for the receipt and removal of hardware and electronic media containing ePHI, including agency-issued mobile devices used in the field.

What if I lose paper care notes between visits?

Report the loss immediately to your supervisor. Lost paper PHI triggers the agency's breach risk assessment under the Breach Notification Rule and may require notification to the patient and HHS.
