HIPAA compliance for home health agencies: mobile workforce, devices, and ePHI

Home health agencies face HIPAA obligations across a distributed, mobile workforce with unique ePHI exposure points. Here is what the Privacy Rule, Security Rule, and device management requirements mean for an agency with field staff.

By CoreFolio

Home health agencies carry the full weight of HIPAA compliance with a workforce that is never in one place. Field nurses, physical therapists, home health aides, and occupational therapists move through dozens of patient homes each week, carrying devices containing protected health information (PHI) into environments entirely outside the agency’s physical control.

The HIPAA Security Rule was designed primarily with office environments in mind. Applying it to a mobile workforce requires deliberate attention to the areas where standard office-based compliance assumptions break down.

Covered entity status

A home health agency that provides nursing, therapy, or aide services and bills Medicare, Medicaid, or private insurance electronically is a covered entity under 45 CFR § 160.103. The Privacy Rule, Security Rule, and Breach Notification Rule all apply in full.


The mobile device problem

The Security Rule’s physical safeguard requirements (45 CFR § 164.310) extend to every device that accesses ePHI — wherever that device is located. For home health agencies, the relevant devices include:

  • Agency-issued tablets or laptops used for clinical documentation
  • Agency-issued phones used for scheduling and patient communication
  • Personal phones used by field staff if the agency permits BYOD access to any ePHI system (EHR, scheduling platform, secure messaging)
  • Portable medical devices that store patient data if connected to agency networks

Required device controls for any device accessing ePHI:

Encryption at rest (addressable, but effectively required): All devices must have full-disk encryption enabled. On iOS devices this is enabled by default once a passcode is set; on Android devices it must be explicitly enabled in settings; Windows laptops need BitLocker or an equivalent, and Mac laptops need FileVault. Unencrypted devices carrying ePHI are one of the most reliably penalized HIPAA violations: the loss of an unencrypted laptop is automatically a reportable breach regardless of whether the data was accessed.

Multi-factor authentication (MFA) for EHR and ePHI system access: Under the current Security Rule, MFA is addressable. Given that field staff access EHR systems from home networks, patient home networks, and mobile data connections — environments the agency does not control — MFA is nearly always the only reasonable and appropriate authentication safeguard. The 2026 NPRM proposes making MFA required.

Remote wipe capability: Agencies must be able to remotely wipe any device containing ePHI if it is lost or stolen. For agency-owned devices, this requires a mobile device management (MDM) solution. For BYOD devices, the MDM or containerization solution must provide remote wipe of the business container without wiping the employee’s personal data.

Automatic session timeout: EHR and ePHI applications on field devices must be configured to terminate sessions after inactivity — a device left at a patient’s home or in a vehicle should not display ePHI to anyone who picks it up.

Physical security of devices: Field staff must be trained not to leave devices unattended in vehicles (even locked), in public spaces, or visible in home environments with multiple occupants. The agency’s workstation security policy (45 CFR § 164.310(c)) must address these scenarios.


Bring-your-own-device (BYOD) policy

Many small home health agencies allow field staff to use personal smartphones for scheduling, communication, and EHR access because issuing devices to every field employee is expensive. BYOD is not prohibited by HIPAA, but it requires a formal policy with specific controls.

A BYOD policy for home health must address:

  • Which personal devices are permitted to access agency ePHI systems (minimum OS version, encryption requirement, screen lock requirement)
  • What agency software is required to be installed (MDM agent, secure messaging app, EHR app)
  • What the agency can and cannot do to the personal device (a limit on what the agency may read: the MDM should manage only the business container, not personal data)
  • Remote wipe scope — what happens to personal data in the event of a security incident (a well-designed BYOD MDM wipes only the business container)
  • Prohibition on standard SMS, WhatsApp, and consumer email for ePHI communication
  • Requirement that the device be reported lost or stolen immediately

The BYOD policy must be in writing, distributed to all field staff, and signed. Training on the policy must be documented.


Communication safeguards for field staff

Field staff communication creates persistent compliance risk because the informal communication habits of a mobile workforce are difficult to govern:

Common violations:

  • Texting a colleague or supervisor a patient’s name and condition via standard SMS to coordinate care
  • Photographing a patient’s wound or medication list on a personal phone and sending via iMessage or WhatsApp
  • Emailing clinical notes from a personal Gmail account to the office EHR
  • Discussing patient cases on social media or via consumer messaging apps

Required safeguards:

  • A secure messaging platform with a BAA for all clinical communication (patient status, coordination, care notes)
  • Prohibition on consumer apps for any communication involving PHI
  • A clear, written policy specifying approved channels
  • Training with documentation that all field staff have completed it
  • A sanction policy for violations

Risk analysis in a home health context

The risk analysis (45 CFR § 164.308(a)(1)(ii)(A)) for a home health agency must account for the mobile context:

Network environments. Field staff connect from patient home Wi-Fi networks, mobile data connections, and occasionally public Wi-Fi. Each environment has different security characteristics. The risk analysis must address the risk that ePHI transmitted from these environments could be intercepted or exposed.

Device inventory. All devices accessing ePHI — agency-owned and BYOD — must be inventoried, and their encryption and configuration status must be verified. The 2026 NPRM proposes a formal technology asset inventory requirement; current best practice is to maintain one now.
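As an added example (not the article's or any vendor's code), here is a small inventory audit that checks each device record against the controls listed in the mobile device section above (encryption at rest, MFA, MDM enrollment, remote wipe scoped to the business container for BYOD, automatic logoff) and applies the article's rule of thumb for whether a lost device creates a reportable breach. The device records, the 15-minute idle limit and the field names are constructed assumptions, not values from the article.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical agency policy value (an assumption, not from the article).
MAX_IDLE_MINUTES = 15      # longest acceptable automatic-logoff interval

@dataclass
class Device:
    device_id: str
    user: str
    ownership: str            # "agency" or "byod"
    encrypted_at_rest: bool   # FileVault / BitLocker / platform encryption on
    mfa_enforced: bool        # MFA required for the EHR and other ePHI apps
    mdm_enrolled: bool
    remote_wipe: str          # "full", "container" (BYOD business container) or "none"
    session_timeout_min: int  # 0 means no automatic logoff configured

def audit_device(d: Device) -> list[str]:
    """Return the controls this device fails (empty list means compliant)."""
    findings = []
    if not d.encrypted_at_rest:
        findings.append("no encryption at rest")
    if not d.mfa_enforced:
        findings.append("MFA not enforced for ePHI access")
    if not d.mdm_enrolled:
        findings.append("not enrolled in MDM")
    if d.remote_wipe == "none":
        findings.append("no remote wipe capability")
    elif d.ownership == "byod" and d.remote_wipe != "container":
        findings.append("BYOD wipe not scoped to the business container")
    if not 0 < d.session_timeout_min <= MAX_IDLE_MINUTES:
        findings.append(f"automatic logoff missing or longer than {MAX_IDLE_MINUTES} min")
    return findings

def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map device_id -> findings for every non-compliant device in the inventory."""
    return {d.device_id: f for d in devices if (f := audit_device(d))}

def lost_device_reportable(d: Device) -> bool:
    """The article's rule of thumb: a lost device that is encrypted and remotely
    wipeable does not create a reportable breach; an unencrypted one does."""
    return not (d.encrypted_at_rest and d.remote_wipe != "none")

# Constructed sample inventory for demonstration (not real devices or staff).
INVENTORY = [
    Device("TAB-001", "RN Alvarez", "agency", True, True, True, "full", 10),
    Device("PHONE-BYOD-07", "PT Chen", "byod", True, True, True, "full", 15),
    Device("LAPTOP-014", "OT Okafor", "agency", False, True, False, "none", 0),
]
```

Running `audit_inventory(INVENTORY)` flags the BYOD phone (full-device wipe instead of a container wipe) and the unencrypted, unmanaged laptop, while the agency tablet passes; `lost_device_reportable` returns True only for the laptop.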

Third-party data sharing. Home health agencies often share clinical data with referring physicians, hospital discharge teams, managed care organizations, and state health departments. Each exchange must be analyzed for PHI exposure risk and covered by appropriate safeguards and BAAs.

Staff turnover. Home health agencies often have high field staff turnover. The risk analysis must address whether access revocation procedures are consistently executed when field employees leave — including recovery of agency devices and revocation of all EHR and email credentials.


Key business associate relationships

Home health agencies frequently have business associates that are overlooked:

  • Electronic Visit Verification (EVV) systems — required for Medicaid home health services in most states; these platforms handle patient visit data and require BAAs
  • Remote patient monitoring platforms — if the agency uses RPM devices that transmit vital sign or other clinical data, the platform provider is a business associate
  • Referral management platforms — platforms that receive patient referral data from hospitals or physicians
  • Payroll and scheduling platforms — if the scheduling platform handles patient assignments that include diagnosis or clinical information, a BAA may be required

OCR enforcement in the home health sector

OCR has brought enforcement actions against home health agencies for both Security Rule failures (unencrypted devices, missing risk analyses) and Privacy Rule violations (disclosure of patient information without authorization). The distributed workforce model creates exposure that office-based practices do not face — every field employee is a potential breach point, and the agency is responsible for each of them.

The single most protective action a home health agency can take is to ensure that every device accessing ePHI is encrypted and enrolled in a mobile device management solution with remote wipe capability. An encrypted, remotely wipeable device does not create a reportable breach when it is lost.


Sources: 45 CFR § 160.103 (covered entity definition); 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(3)(ii)(C) (termination procedures); 45 CFR § 164.310(b) and (c) (workstation use and security); 45 CFR § 164.312(a)(2)(ii) (automatic logoff); 45 CFR § 164.402 (four-factor risk assessment); 90 Fed. Reg. 898 (HIPAA Security Rule NPRM, January 6, 2025); CMS Electronic Visit Verification requirements. Last verified May 20, 2026.