Your aides document visits on tablets in patients' living rooms. HIPAA follows them there
Visit notes on a phone, care plan updates between shifts, medication lists in the car. When your team works in patients' homes, PHI travels with them everywhere. EZBunny covers the risks that come with care outside your office walls.
HIPAA is the federal law that protects patient health information. Annual training is the industry standard.
Breaches affecting 500+ individuals are published on the HHS Breach Portal (the "Wall of Shame"), a permanent, public record. Training your team is the most effective way to avoid it.
And it gets stricter. States like California (CMIA) and Texas (HB 300) impose penalties beyond federal HIPAA. Your team needs to meet the highest standard.
25+ courses your home health team actually needs
Beyond HIPAA, your team needs OSHA safety training, fraud prevention, cybersecurity awareness, and state-specific compliance. EZBunny covers it all in one subscription.
The risks that travel with your field staff
$1.7M after a nurse's laptop was stolen from her car
Unencrypted visit schedules and medication lists for 400 homebound patients were on that laptop. The agency paid $1.7 million.
Aides and nurses train between visits
Audio-narrated lessons with knowledge checks your field staff finish on a phone or tablet between patient visits.
The agency tablet died, so they used their phone
Visit notes end up in a personal notes app. Patient photos land in a camera roll synced to iCloud. Nobody meant to break HIPAA, but the PHI is now on an unsecured device.
See every caregiver's status from the office
Your dashboard shows who's trained, who's overdue, and who just started, across every location and shift. Export a report for your accreditation surveyor in two clicks.
Morning aide texts evening aide about meds
Shift changes mean sharing patient updates. A text about a medication change, with the patient's name and dosage, is a potential breach sitting in someone's message history.
Field staff get reminded without you chasing them
New hire starts Monday? They get an invite. A caregiver's certificate expires next month? They get a nudge. You don't track anyone down.
Care plans riding around in the back seat
Paper records in open bags, left in unlocked cars, carried into coffee shops. Once PHI leaves your office, it's the hardest risk to control.
Certificates with built-in verification
Each certificate has a unique ID and public verification link. Auditors and surveyors can verify it in seconds using the unique ID or QR code. No phone calls needed.
One price for every aide, nurse, and coordinator in your agency
No per-seat charges. No hidden fees. Cancel anytime.
Beyond HIPAA: All the Training Home Health Agencies Need
HIPAA is just the start. Here's what home health teams also need.
OSHA Safety (Required)
Home health workers have occupational exposure to bloodborne pathogens in patient homes. Required: Bloodborne Pathogens, OSHA General Safety, HazCom, and Infection Control under CMS Conditions of Participation. These are enforced separately from HIPAA.
Fraud, Waste & Abuse (Required)
CMS requires FWA training for all Medicare-certified home health agencies under Conditions of Participation (42 CFR 484). Billing staff and administrators must complete FWA training - failure can result in Medicare decertification.
Emergency Preparedness (Required)
CMS requires emergency preparedness training for all Medicare-certified home health agencies under 42 CFR 484.102. Your team must know how to maintain continuity of care when natural disasters or other emergencies affect patients in their homes.
Cultural Competency & Age-Appropriate Care
Home health patients are predominantly elderly and often from diverse cultural backgrounds. If you operate in California or New York, Cultural Competency training is required for licensed clinical staff. Age-Appropriate Care helps your team provide respectful, person-centered care in the patient's home environment.
Advanced Healthcare Directives
Home health patients frequently have DNR orders, living wills, and healthcare proxies. Your team must know how to document, communicate, and respect advance directives. Handling this incorrectly creates both legal and clinical risk.
Mandatory Reporting (Required)
Home health workers visit vulnerable populations in unsupervised environments. Mandatory Reporting training ensures your aides, nurses, and therapists know how to recognize and report abuse, neglect, and exploitation - and understand their legal obligation to act.
Training by Role
Different roles need different courses. Here's a breakdown for home health teams.
| Role | Core Courses | Additional |
|---|---|---|
| Home Health Aide / CNA | HIPAA Privacy, Bloodborne Pathogens, Infection Control, Mandatory Reporting, OSHA General Safety, Sexual Harassment Prevention, Advanced Healthcare Directives | Age-Appropriate Care |
| Registered Nurse (field) | HIPAA Privacy & Security, Bloodborne Pathogens, Emergency Preparedness, Infection Control, Mandatory Reporting, OSHA General Safety, Sexual Harassment Prevention, Advanced Healthcare Directives | Telehealth Privacy if remote monitoring |
| Physical / Occupational Therapist | HIPAA Privacy & Security, Bloodborne Pathogens, Infection Control, Mandatory Reporting, OSHA General Safety, Sexual Harassment Prevention | |
| Care Coordinator | HIPAA Privacy & Security, CMS FWA, Mandatory Reporting, Medical Records, Sexual Harassment Prevention | |
| Billing Staff | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Medical Records, Sexual Harassment Prevention | |
| Supervisory RN | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Emergency Preparedness, Infection Control, Mandatory Reporting, Medical Records, Sexual Harassment Prevention | Cybersecurity |
| Agency Administrator | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Emergency Preparedness, Mandatory Reporting, Medical Records, Sexual Harassment Prevention | Cybersecurity, Workplace Violence Prevention |
State-Specific Requirements
State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here.
- If you operate in California: CMIA privacy training; cultural competency CE for licensed clinical staff (required in CA/NY); workplace violence prevention for hospital-based agencies (SB 553)
- If you operate in Texas: HB 300 privacy training within 90 days of hire - Texas penalties up to $1.5M per incident
- If you operate in Florida: HIV/AIDS training for applicable licensed practitioners per FL Statute 381.0034
- If you operate in New York: Infection control every 4 years for licensed clinical staff (PHL Section 239); cultural competency required for licensed providers; sexual harassment prevention annually
Proposed changes to the HIPAA Security Rule (expected 2026) may expand mobile device and cybersecurity requirements for home health agencies.
HIPAA questions we hear from home health agencies
What are the HIPAA rules for mobile devices used in home health?
Every mobile device used for PHI must have encryption, strong passcodes, auto-lock, and remote wipe capability. Using personal devices requires a written BYOD policy. Staff should never store patient information in personal notes apps, text messages, or photo galleries.
Can home health aides document visits on personal phones?
Only if your agency has a written BYOD policy that meets HIPAA encryption and remote-wipe requirements. Visit notes should go directly into the agency's HIPAA-compliant EHR, never in personal notes, texts, or photos. If a personal device is lost, the agency must be able to remotely wipe PHI from it.
How should home health teams communicate about patients securely?
All patient communication must go through HIPAA-compliant, encrypted channels. Never use standard texts, personal email, or consumer apps. Use encrypted messaging platforms with audit trails and BAAs. For urgent verbal communication, confirm you're in a private setting and avoid using patient full names in voicemails.
What HIPAA training do home health aides need?
Every aide, nurse, therapist, and admin staff member who handles PHI must complete HIPAA training, no exceptions. Training must cover the Privacy Rule, Security Rule, and breach notification procedures. Training is required at hire and when policies change. Annual refresher training is a best practice and may be required by state regulations or accreditation bodies.
What are the HIPAA rules for transporting paper records?
Paper records must travel in locked containers, never be left in vehicles, and be returned or destroyed after use. Carry only the minimum records necessary for the visit. Lost or stolen paper records containing PHI must be reported as a potential breach.
How does HIPAA apply to OASIS assessments and care plans?
OASIS assessments, care plans, and all visit documentation are PHI that must be created and stored in HIPAA-compliant systems. When completing assessments in a patient's home, position your device so others cannot read the screen. Care plans shared between providers must go through secure channels with BAAs in place.
Cover your whole agency, office and field staff
Setup takes about 5 minutes. Try it free for 14 days.
Regulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.