HIPAA Business Associate Agreement for Home Health Agencies
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ Home health agencies are HIPAA covered entities with BAA obligations for all PHI-handling vendors
- ✓ Field staff using mobile apps and personal devices create unique BYOD compliance challenges
- ✓ Telehealth and remote monitoring platforms require BAAs — even when used by home health aides
- ✓ Subcontractor caregivers and therapy staffing agencies may require downstream BAAs under the Omnibus Rule
Home health agencies operate differently from clinic-based practices: care is delivered in patients' homes by field staff who use mobile devices to document visits, receive schedules, and access patient records remotely. This distributed model creates a larger and more complex vendor footprint than traditional practices — and more opportunities for BAA gaps to emerge.
Why Home Health Agencies Are Covered Entities
Home health agencies are healthcare providers under HIPAA. Those that transmit health information electronically in connection with Medicare or Medicaid claims are covered entities, subject to the full HIPAA Privacy and Security Rules. This includes:
- Medicare-certified home health agencies
- Medicaid home health waiver providers
- Private-pay home health agencies that submit claims electronically
- Pediatric home health and private duty nursing agencies
- Home infusion therapy providers
The Unique BAA Challenges in Home Health
Field Staff Using Mobile Devices
Home health aides, skilled nurses, and therapists typically use smartphones or tablets to document visits, check schedules, and communicate about patient care. If field staff access a mobile app that stores or transmits patient PHI, the app vendor is a business associate. This applies whether the device is agency-owned or personally owned (BYOD). The BYOD scenario doesn't transfer compliance responsibility away from the agency — it adds requirements around mobile device management (MDM) and BAA coverage for mobile app vendors.
Telehealth and Remote Monitoring
Remote patient monitoring platforms used for post-acute care at home — video visit platforms, vital sign monitoring tools, connected devices — all create vendor relationships that require BAAs. As agencies expand telehealth services, each new platform represents a new business associate relationship that needs a signed BAA under 45 CFR § 164.504(e).
Subcontractor Caregivers and Therapy Staffing
Under HIPAA's 2013 Omnibus Rule, subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves subject to HIPAA. If your agency uses independent contractor caregivers or therapy staffing agencies (for PT, OT, or SLP services) who access patient records through your systems, those contractors may be downstream business associates requiring BAAs. This is especially relevant for agencies that staff through third-party therapy companies.
Vendors Home Health Agencies Typically Need BAAs With
Home Health Software Platforms
Homecare Homebase, Brightree, KanTime, and MatrixCare are among the most widely deployed home health clinical management platforms. These systems hold patient care plans, visit notes, physician orders, and billing data. All provide BAAs — request them during contract setup and retain executed copies.
Electronic Visit Verification (EVV) Systems
EVV systems record the time, location, and service delivered during home visits and are required for Medicaid-funded personal care and home health services in most states. EVV platforms link caregiver identities to patient identities along with location data — this is PHI, and EVV vendors are business associates.
Scheduling and Dispatch Software
Scheduling software that assigns specific caregivers to specific patients creates records that link patient identities to care schedules — PHI. Scheduling systems that also generate clinical workflow data or integrate with EVV and billing platforms require BAAs.
Billing and Revenue Cycle Companies
Outside billing companies and revenue cycle management vendors that process Medicare, Medicaid, or private insurance claims handle patient names, diagnosis codes, and service records. BAAs are required before sharing any claim data. Review our guide on when a HIPAA BAA is required for the full vendor decision framework.
Payroll Systems Linked to Patient Schedules
Payroll systems that integrate with patient scheduling data — for example, generating caregiver pay based on patient visit records — may create a linkage between employee records and patient PHI. If your payroll vendor's system receives patient-identifying data as part of processing caregiver hours, a BAA may be required.
IT Support and Cloud Services
IT managed service providers with remote access to agency systems, and cloud backup or storage services used for patient records, are business associates. Confirm that your IT partner and cloud storage vendors have signed BAAs. See our resource on checking whether your vendor signs BAAs for a practical approach.
| Vendor Type | Example Vendors | BAA Required? |
|---|---|---|
| Home health software | Homecare Homebase, Brightree, KanTime, MatrixCare | Yes |
| EVV platform | Sandata, HHAeXchange, Netsmart EVV | Yes |
| Telehealth / remote monitoring | Telehealth platform vendors | Yes |
| Scheduling / dispatch | ClearCare, WellSky scheduling | Yes |
| Billing / RCM | Outsourced billing companies | Yes |
| IT support / MSP | Local or remote IT provider | Yes |
| Therapy subcontractors | PT/OT/SLP staffing agencies | Yes (if accessing PHI) |
Frequently Asked Questions
Are home health agencies HIPAA covered entities?
Yes. Home health agencies are healthcare providers under HIPAA and covered entities when they transmit health information electronically in connection with Medicare, Medicaid, or insurance claims. They must execute BAAs with every vendor that creates, receives, maintains, or transmits PHI on their behalf under 45 CFR § 164.504(e).
Do mobile apps used by home health aides require BAAs?
Yes. Mobile apps used by field staff to access schedules, document visits, or communicate about patient care handle PHI and the app vendors are business associates. This applies whether the device is agency-owned or personally owned. The agency is responsible for ensuring BAAs are in place with all such app vendors.
What is a subcontractor BAA in home health?
Under HIPAA's Omnibus Rule, subcontractors who access PHI on behalf of a covered entity or business associate are downstream business associates themselves, directly subject to HIPAA. In home health, independent contractor caregivers or therapy staffing agencies who access patient records through your systems may require BAAs.
What home health software vendors require BAAs?
Homecare Homebase, Brightree, KanTime, and MatrixCare all provide BAAs. You also need BAAs with your EVV platform, telehealth vendors, scheduling software, billing companies, and IT support providers. Contact each vendor's compliance team if a BAA was not provided during initial contracting.