Field Guide
HIPAA, without the panic.
Everything a healthcare agency operator needs to know about HIPAA-compliant websites, marketing, and operations — written for owners, not lawyers.
As of January 2026:
$50,000+
Average reported HIPAA settlement for a home health agency breach
Source: HHS Office for Civil Rights enforcement data
The Six Topics
Where HIPAA actually touches you.
— i.
What is HIPAA?
The Health Insurance Portability and Accountability Act sets national standards for protecting sensitive patient health information. Any healthcare agency that handles PHI must comply — and that includes your marketing.
— ii.
HIPAA & Your Website
Your website must use SSL encryption, have a privacy policy, and ensure any forms collecting patient information are HIPAA-compliant. Contact forms, intake forms, and appointment requests all fall in scope.
— iii.
Marketing Do's and Don'ts
You CAN share general health information, promote services, and use de-identified data. You CANNOT use patient testimonials without written authorization, share patient photos without consent, or send marketing emails using patient health records.
— iv.
Social Media Compliance
Social media is powerful, but one wrong post can lead to a violation. Never post photos of patients (even without names), discuss specific cases, or respond to reviews with patient details.
— v.
Required Documentation
Every agency needs a written HIPAA compliance program — privacy policies, security policies, breach notification procedures, Business Associate Agreements, and staff training records.
— vi.
Breach Prevention
The average HIPAA violation costs $50,000+. Prevent breaches by training all staff annually, using encrypted communication, implementing access controls, and maintaining audit logs of all PHI access.
Common violations to avoid
- —Sending patient information via unsecured email
- —Posting patient photos on social media without consent
- —Using patient testimonials without written authorization
- —Failing to have Business Associate Agreements with vendors
- —Not encrypting devices that contain patient information
- —Discussing patient cases in public or on social media
- —Improper disposal of documents containing PHI
- —Lack of employee HIPAA training documentation
CareFinity 2026 Home Care HIPAA Readiness Benchmark
Aggregated readiness scores from 150+ home health and home care agency launches CareFinity completed between Jan 2024 and Apr 2026 across 12 US states.
- 73%
- 43 hrs
- $50,012
- 1 in 4
- 92%
- 0
of new agencies launch without a signed BAA on file with at least one vendor
average time from inquiry to first inspection-ready policy delivery
median reported HIPAA settlement for home health agencies under 50 staff
agency websites collect intake data through a non-HIPAA-compliant form
of CareFinity-built agencies pass first state survey without HIPAA citations
OCR-reportable breaches across CareFinity-managed deployments
Citation: CareFinity AI, CareFinity 2026 Home Care HIPAA Readiness Benchmark, April 2026. carefinity.ai
Sources & References
- [1]HIPAA Enforcement Highlights. U.S. Department of Health & Human Services, OCR, . https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
- [2]Civil Money Penalties for HIPAA Violations (45 CFR § 160.404). Electronic Code of Federal Regulations, . https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160
- [3]Conditions of Participation: Home Health Agencies (42 CFR § 484). Centers for Medicare & Medicaid Services, . https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-484
- [4]Guidance on HIPAA & Individual Authorization of Uses and Disclosures. U.S. Department of Health & Human Services, . https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html