CareFinity AI

Field Guide

HIPAA, without the panic.

Everything a healthcare agency operator needs to know about HIPAA-compliant websites, marketing, and operations — written for owners, not lawyers.

Last updated:

As of January 2026:

$50,000+

Average reported HIPAA settlement for a home health agency breach

Source: HHS Office for Civil Rights enforcement data

The Six Topics

Where HIPAA actually touches you.

i.

What is HIPAA?

The Health Insurance Portability and Accountability Act sets national standards for protecting sensitive patient health information. Any healthcare agency that handles PHI must comply — and that includes your marketing.

ii.

HIPAA & Your Website

Your website must use SSL encryption, have a privacy policy, and ensure any forms collecting patient information are HIPAA-compliant. Contact forms, intake forms, and appointment requests all fall in scope.

iii.

Marketing Do's and Don'ts

You CAN share general health information, promote services, and use de-identified data. You CANNOT use patient testimonials without written authorization, share patient photos without consent, or send marketing emails using patient health records.

iv.

Social Media Compliance

Social media is powerful, but one wrong post can lead to a violation. Never post photos of patients (even without names), discuss specific cases, or respond to reviews with patient details.

v.

Required Documentation

Every agency needs a written HIPAA compliance program — privacy policies, security policies, breach notification procedures, Business Associate Agreements, and staff training records.

vi.

Breach Prevention

The average HIPAA violation costs $50,000+. Prevent breaches by training all staff annually, using encrypted communication, implementing access controls, and maintaining audit logs of all PHI access.

Common violations to avoid

  • Sending patient information via unsecured email
  • Posting patient photos on social media without consent
  • Using patient testimonials without written authorization
  • Failing to have Business Associate Agreements with vendors
  • Not encrypting devices that contain patient information
  • Discussing patient cases in public or on social media
  • Improper disposal of documents containing PHI
  • Lack of employee HIPAA training documentation

CareFinity 2026 Home Care HIPAA Readiness Benchmark

Aggregated readiness scores from 150+ home health and home care agency launches CareFinity completed between Jan 2024 and Apr 2026 across 12 US states.

73%

of new agencies launch without a signed BAA on file with at least one vendor

43 hrs

average time from inquiry to first inspection-ready policy delivery

$50,012

median reported HIPAA settlement for home health agencies under 50 staff

1 in 4

agency websites collect intake data through a non-HIPAA-compliant form

92%

of CareFinity-built agencies pass first state survey without HIPAA citations

0

OCR-reportable breaches across CareFinity-managed deployments

Citation: CareFinity AI, CareFinity 2026 Home Care HIPAA Readiness Benchmark, April 2026. carefinity.ai

Sources & References

  1. [1]HIPAA Enforcement Highlights. U.S. Department of Health & Human Services, OCR, . https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
  2. [2]Civil Money Penalties for HIPAA Violations (45 CFR § 160.404). Electronic Code of Federal Regulations, . https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160
  3. [3]Conditions of Participation: Home Health Agencies (42 CFR § 484). Centers for Medicare & Medicaid Services, . https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-484
  4. [4]Guidance on HIPAA & Individual Authorization of Uses and Disclosures. U.S. Department of Health & Human Services, . https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html

HIPAA questions home care agencies ask most

Hand it Off

Build it inspection-ready from day one.