Home Health Compliance Checklist for 2026

By Matt Saucedo, Founder & CEO

Updated February 21, 2026

Compliance in home health is not one thing. It is a collection of overlapping obligations—federal, state, payer-specific—that all need to be satisfied simultaneously. Missing one can trigger consequences that cascade across the others.

This checklist covers the core compliance requirements for home health agencies in 2026. It is not exhaustive (state-specific requirements vary), but it covers the federal baseline that every agency must meet.

A compliant home health agency in 2026 must screen all staff against the OIG LEIE and SAM.gov monthly, verify patient eligibility before each billing cycle, maintain a documented audit trail of all screening and verification activities, conduct quarterly HIPAA reviews, provide annual compliance training, and maintain continuous CMS survey readiness.

Monthly: OIG Exclusion Screening

Screen all employees against the OIG LEIE (updated around the 20th of each month)
Screen all employees against SAM.gov exclusion records
Screen all contractors and per diem staff against both databases
Screen all vendors who furnish or arrange items/services paid by federal programs
Document results of each screening cycle with date stamps
Investigate and document resolution of any potential matches
Retain screening records for a minimum of 10 years (OIG lookback period)

Why it matters: The Civil Monetary Penalties Law imposes up to $22,427 per item or service furnished by an excluded individual, plus treble damages. The obligation to screen is on the provider, and ignorance is not a defense.

Ongoing: Eligibility Verification

Verify Medicare/Medicaid eligibility for all patients at intake
Re-verify eligibility before each billing cycle
Implement a process to detect coverage lapses between billing cycles
Monitor Medicaid managed care plan assignments for changes
Flag patients approaching Medicaid redetermination dates
Verify Medicare Secondary Payer status when applicable
Document eligibility verification for each date of service

Why it matters: Billing for services provided to ineligible patients results in denied claims, recoupment demands, and potential False Claims Act liability. The 2023-2024 Medicaid unwinding demonstrated how quickly coverage status can change.

Per Hire: Pre-Employment Screening

OIG LEIE check before first day of employment
SAM.gov check before first day of employment
State licensing board verification
Criminal background check (per state requirements)
Reference verification
Verify professional credentials and certifications
Obtain and verify NPI for licensed clinicians
Document all pre-employment screening results in the employee's file

Why it matters: Pre-employment screening is the first line of defense. If you hire an excluded individual without checking, the liability clock starts on day one.

Quarterly: HIPAA Compliance Review

Review access logs for electronic health records
Audit user access levels (principle of least privilege)
Verify that terminated employees have been removed from all systems
Test backup and disaster recovery procedures
Review Business Associate Agreements for current vendors
Check that mobile devices used for patient care are encrypted and password-protected
Review incident response procedures with staff
Verify that patient data is not being stored on personal devices or unapproved cloud services

Why it matters: HIPAA violations carry penalties ranging from $100 to $50,000 per violation (per the HHS enforcement tiers), with a maximum of $1.5 million per violation category per year. OCR has increased enforcement against small healthcare providers.

Annually: Staff Training and Policy Review

HIPAA privacy and security training for all staff
Compliance program training (fraud, waste, and abuse)
OSHA workplace safety training
Infection control training and competency assessment
Review and update compliance policies and procedures
Review and update employee handbook for regulatory changes
Conduct risk assessment and update compliance work plan
Document all training with sign-in sheets and assessment results
Review corrective action plans from any previous audits or surveys

Why it matters: CMS Conditions of Participation require documented training programs. Surveyors routinely request training records, and deficiencies in training documentation are among the most common survey findings.

CMS Survey Readiness

Maintain a current organizational chart
Keep OASIS documentation current and accurate
Ensure care plans are signed and updated within required timeframes
Maintain supervisory visit documentation (aide supervision every 14 days)
Keep emergency preparedness plan current (reviewed and exercised annually)
Verify that all clinical protocols reflect current evidence-based practice
Maintain QAPI (Quality Assurance and Performance Improvement) documentation
Keep patient rights notices posted and distributed
Ensure grievance procedures are documented and accessible

Why it matters: CMS surveys can be unannounced. The time to prepare is before the surveyor arrives, not after. Agencies that maintain continuous readiness spend less time and money on corrective action plans.

Incident Reporting

Report adverse events per state reporting requirements
Document and investigate all patient complaints
Report suspected fraud, waste, or abuse through the compliance hotline
Report HIPAA breaches affecting 500+ individuals to OCR within 60 days
Report smaller HIPAA breaches to OCR in the annual log (by March 1)
Notify affected individuals of any breach within 60 days of discovery
Maintain an incident log with dates, descriptions, and resolutions

Why it matters: Unreported incidents become compliance violations. The cover-up is always worse than the incident. OIG's Self-Disclosure Protocol offers reduced penalties for providers that voluntarily report violations.

Automate What You Can

No compliance officer can execute this entire checklist manually every month without something falling through the cracks. The repeatable, data-driven tasks—OIG screening, eligibility verification, documentation—are exactly the tasks that should be automated.

ClientCare automates the OIG/LEIE and SAM.gov screening, eligibility verification, and audit trail documentation. You handle the judgment calls. We handle the data processing.

Disclaimer: This article is for informational purposes only and does not constitute legal, compliance, or regulatory advice. Penalty amounts, regulatory requirements, and enforcement practices referenced herein are based on publicly available federal guidance and may change. Consult a qualified healthcare compliance attorney for advice specific to your organization. ClientCare is a software tool that assists with screening and monitoring — it does not guarantee regulatory compliance.
