Regulatory compliance isn't optional in home health care. One missed credential expiration, one incomplete background check, or one training documentation gap can trigger state fines, CMS sanctions, or worse—patient harm and lost reputation.
Yet most home health agencies manage compliance manually: spreadsheets, email reminders, sticky notes, and a prayer that nothing falls through the cracks. It works until it doesn't.
This checklist is a practical, no-nonsense framework to audit your agency's compliance posture right now. Use it monthly or quarterly to identify gaps before regulators (or auditors) do.
1. CMS Conditions of Participation (CoPs)
The baseline. If you're Medicare-certified, you're bound by 42 CFR § 484. These rules cover staffing, training, patient rights, infection control, quality assurance—the whole playbook.
Audit step: Pull your CMS Conditions of Participation manual (free at cms.gov). Spot-check these areas:
- Do you have written policies for each CoP?
- Are policies posted or accessible to staff?
- When were policies last reviewed? (CMS expects annual updates.)
- Do staff acknowledge they've read them? (Signed acknowledgment required.)
Red flag: Policies older than 12 months. Update them.
2. State Licensing & Renewal Deadlines
Every state requires home health agency licensure. License renewal windows vary (annual, biennial, quarterly). Missing a deadline can shut you down.
Audit step:
- Pull your current state license. Check expiration date.
- Verify the license is posted in your office (required in most states).
- Map renewal deadlines for the next 24 months into a calendar.
- Who owns renewal? That person should have a backup.
Red flag: License expires in <90 days and you haven't started the renewal application. State processing can take 30–60 days.
3. Employee Credential Verification
You cannot legally employ staff without verifying their credentials first. RNs must have active licenses; CNAs need certification. Credential fraud exists—you must verify.
Audit step:
- Pull 3–5 random employee files from each discipline (RN, CNA, PT, etc.).
- Do files contain copies of active licenses/certifications?
- Are credential expiration dates recorded?
- When was each credential last verified? (Should be at hire + annually.)
Red flag: You're relying on what staff told you about their credentials. That's not verification. Verify against the state licensing board — it takes 5 minutes per person and protects you legally.
4. Background Checks & Screening
Federal law (42 CFR § 484.4) mandates criminal background checks for all home health employees. Many states add additional screening (abuse registry, sex offender registry).
Audit step:
- Does every employee have a documented background check in their file?
- Are checks current? (CMS typically requires re-screening every 5 years; your state may require it more frequently.)
- Are disqualifying offenses clearly documented and reviewed?
- Did you screen against your state's abuse registry AND the OIG exclusion list?
Red flag: You haven't checked the OIG exclusion list. It's free at oig.hhs.gov. Takes 10 minutes to cross-reference your staff. Required.
5. Staff Training & Orientation Documentation
CMS mandates annual training on infection control, patient rights, HIPAA, and safe practices. Documentation is required—verbal training doesn't count.
Audit step:
- Pull training records for 5 random employees.
- Do they show evidence of orientation training (infection control, patient rights, HIPAA, emergency procedures, OASIS)?
- Do records show annual competency assessments or skills validation?
- Are training dates recorded?
- For specialized services (wound care, diabetes management), do staff have competency validation?
Red flag: You conduct training but don't document it. If CMS audits and finds no records, it's as if training never happened—citations follow.
6. Incident Reporting & Investigation Process
Patient complaints, adverse events, and staff incidents must be documented and investigated. CMS wants to see a culture of safety.
Audit step:
- Do you have a written incident reporting process?
- In the last quarter, how many incidents were reported? (If zero, you might not be encouraging reporting.)
- Pull 2–3 incident files. Do they show date/time, description, corrective action, and follow-up?
Red flag: Incidents are reported verbally or via email, not tracked in a system. CMS auditors flag this immediately.
7. HIPAA Compliance & Data Security
Patient health information is sensitive. You're required to have written policies on access, storage, transmission, and breach response. HIPAA violations mean fines ($100–$50k+ per violation).
Audit step:
- Do you have written HIPAA policies? (Privacy, Security, Breach Notification—all three required.)
- Who has access to patient records? (Role-based access only.)
- How are records stored? (Locked cabinets, encrypted digital systems.)
- When was your last security risk assessment?
- Do employees sign HIPAA acknowledgment annually?
Red flag: Patient records on desks where visitors can see them. Patient information sent via unencrypted email. No access controls on databases.
8. Emergency Preparedness & Business Continuity
Your agency must have a plan for emergencies (power outages, natural disasters, cyber incidents, staff shortages). CMS auditors now focus on cyber and pandemic readiness.
Audit step:
- Do you have a written emergency preparedness plan?
- Does it cover evacuation, backup communications, data recovery, staff call-out, and patient continuity of care?
- When was the plan last tested or reviewed? (Should be annually.)
Red flag: A plan sitting in a drawer that hasn't been updated since 2019. Plans only work if staff know about them and they're tested.
9. Quality Assurance & Performance Metrics
CMS requires ongoing monitoring of patient outcomes, staff competency, and patient satisfaction. You need data, not assumptions.
Audit step:
- Do you collect metrics on patient outcomes, satisfaction scores, staff turnover, complaint trends, and audit findings?
- Who reviews these metrics? (Monthly? Quarterly?)
- When findings are identified, is there documented corrective action?
Red flag: You don't formally measure anything. CMS requires evidence of performance monitoring—this is non-negotiable.
10. Audit Readiness: Documentation Systems
When CMS or state regulators audit, they ask for specific documents. If your documentation is scattered across email, sticky notes, and someone's laptop, you're vulnerable.
Audit step: Can you locate these documents in under 5 minutes?
- Policies and procedures (current version, dated)
- Staff files (credential copies, background check, training records)
- Incident reports (last 12 months)
- Patient records (organized with audit trail)
- Infection control documentation
Red flag: When asked for a staff file, you gather documents from 4 different places. Regulators flag this as a documentation failure—sometimes counted as a citation itself.
The Next Step: Automate Compliance Tracking
Manual compliance audits are necessary, but they're reactive. By the time you audit, you might already be out of compliance.
Smarter agencies use compliance management software that tracks credential expiration dates, sends renewal reminders 90 days in advance, centralizes documentation, and generates audit reports on demand. CareQueue automates these workflows—staff credentials stay current, training documentation is timestamped automatically, and you're always ready for an audit.
But this checklist? Do it first. Right now. Today.