Date: 2025-11-11

As more home-based care providers rely on AI tools for both clinical advancements and operational streamlining, the importance of strong safeguards has become increasingly clear.

Companies, including First Choice Home Health & Hospice and Team Select Home Care, have developed AI policies that address patient data, cybersecurity and HIPAA compliance, among other potential concerns. Without such airtight policies, developed with state-specific regulations in mind, organizations risk financial penalties.

In general, Angelo Spinola, home health, home care and hospice chair at law firm Polsinelli, has seen an uptick in all kinds of home-based care clients reaching out to receive consultation while formulating AI policies.

“Whether it’s franchise systems or an independent [company] or one of the large strategics, this is an issue that everybody’s dealing with,” he told Home Health Care News.

At Team Select Home Care, the company has multiple AI-related policies in place. Many of these policies are focused on patient data, privacy and HIPAA, according to CEO Fred Johnson.

“AI companies will request, in some cases, unfettered access to your EMR, which is dangerous, and can, potentially, expose very sensitive patient information,” he told HHCN. “Our policy is, we never grant unrestricted EMR access. We use data minimization principles and ensure [patient health information] remains protected under HIPAA and industry best practices. No patient names are ever shared [to any external partners], and the tool runs completely outside of our EMR.”

Phoenix-based Team Select Home Care serves the medically complex pediatric population and seniors in the home. The company operates in 16 states and is one of the largest pediatric long-term care providers in the country.

Adopting AI tools can sometimes leave companies vulnerable, expanding the attack surface, so cybersecurity is another major focus of Team Select Home Care’s various policies.

“There’s just so much risk in cyber that — it’s one of the few things that could take down our business,” Johnson said. “When developing our AI policies, the data, in terms of availability, who can see it, what they can see, how protected it is, and so forth, is really like the first hurdle to pass. If we can’t pass that hurdle, we can’t go to the next step and do anything.”

Another major component of Team Select Home Care’s policies is the assurance that the company will never use AI tools to replace the medical judgment and decision-making of its clinicians.

Similar to Team Select Home Care, protecting patient health information and HIPAA compliance was top of mind for First Choice Home Health & Hospice when instituting AI technology. In this pursuit, the company avoids using general large language models (LLMs), like ChatGPT, when handling sensitive patient information, according to Beau Sorensen, chief operating officer of First Choice Home Health & Hospice.

Founded in 1996, Orem, Utah-based First Choice Home Health & Hospice serves the Wasatch Front region. In addition to its core home health and hospice offerings, the provider delivers a variety of Medicare Part B services, including outpatient therapy and Clinical Laboratory Improvement Amendments (CLIA) laboratory services.

The company also has a policy that any AI tool that touches its core business, patient care, must be vetted.

“It has to go through a vetting process where it is tested against existing solutions to determine if the AI is high enough quality, if it’s giving excellent results, and if it is ultimately something that will end up serving our patient population, and serving our clinicians better than the existing solution,” Sorensen told HHCN.

Sorensen emphasized the importance of having a policy that is constantly evolving.

“Your policy manual shouldn’t be something that you write in stone from the hand of God on Mount Sinai,” he said. “It should be something that you’re constantly looking at and evaluating and saying, ‘Does this policy still work for us?’ If not, what changes do we need to make to it?”

Ensuring compliance

When creating an AI policy, home-based care providers must ensure compliance with disclosure regulations, according to Spinola.

“Different states have different requirements there,” he said. “If we’re using an AI monitoring device or somebody’s dealing with an AI agent, sometimes there’s a requirement that the client and the caregiver are put on notice, that they understand it’s an AI agent and consent to the use of these programs.”

Spinola also explained that some states have laws governing what entities are allowed to do with AI tools.

“In some cases, there’s a requirement for human oversight and review,” he said. “In some cases, it’s simply that the AI tool can’t do what a human can’t do from a discriminatory perspective, where there might be an adverse effect on a particular protected category of individuals.”

There are several ways that home-based providers can end up in hot water without thorough AI policies.

“There could be HIPAA violations, privacy violations, issues with cybersecurity,” Spinola said. “There’s a variety of financial penalties associated with several of the state laws for failure to provide notice, or obtain consent, for not following these rules.”

When President Donald Trump took office, he revoked a 2023 executive order issued by Joe Biden that aimed to address AI-related risks. This means AI oversight is largely driven by state law rather than federal law.

States are frequently updating laws around AI usage. This means providers must closely follow rapidly evolving regulations.

Some providers operating in multiple states model their entire compliance program on the states with more restrictive laws and regulations, Spinola noted.

Ultimately, AI policies must be a top priority to maintain compliance and patient safety, Johnson said.

“AI can’t be a shadow IT function,” he said. “We have to maintain really strong, structured governance, similar to what you’d expect from clinical or cybersecurity.”