Medicare Compliance

The complete guide to Medicare home health Conditions of Participation — and how Ordo tracks every one.

42 CFR Part 484 defines the Conditions of Participation that every Medicare-certified home health agency must meet. This page breaks down each condition in plain language, explains what surveyors evaluate, identifies the most commonly cited deficiencies, and shows how Ordo maps to every requirement.

What is 42 CFR Part 484?

42 CFR Part 484 is the section of the Code of Federal Regulations that establishes the Conditions of Participation (CoPs) for home health agencies participating in the Medicare program. These conditions define the minimum health and safety standards that agencies must meet to receive Medicare reimbursement. In total, there are 15 Conditions of Participation — 10 in Subpart B and 5 in Subpart C. CMS contracts with state survey agencies to conduct compliance surveys. These surveys are completely unannounced — agencies receive zero advance notice.

Subpart B — Patient Care

10 Conditions of Participation covering every aspect of patient care.

Subpart B (§484.40–§484.80) defines the patient care standards every Medicare-certified home health agency must meet. Ordo loads all 10 CoPs as trackable compliance items.

  • OASIS data confidentiality and reporting
  • Patient rights and comprehensive assessment
  • Discharge planning
  • Care planning, coordination, and quality of care
  • Quality assessment and performance improvement (QAPI)
  • Infection prevention and control
  • Skilled professional services
  • Home health aide services

Subpart C — Organizational Environment

5 Conditions of Participation covering agency operations and administration.

Subpart C (§484.100–§484.115) defines the organizational standards for agency governance, compliance, and personnel. Ordo loads all 5 CoPs as trackable compliance items.

  • Compliance with federal, state, and local laws
  • Emergency preparedness
  • Organization and administration of services
  • Clinical records
  • Personnel qualifications

The 15 Conditions of Participation: What they require, what surveyors evaluate, and how Ordo tracks them.

Subpart B — Patient Care (10 Conditions)

What the regulation requires

The HHA and any agent acting on behalf of the HHA in accordance with a written contract must ensure the confidentiality of all patient-identifiable information contained in the clinical record, including OASIS data. The agency may not release patient-identifiable OASIS information to the public. This requirement extends to all contractors and subcontractors who handle OASIS data on the agency's behalf — each must be bound by written agreements that enforce confidentiality protections.

What surveyors evaluate

Surveyors verify that the agency has policies and procedures governing the confidentiality of patient-identifiable OASIS data. They review contracts with agents and subcontractors for written confidentiality provisions. They assess whether staff who access OASIS data have been trained on confidentiality requirements and whether the agency has safeguards to prevent unauthorized release of patient-identifiable assessment information.

Common deficiency patterns

Contracts with agents or subcontractors that do not include written confidentiality provisions for OASIS data. Staff who handle OASIS data without documented training on confidentiality requirements. Lack of policies specifically addressing release restrictions for patient-identifiable OASIS information — as distinct from general HIPAA privacy policies.

How Ordo tracks it

Pre-loaded compliance items for OASIS data confidentiality policies, agent/contractor agreement verification, and staff training documentation. Evidence fields for attaching signed contractor agreements and staff training records. Attestation workflows for periodic review of OASIS data handling procedures.

What the regulation requires

The HHA must encode and electronically transmit each completed OASIS assessment to the CMS system within 30 days of completing the assessment. The encoded OASIS data must accurately reflect the patient's status at the time of assessment. The HHA must transmit data using electronic communications software that complies with the Federal Information Processing Standard (FIPS 140-2) and that conforms to CMS standard electronic record layout, edit specifications, and data dictionary. The agency must transmit a completed OASIS to the CMS system for all Medicare patients, Medicaid patients, and patients utilizing any federally funded health plan options that are part of the Medicare program.

What surveyors evaluate

Surveyors review the agency's OASIS transmission processes, including timeliness of submissions (within the 30-day window), accuracy of encoded data, and compliance with CMS-specified software and data format requirements. They verify that the agency has quality assurance processes for OASIS data accuracy and that all applicable patients (Medicare, Medicaid, and federal health plan patients) are included in OASIS reporting.

Common deficiency patterns

OASIS assessments not transmitted within the 30-day deadline. Data encoding errors that do not accurately reflect the patient's status at the time of assessment. Failure to submit OASIS data for all applicable patient populations (e.g., missing Medicaid patients). Software or transmission methods that do not meet FIPS 140-2 standards. Lack of internal review processes to verify OASIS data accuracy before submission.

How Ordo tracks it

Pre-loaded compliance items for OASIS encoding accuracy, 30-day transmission deadlines, software compliance verification, and data quality review processes. Trackable items for internal OASIS audit procedures. Evidence fields for documentation of submission confirmations and data validation checks.

What the regulation requires

Agencies must inform patients of their rights in advance of or during the initial evaluation visit, before care is provided. Patients must receive written notice of their rights in a language they understand, including the right to be informed about services, the right to participate in care planning, the right to voice grievances, and the right to be informed of agency policies on transfer and discharge.

What surveyors evaluate

Surveyors review patient records for evidence that rights were communicated. They conduct patient interviews to verify understanding. They look for documented grievance procedures and evidence that complaints were addressed.

Common deficiency patterns

Rights documentation that is generic rather than patient-specific. Patients who cannot recall being informed of their rights. Grievance procedures that exist on paper but lack documented follow-through.

How Ordo tracks it

Pre-loaded compliance items for each patient rights requirement under §484.50. Evidence fields for documentation of rights communication. Attestation workflows for staff training on patient rights procedures.

What the regulation requires

Each patient must receive a patient-specific, comprehensive assessment that evaluates the patient's physical, psychosocial, emotional, and functional needs. The initial assessment must be completed within required timeframes. The assessment must accurately reflect the patient's current health status, identify clinical and service needs, and include an evaluation of the patient's homebound status for Medicare eligibility purposes. Drug regimen review is required as part of the comprehensive assessment.

What surveyors evaluate

Surveyors review assessment documentation for completeness, timeliness, and individualization. They verify that assessments include medication reconciliation, functional status, cognitive assessment, and homebound determination. OASIS data accuracy is evaluated.

Common deficiency patterns

Medication regimen review is one of the most frequently cited deficiencies. Assessments that are template-driven without patient-specific findings. Initial assessments not completed within the required timeframe. Incomplete documentation of homebound status.

How Ordo tracks it

Pre-loaded compliance items for assessment requirements. Trackable items for medication regimen review documentation, initial assessment timeline compliance, and homebound status verification. Evidence fields for attaching completed assessment documentation.

What the regulation requires

Agencies must develop and implement an effective discharge planning process. Discharge summaries must include the patient's clinical status at discharge, services provided, goals achieved, and follow-up arrangements. The discharge summary must be sent to the patient's physician and any receiving facility in a timely manner.

What surveyors evaluate

Surveyors review discharge records for completeness. They check that discharge summaries include required elements, that follow-up arrangements are documented, and that physicians were notified.

Common deficiency patterns

Discharge documentation that is incomplete or missing. Rationale for discharge not clearly documented. Follow-up arrangements not communicated to the patient's physician. No evidence of patient/caregiver education about post-discharge care.

How Ordo tracks it

Pre-loaded compliance items for discharge planning requirements. Trackable items for discharge summary completion, physician notification, and follow-up arrangement documentation.

What the regulation requires

Every patient must have an individualized plan of care established and periodically reviewed by a physician. The plan must specify measurable outcomes and goals, identify the services to be provided, and include the frequency and duration of visits. Plans must be reviewed and updated at least every 60 days. All services must be coordinated across disciplines involved in the patient's care. The agency must provide written instructions to the patient and caregivers covering the care plan, visit schedule, and any changes to services.

What surveyors evaluate

This is the most heavily scrutinized CoP. Surveyors evaluate whether plans of care are individualized (not "cookie-cutter"), whether goals are measurable and patient-specific, whether plans are updated within the 60-day cycle, and whether patients received written instructions about their care.

Common deficiency patterns

Care plan content (individualization, measurable goals) and written instructions/communication are consistently the #1 and #2 most cited survey deficiencies across all accrediting bodies, per CHAP survey data from 2023–2025. Problems include: plans that don't reflect the comprehensive assessment findings, goals that are vague or unmeasurable, plans not updated in a timely manner, and patients who cannot describe their care plan or visit schedule.

How Ordo tracks it

Pre-loaded compliance items for each element of §484.60 — plan of care individualization, measurable goals, 60-day review cycle, written instructions, service coordination, and medication management. Due date automation for the 60-day review cycle. Evidence fields for documentation of plan updates and patient communication.

What the regulation requires

Agencies must develop, implement, and maintain an ongoing, data-driven QAPI program. The program must monitor the quality of care using objective measures, identify and prioritize quality problems, analyze the causes of problems, and implement corrective actions. The QAPI program must track adverse patient events, analyze infection data, and monitor patient satisfaction. The agency's governing body must be involved in QAPI oversight.

What surveyors evaluate

Surveyors review QAPI documentation for evidence of systematic data collection, trending, analysis, and action. They look for evidence that the QAPI program is ongoing (not just for survey preparation), that it addresses areas with identified deficiencies, and that governing body involvement is documented.

Common deficiency patterns

QAPI programs that exist on paper but lack evidence of ongoing activity. Data collected but not analyzed or trended. Problems identified without documented root cause analysis or corrective action. Governing body not involved in QAPI oversight.

How Ordo tracks it

Pre-loaded compliance items for QAPI program components. Incident trending data feeds QAPI reporting. Completion trend charts provide the data visualization surveyors expect. Evidence fields for QAPI meeting minutes, data analysis documentation, and corrective action records.

What the regulation requires

Agencies must maintain an infection prevention and control program that follows accepted standards of practice. The program must include surveillance, identification, prevention, control, and investigation of infections and communicable diseases. Staff must be trained on infection prevention. Infection data must be tracked, trended, and analyzed as part of the agency's QAPI program.

What surveyors evaluate

Surveyors review infection control policies, staff training records, infection tracking logs, and QAPI data related to infections. They evaluate whether the agency has processes for identifying, reporting, and responding to infections in the home setting.

Common deficiency patterns

Infection control programs that lack documented surveillance or trending. Staff training records incomplete or outdated. Infections not reported to physicians or tracked in QAPI data. Policies that don't address the unique infection control challenges of home-based care.

How Ordo tracks it

Pre-loaded compliance items for infection control program requirements. Staff training tracking for infection prevention education. Evidence fields for infection surveillance logs and trending documentation. Integration with QAPI compliance items for data analysis.

What the regulation requires

Skilled nursing, physical therapy, occupational therapy, speech-language pathology, and medical social services must be provided by qualified professionals. Services must be authorized in the plan of care, ordered by a physician, and delivered according to accepted standards of practice. Supervision of services must be documented.

What surveyors evaluate

Surveyors review clinical records for evidence that skilled services match the plan of care, that services are provided by qualified professionals, and that supervision is documented. They verify that physician orders support the services provided.

Common deficiency patterns

Documentation that doesn't support the skilled nature of services. Services provided without proper physician orders. Supervision documentation incomplete or missing.

How Ordo tracks it

Pre-loaded compliance items for skilled service standards. Credential tracking verifies that all professionals providing skilled services meet qualification requirements. Evidence fields for supervision documentation and physician order verification.

What the regulation requires

Home health aides must complete a training program of at least 75 hours (minimum 16 hours classroom, 16 hours supervised practical training) or pass a competency evaluation. Aides must be supervised by a registered nurse at least every 14 days during the first 60 days of care and every 60 days thereafter. Competency evaluations must be performed annually. Aides may only perform services that are ordered in the plan of care and within their scope of practice.

What surveyors evaluate

Surveyors pull aide personnel files to verify training completion, competency evaluations, and supervision records. They verify that aides are performing only tasks assigned in the plan of care.

Common deficiency patterns

Training records incomplete or not meeting the 75-hour requirement. Supervision not conducted within required timeframes. Annual competency evaluations missing or outdated. Aides performing tasks outside their documented scope.

How Ordo tracks it

Pre-loaded compliance items for aide training requirements, supervision schedules, and competency evaluations. Credential tracking for aide certifications with auto-expiry alerts. Do-not-schedule flags for aides with lapsed credentials or incomplete competency evaluations.

Subpart C — Organizational Environment (5 Conditions)

What the regulation requires

Agencies must comply with all applicable federal, state, and local laws related to the health and safety of patients. If state law requires licensure, the agency must be licensed. Agencies must have compliance programs and train staff on compliance obligations.

What surveyors evaluate

Surveyors verify state licensure, review compliance program documentation, and confirm that the agency is meeting all applicable legal requirements.

Common deficiency patterns

Compliance program documentation that is incomplete or outdated. Staff not trained on compliance obligations. State-specific requirements not addressed.

How Ordo tracks it

Pre-loaded compliance items for federal compliance obligations. Evidence fields for licensure verification, compliance program documentation, and staff training records.

What the regulation requires

Agencies must establish and maintain a comprehensive emergency preparedness program. This CoP, added via CMS-3178-F in September 2016, requires four core elements:

  1. Emergency plan. The agency must develop and maintain an emergency preparedness plan based on a documented, facility-based and community-based risk assessment using an all-hazards approach. The plan must include strategies for addressing emergency events identified by the risk assessment, address the patient population including the type of services the agency can provide during an emergency, and ensure continuity of operations including delegations of authority and succession plans. The plan must be reviewed and updated at least every 2 years.
  2. Policies and procedures. The agency must develop and implement emergency preparedness policies and procedures based on the emergency plan, risk assessment, and CMS communication plan requirements. Policies must address safe evacuation, sheltering in place, tracking patients and staff during and after an emergency, and the agency's role in community-wide emergency response when applicable.
  3. Communication plan. The agency must develop and maintain an emergency preparedness communication plan that includes names and contact information for staff, primary and alternate means for communicating with staff and emergency management agencies, a method for sharing medical documentation with other healthcare providers to ensure continuity of care, a means of providing information about patients' general condition and location, and a means of providing information about the agency's needs and its ability to provide assistance. The communication plan must be reviewed and updated at least every 2 years.
  4. Training and testing. The agency must provide initial emergency preparedness training to all new and existing staff, individuals providing services under arrangement, and volunteers — consistent with their expected roles. Emergency preparedness training must be provided at least every 2 years. The agency must conduct exercises to test the emergency plan, including participation in a community-based full-scale exercise (if available) or an individual facility-based functional exercise every 2 years.

What surveyors evaluate

Surveyors review the emergency plan and verify it is based on a documented risk assessment. They check that the plan has been reviewed and updated within the past 2 years. They review training records to confirm all staff have received emergency preparedness training. They verify the existence and currency of the communication plan, and they review documentation of exercises and drills.

Common deficiency patterns

Emergency plans that are generic rather than based on a documented, agency-specific risk assessment. Plans not reviewed or updated within the required 2-year cycle. Training records that do not cover all staff, contractors, and volunteers. No documentation of emergency exercises or drills. Communication plans that lack required elements such as alternate communication methods or patient tracking procedures.

How Ordo tracks it

Pre-loaded compliance items for each of the four core elements — emergency plan, policies and procedures, communication plan, and training/testing. Due date automation for the 2-year review cycle on the emergency plan and communication plan. Credential tracking for staff emergency preparedness training completion. Evidence fields for risk assessment documentation, training records, and exercise/drill reports.

What the regulation requires

Agencies must have a clearly defined organizational structure with documented lines of authority. A governing body must have full legal authority and responsibility for the agency's operations, including service provision, fiscal management, and QAPI oversight. Administrative functions cannot be delegated to other agencies. The agency must maintain adequate staffing and resources.

What surveyors evaluate

Surveyors review organizational charts, governing body minutes, policy and procedure manuals, and evidence that the governing body exercises active oversight. They assess whether the agency has adequate staffing to meet patient needs.

Common deficiency patterns

Governing body oversight not documented. Organizational structure unclear. Policies and procedures outdated or not reflecting current operations. Administrative responsibilities delegated without proper documentation.

How Ordo tracks it

Pre-loaded compliance items for organizational and governance requirements. Document vault for policy and procedure management with version control. Evidence fields for governing body meeting documentation and organizational structure verification.

What the regulation requires

Agencies must maintain clinical records for all patients that contain accurate, complete information. Records must include the comprehensive assessment, plan of care, physician orders, visit notes, medication profiles, clinical findings, and discharge summaries. Records must be accessible to authorized personnel and maintained according to retention requirements.

What surveyors evaluate

Surveyors review patient records for completeness, accuracy, and organization. They verify that all required elements are present and that records are retrievable during the survey.

Common deficiency patterns

Records missing required elements. Records disorganized or difficult to retrieve. Documentation inconsistencies between assessment findings and plan of care. Records not maintained per retention requirements.

How Ordo tracks it

Pre-loaded compliance items for clinical record requirements. The audit packet builder verifies documentation completeness across all compliance items. Evidence fields for attestation that clinical record standards are being met.

What the regulation requires

All personnel providing patient care must meet qualifications appropriate to their role — including education, licensure, training, and experience requirements. Background checks are required. Qualifications must be documented in personnel files. Nurses must hold appropriate RN or LPN licensure. Aides must meet training requirements per §484.80.

What surveyors evaluate

Surveyors pull personnel files and verify licensure, certifications, background checks, and competency documentation. They cross-reference staff assignments with qualification records to ensure only qualified personnel are providing services.

Common deficiency patterns

Personnel files missing licensure verification. Background check documentation incomplete. Expired credentials without evidence of renewal. Staff assigned to patient care without documented qualifications.

How Ordo tracks it

Full credential tracking for every staff member — license type, issuing body, issue date, expiration date, and uploaded proof. Auto-expiry alerts at 90, 60, 30, 14, and 7 days. Do-not-schedule flags on expired credentials. Staff compliance heatmap for workforce-wide visibility.

§484.245 Home Health Quality Reporting Program (HH QRP) — The HH QRP is a Subpart D reporting requirement, not a Condition of Participation. It is not evaluated during on-site CoP surveys. However, agencies must submit required quality data to CMS to avoid payment reductions. Ordo includes pre-loaded compliance items for quality reporting obligations and data submission deadlines.

Federal Medicare requirements are the floor. State requirements are the addition.

Every state has licensing, background check, training, and operational requirements that apply to home health agencies on top of federal Medicare standards. Ordo tracks both federal and state obligations in the same dashboard, the same workflow, and the same audit packet.

State licensing & regulatory requirements

State-specific agency licensing, personnel qualifications, supervision standards, and operational requirements — structured and tracked alongside your federal compliance items.

Background check & training requirements

State-mandated background check procedures, healthcare worker registry clearance, and specialized training requirements — tracked per worker in Ordo.

Federal + state in one dashboard

State and federal requirements in the same operational view as credentials, incidents, and policy reviews. No toggling between systems.

Deep Medicare compliance expertise. Built into the software.

Ordo doesn't just track compliance items — it's built on the regulatory framework your agency is held to. All 15 Conditions of Participation, every common deficiency pattern, every evidence requirement is structured into the platform.