Declare Your Medical Privacy Intentions


Home Health Agencies

By federal mandate and without patient consent, 15 or more pages of personal, behavioral, and health information about most patients who receive home health services is collected and sent to the federal government by home health agencies (HHA). This data is first transmitted electronically to a State government database and then sent to the U.S. Department of Health and Human Services (HHS). The data is entered and resides permanently in a national database called OASIS (Outcome and ASsessment Information System) where it is available for use and disclosure—again without patient consent.

Data is collected on all non-maternity adults ages 18 and older, who obtain care from home health agencies that participate in the Medicare and Medicaid programs—whether the patient’s services are paid by private insurance, cash, Medicare or Medicaid. Only pregnant women, children, and those who receive only housekeeping services are excluded.

In 1987, Congress passed a law (Public Law 100-203, the 1987 Omnibus Budget Reconciliation Act) requiring HHS to develop a ‘standardized reproducible assessment instrument’ for the purpose of evaluating quality of care received by home health patients. The law specified that the survey be done by ‘the appropriate State or local agency’ that there be ‘reasonable steps to avoid giving notice of such a survey’ that the survey be done by an individual ‘who is not serving (or has not served within the previous 2 years) as a member of the staff’ of the home health agency, and that the survey be done ‘only with the consent of such individuals.’ (42 U.S.C. 1395bbb)

HHS followed few of these mandates when they published the rule requiring the data collection (42 CFR Part 484, Medicare and Medicaid Programs: Comprehensive Assessment and Use of the OASIS as Part of the Conditions of Participation for Home Health Agencies, January 25, 1999; as amended June 18, 1999). Instead, the “survey” is done on virtually all patients in Medicare-participating agencies, and home health agencies are expected to use their own staff to do it. After initially requiring no patient notification or consent, HHS responded to privacy concerns by requiring patients to be notified, but no consent is required. Collection began July 19, 1999 and transmission to state and federal government began August 18, 1999.


To gather data for the OASIS assessment, HHA staff (nurses and therapists) question and observe patients during the first visit, and at various intervals thereafter. Staff responses to the 95 required data items are recorded on multi-page forms. HHS requires financial data to be collected but, due to negative media attention, it is not yet transmitted. Certain assessments can be open to subjective bias, for example: “Behaviors Demonstrated at Least Twice a Week (Reported or Observed)” and “High Risk Factors” (heavy smoking, obesity, alcohol or drug dependency). At this time, data collected and transmitted includes:

  • behaviour
  • medical dignoses
  • emotional stability
  • prognosis/life expectancy
  • functional status
  • educational level
  • relationships/family
  • living arrangements
  • housing conditions
  • safety hazards

Demographic data (name, address, social security number) is also collected. However, for patients who are privately insured, pay cash, or whose care, for whatever reason, is not reimbursed by Medicare or Medicaid, the data will be transmitted minus four identifiers. Name, Social Security Number, Medicare number, and Medicaid number will be ‘masked’ by the home health agency. All other identifiers, many of which can be crossmatched with public databases to uncover individual identities, will not be masked. Address, age, sex, birth date, zip code, and other personal information will remain visible and available. The collected data can then be disclosed under federal ‘routine use’ provisions to seven (7) categories of entities:

  • The Department of Justice, court or adjudicatory body with an interest in litigation
  • Agency contractors or consultants hired for services related to the OASIS system of records
  • Federal and state oversight agencies for assessment of cost, effectiveness, and quality of care
  • Federal and state Medicare and Medicaid agencies
  • Peer Review Organizations to assess quality of care of individual providers and health care facilities
  • Individuals or organizations for research related to prevention of disease or disability, restoration or maintenance of health, or payment-related projects
  • A member of Congress or a Congressional staff member in response to an inquiry made at the written request of the constituent about whom the record is maintained. (Federal Register, June 18, 1999, Volume 64, Number 117, Notice of new system of records)


Separate declaration forms addressing additional health, financial, medical and personal data disclosures by banks, insurers, health care facilities, and health care, as allowed by the 2001 federal medical privacy rule and the 2000 Financial Modernization Act (Gramm-Leach-Bliley Act), are on the CCHC website: