HIPAA Compliance Checklist for Hospice Agencies: Policies, Training, and Documentation



Kevin Henry

HIPAA

February 15, 2026

7 minute read

A strong HIPAA compliance checklist helps your hospice protect PHI, align with the HIPAA Security Rule, and meet related obligations under the HITECH Act, 42 CFR Part 2, and CMS Conditions of Participation. Use this guide to build policies, train your workforce, and document what matters so you can prevent incidents and respond decisively when they occur.

Each section below translates regulatory requirements into practical, hospice-specific actions you can implement across home visits, inpatient units, and remote work settings, including your relationships with vendors through Business Associate Agreements.

Policies and Procedures

Core policies to formalize

  • Privacy practices: permitted uses/disclosures, minimum necessary standard, patient rights, authorization and revocation, and Notice of Privacy Practices alignment with CMS Conditions of Participation.
  • Security safeguards: administrative, physical, and technical controls required by the HIPAA Security Rule, including device and media controls, workstation security, and transmission security.
  • Access and identity: unique IDs, multi-factor authentication, role-based access, emergency “break-glass” access, and account provisioning/termination.
  • Communications: secure email/texting, telehealth, photography and video, and verification before disclosure (especially during home visits or phone updates).
  • Data lifecycle: retention schedules, secure storage, disposal/shredding, backup/restore, and encryption standards for data at rest and in transit.
  • Third parties: vendor risk management and up-to-date Business Associate Agreements defining PHI Protection, permitted uses, safeguards, and breach reporting duties.
  • Special protections: 42 CFR Part 2-compliant processes for substance use disorder records, including separate consent and redisclosure restrictions.
  • Workforce: sanction policies, acceptable use, bring-your-own-device, remote work, and volunteer training expectations.

Hospice-specific considerations

  • Field operations: secure transport of paper records, device hardening for laptops/tablets in vehicles, and protocols for care updates from patient homes.
  • Family dynamics: identity verification and role-based disclosure when multiple caregivers request information.
  • Emergency preparedness: downtime and disaster procedures that maintain patient care and privacy during outages or evacuations.

Checklist

  • Current, approved policies with version control and executive sign-off.
  • Procedure playbooks for routine workflows (admissions, after-hours calls, death pronouncements) and uncommon events (lost device, subpoena).
  • BAA inventory mapped to systems where vendors touch ePHI.
  • Documented alignment with the HITECH Act Breach Notification Requirements.

Workforce Training

Program design

Provide training during onboarding, at least annually, and whenever policies, systems, or risks change. Tailor modules by role (RNs, social workers, chaplains, bereavement staff, volunteers, billers, IT) and reinforce behavior through short refreshers and phishing simulations.

Essential topics

  • What counts as PHI and the minimum necessary standard in hospice scenarios.
  • Permitted disclosures, patient rights, and documentation practices during home and telephonic visits.
  • Device security, secure messaging, and reporting lost/stolen devices immediately.
  • Recognizing and reporting incidents, including suspected ransomware or misdirected faxes.
  • 42 CFR Part 2 rules when handling SUD-related information.

Checklist

  • Attendance logs, comprehension checks, and attestation records retained.
  • Role-specific labs (e.g., redacting handoff notes, verifying caller identity).
  • Volunteer orientation includes HIPAA Security Rule basics and privacy practices.

Documentation and Record Keeping

What to maintain

  • Policies/procedures with revision history; HIPAA evaluations and Security Rule compliance evidence.
  • Risk analyses, risk treatment plans, and status tracking.
  • Training curricula, schedules, attendance, and attestation records.
  • BAAs, vendor risk assessments, and system data-flow diagrams.
  • Access control records, user role matrices, provisioning/termination logs, and MFA enrollment proofs.
  • Device inventories, encryption status, backup/restore test results, and media disposal logs.
  • Incident and breach logs, investigation files, and notifications sent under Breach Notification Requirements.
  • Patient-facing artifacts: Notice of Privacy Practices acknowledgments, authorizations, and 42 CFR Part 2 consents when applicable.

Retention

Retain HIPAA-required documentation for at least six years from the date of creation or last effective date. For clinical records, follow state law and CMS Conditions of Participation, keeping the longest applicable period.

Checklist

  • Centralized repository with access controls and audit trails.
  • Quarterly spot-checks to confirm documents match actual practice.

Risk Assessment

How to perform and use it

Map where ePHI lives and moves, identify threats and vulnerabilities, and rate the likelihood and impact of each. Record the results in a prioritized risk register, assign owners, and implement controls. Reassess after system changes and at least annually to satisfy the HIPAA Security Rule’s ongoing evaluation requirement.


Hospice-focused threats to consider

  • Lost or stolen field devices, texting without secure apps, and PHI left in vehicles.
  • Ransomware targeting EHR, e-prescribing, or scheduling systems.
  • Vendor failures, misconfigured cloud storage, and insecure patient home networks during telehealth.
  • Paper artifacts (face sheets, medication lists) handled outside the office.

Checklist

  • Current data-flow diagram and system inventory.
  • Documented risk methodology and scoring rubric.
  • Actionable mitigation plan tied to budget and timelines.

Incident Response Plan

Plan structure

Define what constitutes a security incident versus a breach; establish roles, 24/7 reporting channels, and the steps for triage, containment, forensics, recovery, and post-incident review. Pre-draft communications and maintain legal counsel and vendor contacts for rapid coordination.

Notification and regulatory steps

  • Conduct a breach risk assessment consistent with the HITECH Act to determine whether there is a low probability that PHI was compromised; unless that can be demonstrated, treat the incident as a breach.
  • If notification is required, notify affected individuals without unreasonable delay and within applicable deadlines; notify HHS and, for large incidents, the media; track state-specific timelines.
  • Ensure BAAs require prompt vendor reporting and cooperation; document all actions taken.
  • Apply 42 CFR Part 2 safeguards when incidents involve SUD records.

Checklist

  • Run at least one tabletop exercise annually (ransomware, misdirected fax, lost tablet).
  • Maintain an incident log, decision matrices, and evidence preservation procedures.
  • Use lessons learned to update policies, training, and technical controls.

Data Encryption

At rest

  • Enable full-disk encryption on all laptops, tablets, and phones; encrypt servers, databases, and backups.
  • Use well-vetted cryptography (e.g., FIPS 140-2 validated modules where feasible) and protect encryption keys separately.
  • Block unencrypted removable media and enforce mobile device management for hospice-owned and BYOD devices.

In transit

  • Use TLS for email transport and secure messaging for PHI; avoid standard SMS.
  • Encrypt APIs, SFTP transfers, and telehealth sessions; establish VPN for remote administration.

Checklist

  • Document encryption standards and key management procedures.
  • Prohibit storing ePHI outside approved, encrypted systems.
  • Test backup restoration regularly and confirm encrypted states in reports.

Access Control

Design and oversight

Apply least-privilege, role-based access tied to job duties. Require multi-factor authentication, unique user IDs, automatic logoff, and periodic access reviews. Prohibit shared accounts and promptly disable access at termination or role change.

Hospice operations

  • Map roles for clinical, bereavement, spiritual care, administrative, and volunteer access to EHR modules.
  • Restrict vendor access to scoped, time-bound sessions with monitoring.
  • Define emergency “break-glass” use with alerts and retrospective audits.

Checklist

  • Quarterly entitlement reviews and documentation of changes.
  • Automated provisioning/termination integrated with HR processes.
  • Audit log review cadence with escalation for anomalies.
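As an added example (not code from the article or any product it describes), the retrospective audit in the checklist above can be automated by checking each EHR access event against the role matrix: the roles, module names, user directory, log format and sample events are all constructed for illustration.

```python
import csv
from datetime import date, datetime
from io import StringIO
# Constructed role matrix (least privilege): EHR modules each role may open.
ROLE_MODULES = {
    "rn": {"clinical_notes", "medications", "care_plan"},
    "chaplain": {"spiritual_care", "care_plan"},
    "bereavement": {"bereavement"},
    "volunteer": {"visit_schedule"},
    "billing": {"claims", "demographics"},
}
# Constructed user directory: user -> (role, termination date or None).
USERS = {
    "jdoe": ("rn", None),
    "rlee": ("chaplain", None),
    "asmith": ("volunteer", None),
    "bjones": ("billing", date(2026, 1, 31)),
}
# Constructed EHR audit log: timestamp,user,module,break_glass(0/1),reason
SAMPLE_LOG = """\
2026-02-10T08:01:00,jdoe,medications,0,
2026-02-10T08:05:00,rlee,clinical_notes,1,family crisis after hours
2026-02-10T09:30:00,asmith,medications,0,
2026-02-10T10:00:00,bjones,claims,0,
2026-02-10T22:15:00,jdoe,bereavement,1,
2026-02-10T23:00:00,shared_nurse,medications,0,
"""
def audit_events(log_text):
    """Return (severity, user, module, finding) for each event needing attention.
    'review' = permitted break-glass use queued for retrospective audit;
    'escalate' = access-policy violation that needs follow-up now."""
    findings = []
    for ts, user, module, break_glass, reason in csv.reader(StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        if user not in USERS:  # not in the directory: likely a shared account
            findings.append(("escalate", user, module, "unknown or shared account"))
            continue
        role, terminated = USERS[user]
        if terminated and when.date() > terminated:
            findings.append(("escalate", user, module, "access after termination"))
        elif break_glass == "1":
            # Break-glass bypasses the role matrix but must carry a reason and be reviewed.
            if reason.strip():
                findings.append(("review", user, module, "break-glass"))
            else:
                findings.append(("escalate", user, module, "break-glass, no reason recorded"))
        elif module not in ROLE_MODULES[role]:
            findings.append(("escalate", user, module, f"outside role '{role}'"))
    return findings
```

Feeding the quarterly log export through `audit_events` yields the review queue for break-glass uses and the escalation list for out-of-role, post-termination and shared-account access.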

Conclusion

This HIPAA compliance checklist gives your hospice a practical path to align policies and procedures, workforce training, documentation, risk assessment, incident response, encryption, and access control. By integrating the HIPAA Security Rule, HITECH Act, 42 CFR Part 2, and CMS Conditions of Participation, you strengthen PHI Protection, reduce risk, and improve readiness.

FAQs

What are the key HIPAA policies hospice agencies must have?

Establish privacy and Security Rule policies, minimum necessary and patient rights procedures, secure communications, device and media controls, contingency and disaster recovery, access management, sanctions, and vendor management with current Business Associate Agreements. Include special processes for 42 CFR Part 2 records and documented Breach Notification Requirements.

How often should hospice agencies conduct HIPAA training?

Train during onboarding, at least annually, and whenever there are material changes to systems, policies, or risks. Provide role-specific modules, brief refreshers throughout the year, and targeted training after incidents or audits.

What documentation is required for HIPAA compliance?

Maintain policies with version history, risk analyses and mitigation plans, training materials and attendance, BAAs and vendor assessments, access control and device inventories, encryption and backup reports, incident/breach logs, and patient-facing forms (NPP acknowledgments, authorizations, and applicable 42 CFR Part 2 consents). Keep HIPAA-required records for a minimum of six years.

How should hospice agencies handle a data breach?

Activate your incident response plan: contain and investigate, perform a HITECH Act risk assessment, and determine notification obligations. Notify affected individuals (and HHS/media when required) without unreasonable delay, coordinate with business associates, document every step, and implement corrective actions to prevent recurrence.
