HIPAA Considerations for Hospice Care Referrals: What Providers Need to Know
HIPAA Compliance in Hospice Care
Key principles for hospice settings
Hospices are Covered Entities under the HIPAA Privacy Rule and Security Rule, which protect the confidentiality, integrity, and availability of Protected Health Information (PHI). During referrals, you may use and disclose PHI for treatment, payment, and health care operations without an authorization, while applying the minimum necessary standard to non-treatment activities.
Your PHI Disclosure Policies should explain who may access referral data, how you verify requestors, and the safeguards you use when transmitting records. Align these policies with State Hospice Regulations that may be more stringent than HIPAA; when state law is stricter, it controls.
Referral workflow essentials
- Confirm identity and role of the receiving provider before sharing PHI.
- Capture the patient’s preferences and any privacy restrictions in writing.
- Limit disclosures to information relevant to hospice admission, care planning, and coordination.
- Use secure channels (e.g., encrypted email, secure portals) and document each disclosure.
Disclosure of PHI to Family Members
When and what you may share
You may share relevant PHI with a patient’s family, friends, or others involved in care or payment if the patient agrees, has not objected, or if you use professional judgment when the patient is incapacitated. Disclose only what is necessary for involvement in the patient’s hospice care or payment arrangements.
Personal representatives and verification
A legally authorized personal representative has the same access to PHI as the patient, unless an exception applies. Verify authority through appropriate documentation, and record the decision-making process. If a patient limits family access, honor those limits and reflect them in your PHI Disclosure Policies.
Practical examples
- Discussing symptom management with a designated caregiver present at the bedside.
- Confirming medication schedules with a relative who manages the patient’s pillbox.
- Declining to share sensitive details with a family member the patient has expressly excluded.
Disclosure of PHI After Patient’s Death
Privacy continues after death
PHI remains protected for 50 years after the date of death. You may disclose PHI to the decedent’s personal representative, as you would to the patient, once authority is verified. Keep disclosures limited to the minimum necessary for the stated purpose.
Permitted disclosures without authorization
- To coroners, medical examiners, and funeral directors as needed to carry out their duties.
- To family members and others who were involved in the patient’s care or payment prior to death, limited to information relevant to their involvement.
- For public health and required reporting, consistent with applicable State Hospice Regulations.
Operational safeguards
Designate a point of contact for decedent requests, maintain a verification checklist, and log each disclosure. Avoid releasing details for obituaries or media inquiries without proper authorization.
Role of Volunteers in HIPAA Compliance
Volunteers are part of the workforce
Hospice volunteers are considered workforce members for HIPAA purposes. They must follow the same confidentiality standards as employees, including adherence to PHI Disclosure Policies and Security Rule safeguards appropriate to their roles.
Access control and training
- Provide role-based Workforce Training before volunteer duties begin and when roles change.
- Limit PHI access to what volunteers need to perform assigned tasks; many will need no EHR access.
- Require confidentiality agreements and define sanctions for violations.
- Ensure supervised use of paper materials and secure return or destruction of any temporary notes.
Restrictions on Marketing and Fundraising
Understanding marketing
Marketing is a communication that encourages the purchase or use of a product or service. In general, you need a valid patient authorization for marketing communications, especially if a third party provides remuneration. Limited exceptions exist for face-to-face communications or nominal promotional gifts.
Fundraising specifics for hospices
For fundraising, you may use certain information (such as basic demographics, dates of service, department of service, treating clinician, and outcome information like discharge status) without authorization. Every fundraising message must include a clear, simple way to opt out, and opting out cannot affect the patient’s access to hospice services.
Risk controls
- Pre-approve all marketing and fundraising content through compliance.
- Prohibit the sale of PHI or any use beyond stated purposes without explicit authorization.
- If using vendors, ensure they are Business Associates and bound by your PHI restrictions.
Business Associate Agreements
Who is a Business Associate?
Vendors that create, receive, maintain, or transmit PHI on your behalf—such as EHR providers, billing companies, cloud services, call centers, and certain fundraising vendors—are Business Associates. They must sign Business Associate Agreements (BAAs) before handling PHI.
Essential BAA terms
- Permitted and required uses/disclosures of PHI, including minimum necessary obligations.
- Safeguards aligned with the Security Rule, incident response, and breach notification timelines.
- Flow-down clauses requiring subcontractors to agree to the same protections.
- Return or destruction of PHI at termination and rights to audit or obtain compliance assurances.
Operational best practices
- Maintain an inventory of Business Associate Agreements tied to current services.
- Assess vendor security posture and document due diligence before onboarding.
- Prohibit secondary use of PHI for marketing or analytics unless expressly authorized.
Training and Documentation Requirements
Workforce Training
Provide Workforce Training to all staff and volunteers on privacy, security, and breach reporting—upon hire or engagement, when job functions change, and periodically thereafter. Tailor content to referral workflows so staff know how to apply the minimum necessary standard and verify requestors.
Policies, logs, and retention
Document your PHI Disclosure Policies, role-based access controls, risk analyses, and incident response plans. Retain HIPAA-required documentation for at least six years from the date of creation or last effective date, and follow any longer State Hospice Regulations on record retention.
Audit readiness
- Keep disclosure logs for referrals, family communications, and decedent requests.
- Test breach response and verify vendor contact paths at least annually.
- Use checklists for identity verification, consent status, and transmission security.
Conclusion
By grounding referrals in the HIPAA Privacy Rule, enforcing the minimum necessary standard, training your workforce (including volunteers), and controlling vendor access through Business Associate Agreements, you reduce risk while supporting compassionate, coordinated hospice care. Align these practices with State Hospice Regulations, and document what you do so you can demonstrate compliance when it counts.
FAQs
What PHI can be shared during hospice care referrals?
You may share PHI needed for treatment, payment, and health care operations with receiving providers without an authorization. Limit disclosures to information relevant to the referral—diagnoses, medications, allergies, advance directives, and recent clinical notes—and apply secure transmission. Document the disclosure and any patient preferences or restrictions.
How should hospice providers handle PHI after a patient’s death?
PHI remains protected for 50 years after death. Verify the personal representative’s authority before releasing records, and disclose only the minimum necessary. You may share information with coroners, medical examiners, funeral directors, and, in limited scope, with family members involved in the patient’s care prior to death. Log each disclosure and retain documentation per policy.
Are volunteers required to comply with HIPAA in hospices?
Yes. Volunteers are part of the hospice workforce for HIPAA purposes. Provide role-based training, require confidentiality agreements, restrict access to PHI to what is needed for assigned tasks, and enforce sanctions for violations. Supervise activities closely and secure any temporary notes or materials.
What are the consequences of HIPAA violations in hospice marketing?
Improper marketing can trigger complaints, corrective action plans, reportable breaches, and significant civil penalties. Common pitfalls include using PHI without authorization, accepting third-party remuneration for promotions, weak opt-out processes in fundraising, and vendor misuse of data. Mitigate risk with pre-approval, clear opt-outs, and strong Business Associate Agreements.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.