HIPAA Requirements for Hospice Agencies: Compliance Checklist



Kevin Henry

HIPAA

August 08, 2025


Meeting HIPAA requirements in hospice care protects patients, families, and your organization. This compliance checklist explains how to safeguard Protected Health Information (PHI) under the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule so you can operate confidently and ethically.

Use the sections below to validate your current practices, close gaps, and document proof of compliance tailored to hospice settings, including in‑home visits, interdisciplinary teams, and frequent coordination with external partners.

HIPAA Overview

What HIPAA covers

HIPAA applies to covered entities, including hospice agencies, and their business associates such as EHR vendors, pharmacies, DME suppliers, and billing services. It governs how you create, receive, maintain, use, and disclose PHI in any form—paper, verbal, or electronic (ePHI).

Core HIPAA rules to anchor your program

  • HIPAA Privacy Rule: Sets standards for when PHI may be used or disclosed and the rights patients have over their PHI.
  • HIPAA Security Rule: Requires Administrative Safeguards, Physical Safeguards, and Technical Safeguards to protect ePHI.
  • Breach Notification Rule: Establishes how and when to notify individuals and authorities following a breach of unsecured PHI.

Minimum necessary and role-based access

Adopt the minimum necessary standard across workflows—ensure each team member accesses only the PHI needed for their role. Align EHR permissions and data-sharing protocols to clinical duties, billing tasks, and coordination with external providers.


Hospice Agencies Compliance

Organizational foundations

  • Designate a Privacy Officer and a Security Officer to oversee HIPAA policies, risk management, and incident response.
  • Publish and distribute a Notice of Privacy Practices (NPP) at admission; make it available upon request and post it prominently in offices.
  • Execute and maintain Business Associate Agreements (BAAs) with all third parties that handle PHI.
  • Implement a sanctions policy and workforce discipline for violations.

Hospice-specific operational controls

  • Home visits: Protect discussions from being overheard, use privacy screens on mobile devices, and secure paper notes during travel.
  • Family involvement: Verify identity and authority before sharing PHI; document patient preferences regarding disclosures to family or caregivers.
  • Volunteers: Treat volunteers as workforce members for HIPAA purposes—screen, train, and monitor them like staff.
  • Interdisciplinary team meetings: Share only the minimum necessary PHI and conduct meetings in private spaces or secure virtual platforms.
  • After-death information: HIPAA protections continue for 50 years after a patient's death. Release a decedent's PHI to the personal representative, or to family and others who were involved in care (unless the patient expressed a contrary preference), only as the Privacy Rule permits, and respect any documented restrictions or state-specific requirements.

Privacy Rule Requirements

Permitted uses and disclosures

  • Treatment, payment, and health care operations (TPO) without individual authorization, using the minimum necessary standard for non-treatment activities.
  • Authorizations for non-TPO uses (e.g., marketing, fundraising beyond permissible limits), with a straightforward revocation process.
  • Specific allowances (e.g., public health, law enforcement, averting serious threats) with careful verification and documentation.

Patient rights and your procedures

  • Access and copies: Provide access to PHI within 30 days of the request (one 30-day extension is permitted, with written notice of the reason), in the requested readable format when feasible; document response times and any denials with the rationale.
  • Amendments: Review requests, act within 60 days, and append approved changes in the designated record set; record denials and any statement of disagreement.
  • Restrictions and confidential communications: Honor reasonable requests for confidential communications (e.g., alternate addresses, phone numbers), record them in the EHR, and note that a request to restrict disclosure to a health plan must be honored when the patient paid for the item or service out of pocket in full.
  • Accounting of disclosures: Track non-TPO disclosures so you can produce an accounting covering the six years before a request.

Practical privacy controls

  • Identity verification before releasing PHI in person, by phone, or electronically.
  • Reasonable safeguards to limit incidental disclosures (e.g., quiet conversations, limited waiting-room calls, secure fax/email practices).
  • De-identification where feasible for analytics, training, or quality improvement.

Security Rule Requirements

Administrative Safeguards

  • Risk analysis and ongoing risk management tailored to hospice workflows, systems, and devices used in the field.
  • Workforce security and role-based access; rapid provisioning and deprovisioning tied to HR events.
  • Security awareness: phishing simulations, device handling, secure messaging, and reporting procedures.
  • Security incident response plan with defined severity levels, playbooks, and escalation paths.
  • Contingency planning: data backups, disaster recovery, and emergency mode operations testing.
  • Regular evaluations and vendor oversight; maintain BAAs and review third-party security controls.

Physical Safeguards

  • Facility access controls for offices, file rooms, and networking closets; visitor logs where appropriate.
  • Workstation use and security standards, including privacy screens and clean-desk policies.
  • Device and media controls: inventory, secure storage during transport, and documented disposal or reuse procedures.
  • Home-visit practices: keep devices on your person, avoid leaving PHI in vehicles, and secure printed materials between visits.

Technical Safeguards

  • Access controls: unique user IDs, strong authentication (preferably MFA), automatic logoff, and session timeouts.
  • Encryption for ePHI at rest on endpoints and in transit over networks and messaging tools.
  • Audit controls: centralized logging, regular reviews of access logs, and alerts for anomalous activity.
  • Integrity and transmission security: anti-malware, patch management, secure configurations, and trusted VPN for remote access.
  • Mobile device management (MDM): remote wipe, app whitelisting, and configuration baselines for field devices.
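The "rapid provisioning and deprovisioning tied to HR events" item under Administrative Safeguards and the "regular reviews of access logs, and alerts for anomalous activity" item above both come down to the same exercise: join the EHR access log against the current roster and flag what does not belong. The following Python script is an added example, not code from the page or from any EHR vendor. The log format, the roster, the office hours and the browsing threshold are all constructed assumptions; a real review would read the EHR's own audit export and the HR directory.

```python
"""Access-log review for the Security Rule audit-control and deprovisioning
checks. Added example: the log format and the roster below are constructed
for illustration and are not any EHR vendor's real export format."""
from collections import defaultdict
from datetime import datetime, time

# Constructed roster: who may see which patients, and when an account should
# have been disabled. A real program would pull this from HR and the EHR.
ROSTER = {
    "nurse.ana":  {"role": "clinician", "patients": {"P100", "P101"}, "terminated": None},
    "sw.ben":     {"role": "clinician", "patients": {"P100"},         "terminated": None},
    "bill.cara":  {"role": "billing",   "patients": set(),            "terminated": None},
    "nurse.dave": {"role": "clinician", "patients": {"P102"},         "terminated": "2025-08-01"},
}

# Constructed sample log: ISO timestamp, user, action, patient record opened.
SAMPLE_LOG = """\
2025-08-04T09:12:00 nurse.ana   view  P100
2025-08-04T09:40:00 nurse.ana   view  P101
2025-08-04T10:05:00 sw.ben      view  P101
2025-08-04T23:30:00 bill.cara   view  P100
2025-08-05T08:15:00 nurse.dave  view  P102
2025-08-05T11:00:00 nurse.ana   view  P103
2025-08-05T11:01:00 nurse.ana   view  P104
2025-08-05T11:02:00 nurse.ana   view  P105
2025-08-05T11:03:00 nurse.ana   view  P106
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed office hours for non-clinical roles
SNOOP_THRESHOLD = 3                          # assumed: more than 3 off-caseload records/day


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def review_access(events, roster=ROSTER):
    """Return findings as (user, reason, detail) tuples for a reviewer to work."""
    findings = []
    off_caseload = defaultdict(set)  # (user, date) -> patients outside the caseload

    for ev in events:
        entry = roster.get(ev["user"])
        if entry is None:
            findings.append((ev["user"], "unknown_user", ev["patient"]))
            continue
        # 1. Deprovisioning gap: account still used on or after its termination date.
        term = entry["terminated"]
        if term and ev["ts"].date() >= datetime.fromisoformat(term).date():
            findings.append((ev["user"], "terminated_account_used", ev["patient"]))
        # 2. After-hours use by a non-clinical role (clinicians do visit at night).
        if entry["role"] != "clinician":
            t = ev["ts"].time()
            if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
                findings.append((ev["user"], "after_hours_access", ev["patient"]))
        # 3. Minimum necessary: a clinician opened a record outside their caseload.
        if entry["role"] == "clinician" and ev["patient"] not in entry["patients"]:
            findings.append((ev["user"], "outside_caseload", ev["patient"]))
            off_caseload[(ev["user"], ev["ts"].date())].add(ev["patient"])

    # 4. Volume: many distinct off-caseload records in one day looks like browsing.
    for (user, day), patients in off_caseload.items():
        if len(patients) > SNOOP_THRESHOLD:
            findings.append((user, "bulk_record_browsing",
                             f"{len(patients)} records on {day}"))
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each finding is something a reviewer must then close out in writing: a legitimate covering-shift access is documented and dismissed, a terminated account still in use becomes a deprovisioning defect with an owner, and an unexplained run of off-caseload views is escalated under the incident response plan.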

Breach Notification Procedures

Identify, contain, and assess

  • Immediately contain the incident (e.g., disable accounts, isolate systems, retrieve misdirected messages, recover lost devices if possible) and preserve the evidence needed for the assessment.
  • Conduct a documented four-factor risk assessment: the nature and extent of the PHI involved (including identifiers and the likelihood of re-identification), the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
  • Treat any impermissible use or disclosure of unsecured PHI as a breach unless the assessment shows a low probability that the PHI was compromised; record the determination, the rationale, and the evidence behind it. Properly encrypted ePHI whose key was not exposed is not "unsecured" and does not trigger notification.

Notify and document

  • Provide written notice to affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered, in plain language, describing what happened, what PHI was involved, recommended protective steps, what you are doing in response, and how to contact you.
  • Notify HHS at the same time as individuals when 500 or more individuals are affected; for smaller breaches, keep a log and report them to HHS within 60 days after the end of the calendar year. Notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Maintain an incident log for all events, including those assessed as not reportable.
  • Require business associates to report incidents to you promptly under the BAA; verify they assist with investigation and notification.
  • Perform post-incident reviews: fix root causes, retrain staff, and update policies to prevent recurrence.

Staff Training and Awareness

Program design

  • Train all workforce members—employees, contractors, and volunteers—on HIPAA basics and hospice-specific risks at onboarding and periodically thereafter.
  • Deliver role-based modules for clinicians, social workers, chaplains, intake, billing, and IT support.
  • Cover privacy practices, secure texting, identity verification, minimum necessary disclosures, and home-visit etiquette.
  • Run phishing and lost-device drills; reinforce immediate reporting of suspected incidents.
  • Track completion, score knowledge checks, and remediate knowledge gaps.

Everyday behaviors to reinforce

  • Verify caller identity before sharing PHI; avoid discussing cases in public spaces.
  • Lock screens, use strong passcodes, and store paper records securely during travel.
  • Share PHI only through approved, encrypted channels; avoid personal email and unapproved apps.

Risk Assessment and Documentation

Risk analysis and management

  • Inventory systems, devices, data flows, and vendors handling PHI; map where ePHI is created, received, maintained, or transmitted.
  • Evaluate threats, vulnerabilities, and likelihood/impact; prioritize remediation with owners and target dates.
  • Test controls (e.g., access reviews, backup restorations, log audits) and update plans after significant changes.

Evidence and recordkeeping

  • Maintain policies, procedures, training logs, risk registers, incident reports, access audits, and BAA files, and retain each document for at least six years from its creation or from the date it was last in effect, whichever is later.
  • Record NPP distributions, patient rights requests and responses, and authorization forms.
  • Keep decisions and rationales for breach determinations, including mitigation steps and notifications sent.

Conclusion

By aligning hospice workflows with the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule—and documenting every control—you create a resilient program that protects PHI, sustains trust, and stands up to scrutiny. Use this compliance checklist to confirm safeguards, close gaps, and demonstrate ongoing due diligence.

FAQs

What are the key HIPAA requirements for hospice agencies?

Focus on four pillars: protect PHI under the HIPAA Privacy Rule; secure ePHI with Administrative, Physical, and Technical Safeguards under the HIPAA Security Rule; execute BAAs with vendors; and follow the Breach Notification Rule for incident response and notifications. Embed the minimum necessary standard, role-based access, patient rights, and continuous risk management across all operations.

How should hospice agencies handle a PHI breach?

Act immediately: contain the incident, preserve evidence, and perform a four-factor risk assessment. If a breach is confirmed, issue timely notices to affected individuals and required authorities, coordinate with business associates, and document every step. Afterward, fix root causes, retrain staff, and update policies to prevent recurrence.

What training is required for hospice staff under HIPAA?

Provide HIPAA training at onboarding and when policies or systems change, with periodic refreshers thereafter. Include privacy practices, secure communications, device handling, identity verification, minimum necessary use, and breach reporting. Use role-based modules for clinical and nonclinical staff, track completion, and address gaps with targeted retraining.

How often should risk assessments be conducted?

Perform a comprehensive risk analysis regularly and whenever you introduce significant changes—such as a new EHR, major process updates, or expanded vendor relationships. Review risks continuously, test controls on a defined schedule, and update your risk register, remediation plans, and documentation to reflect current operations and threats.
