Hospice Care Telehealth HIPAA Requirements: What Providers Need to Know

Kevin Henry

HIPAA

March 03, 2026

HIPAA Compliance in Telehealth

What HIPAA requires for hospice telehealth

Telehealth does not change your HIPAA obligations. You must safeguard protected health information (PHI) under the Privacy Rule, secure electronic PHI (ePHI) under the Security Rule, and follow Breach Notification requirements. For hospice providers, this includes care plan updates, symptom management visits, medication counseling, and family conferences conducted remotely.

Core compliance actions

  • Conduct and document an enterprise-wide risk assessment that covers telehealth workflows, devices, and the locations where care team members work.
  • Apply the minimum necessary standard to every telehealth interaction and disclosure, including communications with family and caregivers.
  • Verify patient identity at the start of each session and confirm who else is present before sharing PHI.
  • Obtain and document consent when required by policy, especially for recording, messaging, or caregiver participation.
  • Ensure HIPAA business associate agreements (BAAs) are in place with any vendor that creates, receives, maintains, or transmits PHI for you.

Interaction with other rules

HIPAA does not replace state telehealth licensure requirements, payer billing rules, or hospice Conditions of Participation. You must meet those obligations in parallel, especially when clinicians deliver care across state lines or from remote settings.

Technology Vendor Requirements

Due diligence and contracting

Any telehealth, messaging, scheduling, or cloud storage vendor that handles PHI is a business associate. Execute HIPAA business associate agreements that clearly define permitted uses, safeguards, subcontractor management, breach reporting timelines, and data return or destruction at contract end.

Security capabilities to require

  • Encryption standards: enforce strong encryption in transit (TLS 1.2+ or equivalent) and at rest (e.g., AES‑256 or equivalent), with managed keys and rotation.
  • Access controls: unique IDs, role-based permissions, automatic logoff, and multi-factor authentication for all administrative and remote access.
  • Audit controls: immutable logs for user access, session start/stop, file shares, configuration changes, and administrative actions, retained per policy.
  • Cybersecurity measures: vulnerability management, secure SDLC, penetration testing, incident response, and 24/7 monitoring.
  • Business continuity: documented backup, disaster recovery, and downtime procedures that preserve PHI integrity and availability.
  • Data governance: data location transparency, segregation of customer data, and approved procedures for export, eDiscovery, and secure deletion.

Selection checklist

  • Demonstrated HIPAA program maturity (e.g., independent assessments) and willingness to sign a BAA without weakening protections.
  • Interoperability with your EHR, secure APIs, and clear PHI data flows mapped end-to-end.
  • Support for hospice-specific workflows such as caregiver participation, on-call triage, and interdisciplinary group documentation.

Audio-Only Telehealth Services

When audio-only is allowed

Audio-only telehealth can be HIPAA-compliant when you apply appropriate safeguards. Traditional landline calls are governed by the Privacy Rule; VoIP, smartphone calls, and apps typically involve ePHI and must also meet the Security Rule’s technical and administrative safeguards.

Safeguards for audio-only encounters

  • Identity verification: confirm patient identifiers and who is present before discussing PHI; re-verify if the call is transferred.
  • Environment controls: staff should use headsets in private spaces, avoid speakerphone, and document any patient-requested privacy accommodations.
  • Technology protections: for VoIP or app-based calls, use approved systems under a BAA with encryption, access controls, and audit logging.
  • Documentation: record modality as “audio-only,” note consent, identify all participants, and capture clinical decision-making and patient instructions.
  • Accessibility: provide TTY or interpreter services as needed, ensuring those vendors are covered by BAAs when they interact with PHI.

Training and Education for Staff

Role-based training content

  • Privacy fundamentals: PHI handling, minimum necessary, and practical steps for discussing sensitive information in a patient’s home or facility room.
  • Security practices: phishing awareness, secure passwords, multi-factor authentication, device encryption, and approved app usage.
  • Telehealth etiquette: identity checks, consent scripts, managing caregiver presence, and documenting telehealth-specific elements.
  • Incident response: how to report suspected breaches, lost devices, or misdirected messages within required timelines.
  • Regulatory context: HIPAA requirements alongside telehealth licensure requirements and payer rules relevant to hospice.

Competency and reinforcement

  • Initial onboarding with scenario-based simulations for video, audio-only, after-hours triage, and end-of-life family meetings.
  • Annual refreshers with targeted micro-trainings after policy or technology changes.
  • Documented attestations, proficiency checks, and corrective action for non-compliance.

Privacy and Security Risks

Common risk areas

  • Consumer apps without BAAs, which can expose PHI through analytics or third-party trackers.
  • Unsecured home Wi‑Fi, shared devices, or unattended screens that allow unauthorized viewing or eavesdropping.
  • Misdirected texts, emails, or voicemails containing sensitive updates or medication changes.
  • Shadow IT: ad hoc tools used by staff during urgent situations that lack encryption or audit controls.

Risk mitigation measures

  • Standardize approved platforms; disable or block unapproved tools on managed devices.
  • Enforce encryption standards, MFA, mobile device management, and automatic logoff on all endpoints.
  • Enable detailed audit controls and routinely review logs for anomalous access or data exfiltration.
  • Use data loss prevention for email and messaging; require secure portals for attachments with PHI.
  • Run periodic risk assessments that exercise real telehealth workflows, then track and remediate findings.
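The routine log review called for above, together with the rule that identity is verified before any PHI is shared, as an added example that is not part of the original article or any vendor product. The audit-log format, event names, users and record IDs are constructed for illustration; a real platform's audit export will differ and the parser would need adapting.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from any real platform); one event per line.
SAMPLE_LOG = """\
2026-03-03T14:00:02Z session=S1 user=rn.lopez event=session_start
2026-03-03T14:00:40Z session=S1 user=rn.lopez event=identity_verified
2026-03-03T14:05:10Z session=S1 user=rn.lopez event=phi_view record=P1001
2026-03-03T14:30:00Z session=S1 user=rn.lopez event=session_stop
2026-03-03T21:10:00Z session=S2 user=md.chen event=session_start
2026-03-03T21:11:15Z session=S2 user=md.chen event=phi_view record=P2002
2026-03-03T21:12:00Z session=S2 user=md.chen event=identity_verified
2026-03-03T21:20:00Z session=S2 user=md.chen event=session_stop
2026-03-04T02:14:00Z session=S3 user=admin.kim event=export record=BULK count=240
"""

def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict; timestamp parsed as UTC."""
    ts, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        k, _, v = f.partition("=")
        ev[k] = v
    return ev

def review_audit_log(text, export_threshold=100):
    """Return findings for two anomalies: PHI viewed in a session before the
    identity_verified event, and bulk exports outside 07:00-19:00 UTC.
    The business-hours window and threshold are assumptions for the example."""
    findings = []
    verified = defaultdict(bool)  # session id -> identity verified yet?
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        s = ev.get("session")
        if ev["event"] == "identity_verified":
            verified[s] = True
        elif ev["event"] == "phi_view" and not verified[s]:
            findings.append(f"{s}: PHI record {ev['record']} viewed before "
                            f"identity verification by {ev['user']}")
        elif ev["event"] == "export":
            count = int(ev.get("count", "1"))
            if count >= export_threshold and not 7 <= ev["ts"].hour < 19:
                findings.append(f"{s}: bulk export of {count} records at "
                                f"{ev['ts'].strftime('%H:%M')} UTC by {ev['user']}")
    return findings
```

Each finding should be tied back to the encounter note (which records the identity-verification step) before it is escalated as a possible incident.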

Enforcement Discretion Expiration

Key dates and impact

OCR’s COVID‑19 telehealth enforcement discretion ended on August 9, 2023, following a transition period after the Public Health Emergency ended on May 11, 2023. Since August 10, 2023, full compliance has been required for all telehealth encounters.

What this means now

  • Consumer-grade video or messaging tools are not permissible for PHI unless the vendor signs a BAA and supports necessary safeguards.
  • Reassess any temporary workflows created during the emergency; update policies, vendor contracts, and staff training accordingly.
  • Confirm your platform’s encryption, access, and audit capabilities meet current HIPAA Security Rule expectations.

Documentation and Record-Keeping Practices

Encounter documentation

  • Record modality (video vs. audio-only), date/time, participants, patient location, clinician location as required, and identity verification steps.
  • Note consent, privacy accommodations, interpreter use, and any technical issues that could affect clinical decision-making.
  • Capture assessment, plan, medications, education provided, and safety instructions, then file within the legal medical record.

Program documentation

  • Maintain current BAAs, vendor security summaries, penetration test attestations, and data flow diagrams.
  • Keep written policies, workforce training records, sanction logs, and incident/breach reports with corrective actions.
  • Retain audit logs per policy; verify that retention aligns with state and federal record-keeping rules for hospice.

Conclusion

Hospice telehealth can deliver timely, compassionate support while fully meeting HIPAA standards. Build your program on a thorough risk assessment, secure platforms under BAAs, staff training, and rigorous documentation. With the enforcement discretion expired, proactive cybersecurity measures and continuous monitoring are essential to protect PHI and sustain compliant, patient-centered care.

FAQs

What are the HIPAA requirements for telehealth in hospice care?

You must safeguard PHI under the Privacy Rule, secure ePHI under the Security Rule, and follow Breach Notification requirements. Practical steps include completing a risk assessment, using approved encrypted platforms with audit controls, verifying identity at each session, applying the minimum necessary standard, obtaining and documenting consent, and keeping thorough encounter notes. These obligations apply to video and audio-only visits alike.

How do providers comply with HIPAA business associate agreements?

Identify every vendor that creates, receives, maintains, or transmits PHI for your telehealth program. Execute HIPAA business associate agreements that define permitted uses, security safeguards, subcontractor oversight, breach reporting, and data return or destruction. Validate the vendor’s encryption standards, access controls, and audit controls, and review evidence of their cybersecurity measures at least annually.

What training is required for hospice staff on HIPAA telehealth policies?

Provide role-based training at onboarding and annually thereafter, covering PHI handling, secure device use, phishing awareness, identity verification, consent scripts, audio-only safeguards, and incident reporting. Reinforce with simulations, updated guidance after technology or policy changes, and documented competency checks. Include awareness of telehealth licensure requirements so clinicians understand parallel state obligations.

How does the expiration of enforcement discretion affect telehealth compliance?

As of August 10, 2023, full HIPAA compliance is required for all telehealth services. Consumer apps used during the emergency are no longer permissible for PHI unless the vendor signs a BAA and supports required safeguards. Providers should revalidate vendors, tighten cybersecurity measures, update policies, and retrain staff to ensure every encounter meets current HIPAA expectations.
