HIPAA Compliance for Hospices

Posted By Steve Alder on Nov 1, 2025

HIPAA compliance for hospices has to take into account that many members of the workforce may be volunteers or clergy who are less familiar with compliance requirements, yet who may be placed under extreme emotional pressures from the families of patients they are caring for.

HIPAA compliance is rarely straightforward in the healthcare industry, and HIPAA compliance for hospices is one area in which it less straightforward than most. The rules regarding the disclosure of Protected Health Information limit conversations with family members if patients have not previously given their consent for the conversations to take place. Furthermore, if no DPHA is appointed, obtaining consent when the patient cannot express themselves is impossible. And that´s just the beginning.

Many hospices are supported by volunteers, who – under the Privacy Rule – are regarded as members of the workforce. Volunteers have to be provided with the same training on HIPAA, permissible disclosures of Protected Health Information and HIPAA-compliant policies as professional healthcare providers. They are also subject to the same sanctions policies as professional healthcare providers, which makes things difficult if the volunteer is a priest or nun who has given comfort to the dying.

Administrative Issues Further Complicate HIPAA Compliance for Hospices

Hospice personnel can discuss the Protected Health Information of a patient with an unauthorized member of the family or other individual once the patient has died, if the conversation relates to payment for services provided – unless the disclosure of Protected Health Information is “inconsistent with a prior expressed preference of the decedent”. In these circumstances, HIPAA does not suggest how hospices should resolve outstanding payments without disclosing Protected Health Information.

Also with regard to finances, HIPAA compliance for hospices not only means complying with the administrative, physical and technical safeguards of the Security Rule, but restrictions on marketing and fundraising activities. Using patients´ names or images in marketing and fundraising activities is a breach of HIPAA unless the patient whose name or image is used – or their appointed representative – has given their informed, written consent. Hospices even have to be careful with memorials.

HIPAA Training for Hospice Staff

HIPAA training for hospice staff is critical because hospice care involves highly sensitive health information shared across clinical, home based, and family centered settings where privacy risks are elevated. Hospice staff regularly access and discuss PHI while coordinating care, managing medications, communicating with family members, and working in patients’ homes, often under emotional and time sensitive conditions. Training should clearly explain how the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule apply in hospice environments, with practical guidance on minimum necessary use, permitted disclosures, and respectful communication.

Consistent with strong HIPAA training for employees, hospice focused training should use clear language and realistic scenarios rather than abstract legal concepts. This includes handling PHI during home visits, protecting information in shared living spaces, securing mobile devices and paper records, using email and messaging appropriately, and responding correctly when family members request information. Training should also reinforce how to identify and report potential incidents quickly, even when care is delivered outside traditional clinical facilities.

Best practice in the healthcare sector is to provide HIPAA training annually, and hospice staff should participate in regular refresher training to reinforce expectations and address changing risks. Annual HIPAA training helps ensure hospice teams protect patient dignity, maintain family trust, and consistently uphold privacy obligations throughout end of life care.

Are Coroners and Funeral Homes Business Associates?

A reasonable interpretation of HIPAA is that coroners and funeral homes provide a service on behalf of a covered entity, and during the provision of the service they receive, use and store Protected Health Information. This, in theory, would make coroners and funeral homes business associates. Apparently not according to §164.512(g) of the Privacy Rule. An exemption is made for coroners, medical practitioners and funeral homes – and to organ procurement organizations and secondary services.

Further complications surround entities who provide services directly to a patient not on behalf of the hospice. These include pharmacies, ambulances, and hospitals, who provide a service for the patient and not for the hospice. Also, when the patient´s Protected Health Information is shared with a lawyer, clinical consultant or pharmacy benefit manager for the purpose of assisting a hospice with an administrative task, they become business associates and a Business Associate Agreement will be required.

If your business operates in this very complicated area of HIPAA, it is recommended you seek professional guidance about HIPAA compliance for hospices with regard to your specific circumstances and any state laws that may apply in your jurisdiction. Hospices have been fined in the past for non-compliance with HIPAA, plus incurred expenses to mitigate potential damage caused by a breach, and had to take corrective actions to ensure their future compliance. For a non-profit organization, the financial consequences of non-compliance can be significant.