The HIPAA Security Rule protects the electronic protected health information held by covered entities and their business associates. A hospice agency sits squarely inside that definition. Your clinicians document care in an EHR, your back office bills Medicare and other payers electronically, and your interdisciplinary team accesses patient records from homes, nursing facilities, and inpatient units across a wide service area.
Hospice and palliative care agencies are HIPAA covered entities.
Because you furnish healthcare and transmit health information electronically in connection with billing and other standard transactions, your agency is a covered entity. That brings you under the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule at 45 CFR Part 164.
These obligations exist independent of your size and whether you have ever had an incident. A Security Risk Assessment, documented safeguards, Business Associate Agreements, and an incident response plan are baseline requirements, not responses to a breach.
Your interdisciplinary team carries ePHI into the field.
Hospice care is delivered where the patient is. Nurses, aides, chaplains, social workers, and physicians move between private homes, nursing homes, and inpatient units, and they need patient records with them. That means laptops, tablets, and phones with remote access to your EHR, each one a place ePHI can be lost or exposed.
We extend the safeguards that protect your office to that mobile fleet: encryption on every device, strong authentication for remote EHR access, the ability to lock or wipe a lost device, and audit logging that shows who reached which record. The distributed nature of hospice work is exactly why device-level protection is not optional in practice.
Coordinated care means Business Associate Agreements across many settings.
Hospice is a coordination-heavy model. A single patient's care can involve hospitals and referring physicians, nursing homes and assisted-living facilities, pharmacies, durable medical equipment suppliers, and laboratories, alongside your own IT, EHR, and billing vendors. PHI moves among them constantly.
Any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a business associate and must be under a Business Associate Agreement. This coordination drives real BAA and vendor sprawl. We inventory every relationship, determine which ones require a BAA, put the agreements in place, and document the oversight so the requirement is satisfied rather than assumed.
Family and caregiver communication needs guardrails.
Hospice care happens in an intensely personal, family-centered setting. Team members speak with spouses, adult children, and caregivers, often at emotionally difficult moments, and it is easy for protected health information to be shared more broadly than the minimum necessary standard allows or with someone who is not authorized.
We help you put practical guardrails in place: how staff verify who they are speaking with, what may be shared and with whom, and how to use text and email with families without exposing PHI on unsecured channels. Privacy is especially sensitive here, and the controls are designed to protect families as much as to satisfy the rule.