Awareness article
HIPAA for Healthcare Volunteers
Healthcare volunteers are workforce members under HIPAA and must be trained, supervised, and subject to sanctions. This guide covers volunteer HIPAA obligations, training documentation, and what volunteers cannot do.
Short answer
Volunteers at healthcare clinics are workforce members under 45 CFR § 160.103. They must receive HIPAA training (§ 164.530(b)), follow the minimum necessary standard, keep PHI confidential, and report suspected violations. They are subject to sanctions under § 164.530(e), and they should have no EHR or clinical-record access unless a documented need and explicit authorization exist for a specific purpose.
Volunteers contribute meaningfully to small clinic operations - assisting with patient flow, supporting administrative functions, and helping with community outreach. What many practice managers do not initially realize is that HIPAA applies to volunteers fully - not as a courtesy, but as a regulatory requirement.
Scenario: A retired nurse volunteers three days per week at a 4-provider family medicine practice, helping patients navigate the waiting room and escorting them to exam rooms. She is warm, experienced, and trusted by patients. Because she is unpaid and because “she knows what she’s doing,” she has never received formal HIPAA training and there is no documentation of her orientation. She is a workforce member under 45 CFR § 160.103. The clinic is operating with an untrained workforce member - a direct violation of 45 CFR § 164.530(b) - regardless of her clinical background or the informality of her role.
Volunteers Are Workforce Members Under 45 CFR § 160.103
The HIPAA definition of “workforce” leaves no ambiguity:
“Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”
Volunteers who work under your clinic’s direction are workforce members. This means they must receive HIPAA training before beginning work that involves PHI exposure (the rule itself requires training “within a reasonable period of time” after a person joins the workforce, § 164.530(b)(2)(i)(B); training before first PHI contact is the defensible reading of that phrase); they are bound by your clinic’s privacy and security policies; they are subject to sanctions for non-compliance; and their conduct creates compliance obligations for your clinic.
A clinic that allows untrained volunteers to assist at the front desk, transport patients, or make outreach calls is operating with untrained workforce members - a direct violation of 45 CFR § 164.530(b).
Common Volunteer Roles That Create PHI Exposure
Not every volunteer role creates PHI exposure. A volunteer who sets up the waiting room or stocks supply closets has minimal PHI risk. But several common roles do create meaningful exposure.
Front Desk Assistance
Volunteers helping at the front desk - handing out sign-in sheets, directing arriving patients, or managing the waiting room - encounter PHI by proximity. They may see names on scheduling screens, hear conversations about appointments, or be asked by visitors or family members for information about patients.
Training for front desk volunteers must include: how to decline requests for patient information politely but firmly; what to do when someone asks for a patient by name; and when to escalate to a paid staff member.
Patient Transport Within the Facility
Volunteers who escort patients between waiting areas, procedure rooms, or clinical areas encounter PHI by role. They may hear clinical discussions in hallways, observe signage in clinical areas, or be present when providers or staff address patients by name and condition.
Training for transport volunteers must include: what to do if they overhear clinical information (treat it as confidential, do not repeat it); how to avoid looking at clinical screens in treatment areas; and how to maintain patient dignity during transport.
Patient Outreach Calls
Some clinics use volunteers for reminder calls, wellness check-in calls, or event invitation calls to established patients. These calls involve PHI by definition - the volunteer knows the person is a patient at the clinic, which is itself PHI under 45 CFR § 160.103.
Training for outreach volunteers must include: how to confirm they are speaking with the patient (or a person the patient has authorized) before saying anything clinical; what may be left on voicemail (a minimum necessary message such as the clinic name, a callback number, and the appointment date, with no clinical detail); what information they are authorized to share; and how to document the call.
What HIPAA Training for Volunteers Must Cover
Under 45 CFR § 164.530(b), training must be “necessary and appropriate” for the volunteer’s functions. Minimum required content for all clinic volunteers:
- What is PHI. Individually identifiable information, held by the clinic, about a patient’s health condition, the care they receive, or payment for that care. Names, appointment schedules, diagnoses, medications, and the fact that someone is a patient at all are PHI.
- Minimum necessary standard. Access to and discussion of PHI should be limited to what the volunteer needs for their specific function. A transport volunteer does not need to know a patient’s diagnosis to escort them to a room.
- Confidentiality obligation. Information encountered through volunteer work is confidential. It cannot be shared with family, friends, or others outside the clinic, and it cannot be discussed casually with other volunteers.
- How to handle visitor or family requests. Volunteers should not respond to requests for information about patients. Direct the requesting person to the front desk or a staff member.
- How to report a suspected violation. If a volunteer witnesses or suspects a HIPAA violation - a chart left open in a public area, a colleague discussing patient information loudly in the hallway - they must know how to report it and who the Privacy Officer is.
Documentation Requirements for Volunteer Training
The same documentation standards that apply to paid workforce members apply to volunteers. The regulation itself requires only that the training be documented (§ 164.530(b)(2)(ii)) and retained (§ 164.530(j)); it does not list fields. A record that will hold up in an OCR review captures: the volunteer’s name; the date training was completed; the content covered; and an attestation confirming completion.
For volunteers who rotate through periodically, maintain documentation as part of the volunteer management records. Your clinic must be able to produce these records during an OCR investigation. “We train volunteers informally” is not a compliant answer.
Training records must be retained for six years under § 164.530(j)(2), counted from the date the record was created or the date it was last in effect, whichever is later. A record that is superseded by retraining therefore starts its six-year clock on the date it was replaced, not the date it was signed.
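As an added illustration of the two checks above (that every PHI-exposed volunteer has a complete training record dated on or shortly after their start, and when each record may be disposed of), the script below audits a constructed volunteer roster against a constructed training log. It is example code written for this page, not PHIGuard’s software or anything the regulation prescribes; the data model, the 30-day grace window, and the sample names are all assumptions.

```python
"""Audit volunteer HIPAA training records against a volunteer roster.

Example code added to this page; not a product or regulatory artifact.
Assumptions: a roster of volunteers with the date each began PHI-exposed
work, and a log of training records. The 30-day grace window is a local
policy choice standing in for the rule's "reasonable period"; the sample
data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Volunteer:
    name: str
    role: str
    phi_exposed: bool          # does this role create PHI exposure?
    started_on: date           # first day of work that exposes PHI


@dataclass(frozen=True)
class TrainingRecord:
    name: str
    completed_on: Optional[date]   # None means the session was never finished
    content: str                   # modules covered
    attested: bool                 # signed attestation on file
    superseded_on: Optional[date] = None  # date a newer record replaced this one


def missing_fields(rec: TrainingRecord) -> list[str]:
    """Fields a reviewer expects on a training record but which are blank."""
    missing = []
    if not rec.name.strip():
        missing.append("name")
    if rec.completed_on is None:
        missing.append("completed_on")
    if not rec.content.strip():
        missing.append("content")
    if not rec.attested:
        missing.append("attestation")
    return missing


def retention_ends(rec: TrainingRecord) -> Optional[date]:
    """Six years from creation or from the date last in effect, whichever is later
    (45 CFR 164.530(j)(2)). Returns None for a record with no completion date."""
    if rec.completed_on is None:
        return None
    anchor = max(rec.completed_on, rec.superseded_on or rec.completed_on)
    try:
        return anchor.replace(year=anchor.year + 6)
    except ValueError:  # anchor is Feb 29 and the target year is not a leap year
        return anchor.replace(year=anchor.year + 6, day=28)


def audit(volunteers: list[Volunteer], records: list[TrainingRecord],
          grace_days: int = 30) -> dict[str, list[str]]:
    """Return findings keyed by volunteer name. Volunteers with no finding are absent."""
    findings: dict[str, list[str]] = {}
    # Incomplete records are a finding regardless of who they belong to.
    for rec in records:
        gaps = missing_fields(rec)
        if gaps:
            findings.setdefault(rec.name or "<unnamed>", []).append(
                "incomplete record: missing " + ", ".join(gaps))
    # Every PHI-exposed volunteer needs a complete record dated close to their start.
    for v in volunteers:
        if not v.phi_exposed:
            continue
        complete = [r for r in records if r.name == v.name and not missing_fields(r)]
        if not complete:
            findings.setdefault(v.name, []).append("no complete training record")
            continue
        first = min(r.completed_on for r in complete)  # all non-None after filtering
        lag = (first - v.started_on).days
        if lag > grace_days:
            findings.setdefault(v.name, []).append(
                f"trained {lag} days after starting PHI-exposed work")
    return findings


# Constructed sample data (not real people or a real clinic).
ROSTER = [
    Volunteer("R. Alvarez", "patient transport", True, date(2024, 1, 8)),
    Volunteer("J. Chen", "front desk", True, date(2024, 3, 4)),
    Volunteer("M. Okafor", "supply closet", False, date(2024, 2, 1)),
    Volunteer("D. Patel", "outreach calls", True, date(2023, 11, 13)),
]
LOG = [
    TrainingRecord("J. Chen", date(2024, 2, 26),
                   "PHI basics; minimum necessary; visitor requests; reporting", True),
    TrainingRecord("D. Patel", date(2024, 2, 12),
                   "PHI basics; outreach call script; reporting", True),
    TrainingRecord("D. Patel", None, "PHI basics", False),
]


def run_sample() -> dict[str, list[str]]:
    """Audit the constructed roster; used as the worked example."""
    return audit(ROSTER, LOG)


if __name__ == "__main__":
    for name, issues in sorted(run_sample().items()):
        for issue in issues:
            print(f"{name}: {issue}")
    for rec in LOG:
        print(f"{rec.name} record of {rec.completed_on}: retain until {retention_ends(rec)}")
```

On the sample data the audit flags R. Alvarez (transport role, no record at all), D. Patel (trained 91 days after starting outreach calls, plus an abandoned second record with no date or attestation), and nothing for J. Chen (trained a week before starting) or M. Okafor (no PHI exposure). The retention helper is the piece most often done wrong: a record superseded by retraining keeps its six-year clock running from the supersession date.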
Sanctions: Can Volunteers Be Sanctioned?
Yes. Under 45 CFR § 164.530(e)(1), your clinic must have and apply appropriate sanctions against workforce members who fail to comply with its privacy policies and procedures, and § 164.530(e)(2) requires that the sanctions applied be documented. Volunteers are workforce members.
Appropriate sanctions depend on the severity and nature of the violation:
- Verbal warning and retraining: For a first-time, inadvertent violation with no patient harm
- Formal written notice: For a second violation or a more serious first violation
- Termination of the volunteer relationship: For intentional violations, repeated non-compliance, or violations that caused patient harm
Document the sanction applied, just as you would for a paid employee. Absence of a documented response to a known volunteer violation is itself a compliance gap: the violation is discoverable in an investigation, and the missing record shows the sanction policy was not applied.
What Volunteers Cannot Do
Regardless of their enthusiasm, availability, or familiarity with the clinic, there are PHI-bearing functions that volunteers must not perform.
Volunteers may not access EHR systems. Clinical records systems contain comprehensive PHI, and access must be based on a documented clinical or administrative need. Volunteers do not have that need. Even a volunteer who is a registered nurse in their paid role should not access EHR systems in their volunteer capacity without explicit authorization for a specific purpose. If such an authorization is ever granted, it must come with the volunteer’s own unique user ID (45 CFR § 164.312(a)(2)(i)) scoped to that purpose; a volunteer working under a staff member’s borrowed login defeats the audit trail and is itself a Security Rule failure.
Volunteers may not review clinical records. This applies to paper and digital records. Even if a file is left in a visible location, a volunteer who accesses it goes beyond their authorized function.
Volunteers may not independently respond to patient requests for information. Requests for medical records, insurance information, or clinical information require verification, authorization review, and routing to the Privacy Officer. These functions require training and authority that volunteers do not have.
Volunteers may not handle PHI outside the clinic. Taking paper lists, printed schedules, or any PHI-bearing document out of the clinic is unauthorized retention and removal of PHI.
For training requirements that apply across all workforce roles, see annual HIPAA training requirements. For new workforce member onboarding requirements, see the new hire HIPAA onboarding checklist.
PHIGuard gives practice managers a centralized system for tracking volunteer training completion alongside paid staff compliance - without managing separate spreadsheets or paper sign-in logs. Learn how at PHIGuard HIPAA.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.