PHIGuard for Hospice Agencies

PHIGuard helps hospice agencies manage HIPAA compliance across interdisciplinary care teams, family disclosures, caregiver coordination, and workforce training — with a BAA at every tier.

Practice summary

Hospice agencies coordinate care across nurses, social workers, chaplains, home health aides, and volunteers — all of whom may access patient PHI. Family disclosure requests are frequent and emotionally charged. PHIGuard provides the compliance infrastructure to keep PHI access controlled, training documented, and incidents logged without per-user pricing.

Covered entity status. Hospice programs that participate in Medicare are certified by CMS under 42 CFR Part 418. Medicare-certified hospices transmit electronic claims and are covered entities under HIPAA. This is not a gray area — Medicare-certified hospice agencies have clear HIPAA obligations as covered entities and must maintain all required Privacy Rule, Security Rule, and Breach Notification Rule compliance programs.

Hospice agencies operate in an environment that makes HIPAA compliance structurally challenging. Care happens in patients’ homes, nursing facilities, and inpatient hospice units — not in a controlled clinical setting where access controls are built into the environment. The interdisciplinary team model means nurses, social workers, chaplains, home health aides, and volunteers all access patient information, often through a mix of electronic systems and paper records.

PHI Risks Specific to Hospice Agencies

Interdisciplinary team access. A hospice IDT may include ten or more people with different roles and different legitimate access needs. A home health aide does not need access to a clinical social worker’s psychosocial assessment, and a chaplain does not need to see the medication administration record. Role-based access controls, applied consistently and reviewed regularly, are a Security Rule requirement under 45 CFR 164.312(a).

Family disclosure requests. Family members of hospice patients often request information about the patient’s condition, prognosis, and care plan. These requests arrive frequently and are emotionally urgent. Staff need documented guidance on when they can share information under 45 CFR 164.510(b), what to do when a family member’s request conflicts with the patient’s prior instructions, and how to document the disclosure decision.

Caregiver coordination communications. Coordinating care between the hospice nurse, the home health aide agency, the attending physician, and the inpatient facility generates significant PHI transmission. Verbal coordination, faxes, and care summaries sent to or from non-BAA partners are recurring compliance exposure points.

Volunteer and contract staff access. Volunteers transport supplies, sit with patients, and interact with families. They access the home and sometimes encounter care documentation. A documented volunteer training program and clear policies on what volunteers may and may not discuss are required under §164.530(b).

After-hours communication. After-hours calls from families and on-call nurse responses frequently occur over personal mobile devices. The hospice must have a documented policy for after-hours communication that addresses PHI handling on personal devices. An organization-wide BYOD policy is not a substitute.

CAHPS Hospice Survey data. Hospices participating in Medicare are required to administer the CAHPS Hospice Survey, which collects family caregiver feedback on care quality. Survey response data is linked to individual care episodes and constitutes PHI. The survey vendor collecting and processing that data is a business associate and requires a BAA. CMS publishes aggregate results publicly, but the underlying individual response data requires the same protections as any other PHI the hospice generates.

Common Compliance Gaps

Hospice agencies consistently identify two gaps: volunteer training documentation that does not meet §164.530(b) standards because volunteers are treated as outside the workforce, and no formal process for logging and assessing family disclosure decisions. The latter gap means that when OCR requests documentation of a specific disclosure, the agency has no record.

What PHIGuard Provides

PHIGuard is designed for administrators managing compliance without a dedicated team. The platform includes:

  • Workforce training tracking with per-member timestamps, covering employees and volunteers
  • Incident log with guided assessment for both reportable breaches and near-miss events
  • BAA record tracking for home health aide agencies, pharmacy partners, and DME vendors
  • Compliance task templates for annual risk analysis, policy attestation, and training cycles
  • Audit trail on all compliance records

Pricing is per agency, not per staff member or volunteer: Essentials at $99/month, Clinic at $249/month, Group at $499/month per agency location. See current plan details and tier limits or visit the HIPAA compliance overview for the regulatory framework applicable to hospice agencies.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 23, 2026

FAQ

Questions hospice agency teams ask before switching

Can hospice staff share patient information with family members who are not the designated representative?

Under 45 CFR 164.510(b), a covered entity may share relevant PHI with family members involved in the patient's care, if the patient has not objected or does not have capacity to object and it is in the patient's best interest. The permission is narrower than most staff assume. A documented process for evaluating each disclosure request is essential.

Do hospice volunteers need HIPAA training?

Yes. Volunteers whose conduct is under the direct control of the hospice are part of the workforce under HIPAA, and §164.530(b) requires workforce training on privacy policies and procedures. Hospice volunteers often have significant patient and family contact and must understand what they can and cannot disclose.

What PHI risks come with home-based care?

Care delivered in a patient's home involves verbal disclosures that are harder to control — family members overhear clinical discussions, paper care summaries are left in shared spaces, and staff use personal devices to communicate. Documented policies for home-setting communication and device use are required.
