HIPAA Compliance in Home Health & Hospice: Staff Training, BAAs, & More
April 18th, 2025
6 min read
By Abigail Karl

Even when you understand HIPAA rules, knowing how to implement them day-to-day can still feel overwhelming.
That’s why we at The Home Health Consultant provide detailed explanations to help you move from regulation to action with HIPAA compliance. Whether it’s through internal training or setting up breach response plans, we’ve got you covered.
In this article, you’ll discover:
- Actionable steps to comply with HIPAA regulations
- Detailed information about staff and volunteer HIPAA training
- When you need a Business Associate Agreement to remain compliant
After reading, you’ll be an expert in all things HIPAA, know how to prepare for more complex situations, and be able to implement steps to protect your agency and patients.
What Actionable Steps Can You Take in Your Home Health or Hospice to Remain HIPAA Compliant?
Here are key security practices you can adopt to protect your patients’ data:
- Device Protection: Use strong passwords or PIN locks on all devices with patient information. Enable automatic screen locks after a short period of inactivity.
- Remote Wipe: Set up the ability to remotely erase data on devices. That way if a device is lost or stolen, you can wipe its data. This ensures that a missing device doesn’t turn into a breach.
- Pro Tip: If your staff are using Apple devices, you can track and remotely erase missing tech through the Find My iPhone app or iCloud. This is possible as long as you have access to the Apple account the device is registered with. If you ever do have to take this precaution, make sure to document your efforts.
- Designate a Privacy & Security Officer: You must appoint someone responsible for your HIPAA compliance efforts. This person oversees training, audits, incident response, and policy enforcement.
- HIPAA Compliant Software: Ask software vendors that will store patient data about their HIPAA compliance. Most home health and hospice software will have this built in. If you use any software for general business purposes, it is likely not compliant with HIPAA standards. Make sure to ask.
- Private Settings: When doing telehealth calls or discussing cases by phone, find a private space. Make sure no unauthorized person can overhear or see patient information. You also need to think about HIPAA when searching for an office space. To read more about office space and lease requirements, read our article below.
- Physical Security: Do not leave laptops or paper charts with PHI unattended. Lock paper files in cabinets or rooms that only staff can access, and shred documents when they are discarded. Don’t leave them in your car, or lying around your home. Lock them up in designated areas.
- Pro Tip: Face computers away from office traffic. Passersby shouldn’t be able to see your screens from main entry areas or hallways.
- Double Lock: Make sure all patient- and staff-related health information is behind a double lock and only accessible to personnel on a “need to know” basis. For example, your intake person should not have access to staff health records. Your HR person should not have access to patient health records. This will be checked at every survey. Joint Commission surveyors will often have agency personnel lock and unlock the place where records are stored, to check for privacy breaches.
- Pro Tip: A double lock can come in two forms:
  - A locked filing cabinet in the office;
  - A separate lockable “records” room within the office.
- Change Passwords Often: Establish a regular schedule for changing passwords on software and devices used for patient information and charting. We recommend every 30-90 days.
- Avoid Saving Passwords in the Browser: Many online systems include this in their pre-login disclaimers. Make sure you and your staff are typing in the passwords each time. Saving passwords in your browser or phone leaves your agency vulnerable to unwanted logins.
- Designate Devices: Don’t chart on home computers. Patient information needs to be on devices that are only accessible to the person who will be charting.
- Add HIPAA Disclaimers to Communication Methods: Even well-intentioned people can make mistakes. Sometimes a fax or email can be sent to the wrong person. Add the following HIPAA disclaimer to your fax cover sheet and email signature, requesting that any information received in error be immediately discarded. The disclaimer below is an example:
“Disclaimer: The information contained in this electronic message/fax is confidential, proprietary, and intended only for the use of the e-mail address listed as the recipient of this message. If you are not the intended recipient, you are hereby notified that any disclosure, dissemination, distribution, copying of this communication, or unauthorized use of the information is strictly prohibited and subject to prosecution to the fullest extent of the law! If you are not the intended recipient, please delete this electronic message and DO NOT ACT UPON, FORWARD, COPY OR OTHERWISE DISSEMINATE IT OR ITS CONTENTS.”
By implementing these safeguards, you reduce the chance of a costly data breach. These practices aren’t optional; the HIPAA Security Rule mandates them. Always be sure to review your policies and procedures to ensure compliance.
What Training Is Required for Staff and Volunteers Under HIPAA?
Everyone in your agency who interacts with patients or handles patient information must get HIPAA training. This includes nurses, therapists, aides, office staff, and contractors. This is true for hospice volunteers as well. Even students, clergy, or other volunteers who help with patient care must be trained. Under HIPAA, all of these people are considered part of your workforce, so they are required to follow the same rules as any employee. To read more about hospice volunteer Medicare requirements, click below.
Here are a few steps you can take to stay compliant with HIPAA education requirements:
- Give comprehensive HIPAA training when someone joins your team. This training should cover:
  - What HIPAA is
  - How to keep information private and secure
  - What to do if something goes wrong (reporting a lost or stolen device)
  - Exactly what information is considered PHI
- Provide refresher training at least once a year.
These in-service resources are included in The Home Health Consultant Administrative Compliance Program. To learn more about our program and what you get out of it, check out the article below.
Who Needs a Business Associate Agreement in Home Health or Hospice?
If you use any outside company or contractor for tasks involving patient information, you must have a Business Associate Agreement (BAA). Under HIPAA, a “business associate” is any person or company (other than your employees) that performs services for you involving PHI.
Common examples of outside vendors who need BAAs include:
- Staffing companies
- Billing services
- IT providers
- Consultants
- Accountants
- Cloud software companies
A BAA is a contract that obligates your vendors to protect the information and follow HIPAA rules. It also outlines what they are allowed and not allowed to do with the PHI. Make sure you have BAAs signed and on file with all such partners. Not doing so significantly increases your liability if any of your business associates are involved in a HIPAA breach.
However, HIPAA specifically excludes some entities from being considered business associates in certain cases. For example, funeral homes and coroners are not treated as business associates when they handle information as part of their duties. But these are rare exceptions.
Business Associate Agreements require specific, verbatim language. The Department of Health and Human Services (HHS) provides this contract addendum for free online.
How Do HIPAA & BAA Apply When Working with a Separate Healthcare Provider?
You do not need a Business Associate Agreement (BAA) to share patient information with another healthcare provider who is actively treating the patient. For example, if your hospice patient goes to the emergency room, that hospital is not your business associate. They’re a covered entity providing treatment. HIPAA allows for sharing information between covered entities for the purpose of treatment without a BAA.
However, this doesn’t mean you can freely send patient records just because someone says they’re a provider. In today’s digital age, anyone can claim to be a healthcare professional. That’s why you must require a signed Consent to Release Medical Records from the patient before you share any information—even with another provider.
Here’s what that consent accomplishes:
- It confirms that the patient has authorized the exchange of their medical information with that specific provider.
- It protects your agency from liability, because you’re not releasing protected health information (PHI) without documented permission.
- It outlines any limitations the patient may have set—such as restricting certain diagnoses, time periods, or sensitive treatments from being disclosed. If no limitations are specified, you may share the full medical record.
- It has an expiration date. These consents aren’t indefinite. Your agency must verify that the consent is still valid at the time of sharing. Sharing after the expiration date—even accidentally—could be a HIPAA violation.
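As an added illustration (not part of the original article, and not the consultancy’s own tooling), here is a constructed Python check that gates a record release on the points above: the consent must name the requesting provider, it must be in effect on the day of sharing, and any patient-set category or time-period limitations are applied before anything leaves the agency. The patient, provider and chart entries are hypothetical sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Consent:
    """Signed Consent to Release Medical Records (constructed model)."""
    patient_id: str
    authorized_provider: str              # provider named on the consent
    signed_on: date
    expires_on: date
    excluded_categories: frozenset = field(default_factory=frozenset)
    covered_from: Optional[date] = None   # None = no time-period limit
    covered_to: Optional[date] = None

@dataclass(frozen=True)
class RecordEntry:
    category: str     # e.g. "diagnosis", "medication", "behavioral_health"
    entry_date: date
    text: str

def release_records(consent, requesting_provider, records, today):
    """Return (entries_to_share, denial_reason); denial_reason is None
    when sharing is permitted, otherwise nothing is released."""
    if requesting_provider != consent.authorized_provider:
        return [], "consent does not name the requesting provider"
    if not (consent.signed_on <= today <= consent.expires_on):
        return [], "consent expired or not yet in effect"
    shared = []
    for r in records:
        if r.category in consent.excluded_categories:
            continue                      # patient excluded this category
        if consent.covered_from and r.entry_date < consent.covered_from:
            continue                      # outside the authorized period
        if consent.covered_to and r.entry_date > consent.covered_to:
            continue
        shared.append(r)
    return shared, None

# Constructed sample data: hypothetical patient, provider and chart entries.
SAMPLE_CONSENT = Consent(
    patient_id="PT-0001", authorized_provider="Riverside General Hospital",
    signed_on=date(2025, 1, 10), expires_on=date(2025, 7, 10),
    excluded_categories=frozenset({"behavioral_health"}),
)
SAMPLE_RECORDS = [
    RecordEntry("diagnosis", date(2025, 2, 1), "CHF, NYHA class III"),
    RecordEntry("medication", date(2025, 3, 5), "Furosemide 40 mg daily"),
    RecordEntry("behavioral_health", date(2025, 3, 6), "Counselling note"),
]
```

Log every denial reason alongside the request so the Privacy & Security Officer can review attempted releases against expired or mismatched consents.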
In contrast, if you’re sharing patient information with someone who is not providing treatment—like a billing company, software vendor, or consultant—you are dealing with a business associate, and you do need a signed BAA in place. That agreement ensures they will safeguard patient data and comply with HIPAA regulations just like you.
Bottom line: BAAs are for your vendors, not other providers.
How Can Home Health and Hospice Agencies Avoid HIPAA Penalties?
HIPAA compliance in home health and hospice is challenging but achievable. It takes commitment, but it protects your patients and your agency. Remember that these rules are about preserving trust. Every safeguard and policy exists to protect the people in your care. By following these practices, you not only obey the law. You also show your patients and their families that their information is in good hands.
Now it’s time to put this knowledge into action. Regularly review your procedures and keep your team trained on best HIPAA practices. Create a culture of privacy and security in your agency. In doing so, you’ll benefit your patients and ensure your agency thrives with integrity.
If you’re still concerned about maintaining proper HIPAA protocol or have other compliance concerns, feel free to reach out. At The Home Health Consultant, we specialize in helping agencies like yours implement a framework to stay compliant all the time, not just before a survey.
*This article was written in consultation with Mariam Treystman.
*Disclaimer: The content provided in this article is not intended to be, nor should it be construed as, legal, financial, or professional advice. No consultant-client relationship is established by engaging with this content. You should seek the advice of a qualified attorney, financial advisor, or other professional regarding any legal or business matters. The consultant assumes no liability for any actions taken based on the information provided.