What makes hospice HIPAA compliance different from other healthcare providers?

Hospice HIPAA compliance is distinctive in several ways: family members are closely involved in care but are not automatically authorized to receive PHI under HIPAA's personal representative rules; volunteer coordinators who access patient records through volunteer management platforms create business associate relationships; chaplaincy software and bereavement platforms may receive patient data; and the extreme sensitivity of end-of-life diagnoses and medication records (which often include controlled substances) heightens the importance of proper PHI protection.

Hospice Agencies

HIPAA Business Associate Agreement for Hospice Agencies

Q: Do bereavement services require a HIPAA BAA?

It depends. Bereavement services provided by the hospice directly as part of the hospice benefit (as required by Medicare Conditions of Participation) are covered under the hospice's HIPAA compliance program. If bereavement services are contracted to a third-party provider who receives patient or family information from the hospice's records — such as patient name, date of death, or family contact information linked to clinical records — that contractor may require a BAA.

By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read

Key Takeaways

✓ Hospice agencies are HIPAA covered entities handling extremely sensitive end-of-life PHI
✓ Family involvement in hospice care does not create automatic authorization to receive PHI
✓ Bereavement contractors and volunteer management platforms may require BAAs
✓ Hospice-specific EHR vendors (Netsmart myUnity, Axxess, Homecare Homebase Hospice) provide BAAs

Direct answer: Yes — hospice agencies are HIPAA covered entities. End-of-life PHI is among the most sensitive in healthcare. You must sign Business Associate Agreements with your hospice EHR, pharmacy vendors, family communication platforms, billing companies, and contractors. Unique hospice-specific BAA risks include bereavement service providers and volunteer management platforms.

Hospice agencies handle patient information that is uniquely sensitive: terminal diagnoses, end-of-life medication regimens (often including controlled substances), spiritual care assessments, and family-patient communication records. The multidisciplinary nature of hospice — nurses, social workers, chaplains, aides, volunteers, and bereavement counselors all involved in care — creates a broader set of vendor and contractor relationships than most healthcare settings, each of which must be evaluated for BAA requirements.

Why Hospice Agencies Are Covered Entities

Hospice agencies are healthcare providers under HIPAA. Medicare-certified hospice programs that submit claims electronically are covered entities subject to the full HIPAA Privacy and Security Rules. This applies to:

Medicare-certified hospice agencies
Medicaid-certified hospice providers
Hospital-based hospice programs
Non-profit community hospice organizations
For-profit hospice chains

Unique HIPAA Considerations for Hospice

Family Access and PHI Authorization

In hospice care, family members are deeply involved in patient care — but this involvement does not automatically authorize them to receive PHI. Under HIPAA, family members can receive PHI only when the patient has authorized disclosure, when the family member is the patient's personal representative (e.g., holds healthcare power of attorney), or when specific circumstances apply (e.g., the patient is incapacitated and disclosure is in their best interest).

Hospice agencies that use family communication platforms or portals to share clinical updates must ensure proper authorization is documented before sharing PHI through those platforms.

Volunteer Access to Patient Records

Hospice volunteers may be assigned to specific patients and may access patient records or receive patient-identifying information as part of their assignment. If volunteer coordinators use a software platform to manage assignments and that platform stores patient names, addresses, or care preferences, the platform is handling PHI and the vendor requires a BAA.

Vendors Hospice Agencies Typically Need BAAs With

Hospice-Specific EHR and Clinical Management

Netsmart myUnity, Homecare Homebase (Hospice edition), and Axxess are leading hospice clinical management platforms. These systems hold patient care plans, interdisciplinary group notes, physician orders, and billing data. All major hospice software vendors provide BAAs. Confirm that signed BAAs are on file before going live with any new platform.

Pharmacy and Compounding Vendors

Hospice pharmacy is distinct from standard pharmacy: many patients require compounded medications, especially in the final days of life. Whether you use a long-term care pharmacy, a compounding pharmacy, or a mail-order hospice pharmacy, those vendors receive patient-identifying prescription records and require BAAs. Review our guide on when a HIPAA BAA is required for the full decision framework.

Bereavement Service Providers

CMS requires hospice programs to offer bereavement services to families for at least 13 months after a patient's death. When bereavement services are contracted to outside counselors or organizations who receive patient and family information from your records, those contractors may be business associates requiring BAAs. The determination depends on whether they receive patient-identifying information as part of performing the service.

Chaplaincy and Spiritual Care Software

Chaplaincy software platforms used to document spiritual care assessments and visits link patient identities to sensitive religious and emotional information — a form of PHI. If your spiritual care team uses a standalone platform for documentation, the vendor requires a BAA.

Family Communication Platforms

Family engagement tools that share daily care updates, medication information, or clinical status with authorized family members handle PHI and their vendors are business associates requiring BAAs. These platforms are increasingly common in hospice settings. See our checklist on whether your vendor signs BAAs.

Billing and Revenue Cycle

Hospice billing is Medicare-specific and highly complex. Billing companies specializing in hospice and general RCM vendors that process your claims handle PHI and require BAAs.

Vendor Type	Example Vendors	BAA Required?
Hospice EHR	Netsmart myUnity, HCHB Hospice, Axxess	Yes
Pharmacy / compounding	LTC pharmacies, compounding pharmacies	Yes
Bereavement contractor	Third-party bereavement counselors	Yes (if receiving PHI)
Chaplaincy software	Spiritual care documentation platforms	Yes
Family communication	Family portal and engagement platforms	Yes
Volunteer management	VolunteerHub, Better Impact (if PHI accessed)	Yes (if PHI accessed)
Billing / RCM	Hospice billing companies	Yes
IT support / MSP	Local or remote IT provider	Yes

Generate a BAA for your hospice agency

Create a HIPAA-compliant Business Associate Agreement for your billing company, software vendor, or IT provider — free to start, no subscription required.

Generate BAA for Free →

Frequently Asked Questions

Do hospice agencies need HIPAA BAAs?

Yes. Hospice agencies are healthcare providers and HIPAA covered entities. They must execute BAAs with every vendor that creates, receives, maintains, or transmits PHI on their behalf under 45 CFR § 164.504(e). This includes hospice EHR vendors, pharmacy vendors, family communication platforms, and billing companies.

Do bereavement services require a HIPAA BAA?

It depends on whether the bereavement service provider receives patient-identifying information from your records. Third-party bereavement counselors or organizations who receive patient names, dates of death, or family contact information linked to clinical records as part of their contracted service are business associates requiring BAAs.

What makes hospice HIPAA compliance different?

Hospice deals with extremely sensitive end-of-life information, highly involved families who are not automatically authorized to receive PHI, volunteers who may access patient information, and contractors (chaplains, bereavement counselors) who create PHI as part of care. These features create a broader set of potential BAA obligations than most other healthcare settings.

Do volunteer coordinators and management platforms require BAAs in hospice?

Yes, if the volunteer management platform accesses patient-identifying information as part of managing assignments. Hospice volunteer assignments often reference patient information, and the software managing those assignments may process PHI, making the vendor a business associate requiring a BAA.