A CMS survey or an OCR investigation of a hospice agency typically begins the same way: with a document request. Before surveyors or investigators assess your clinical operations or technical controls, they ask for the foundational compliance documentation. The organizations that survive these reviews with minimal findings are those that can produce complete, current documentation immediately — not after a frantic search through filing systems.
This checklist organizes the documents and controls that hospice agencies need to have ready — for routine CMS surveys, triggered OCR investigations following a complaint or breach, and cyber insurance renewals.
Tier 1: Documents Requested Within the First 24 Hours
These are the documents that surveyors and investigators request at the start of every audit. They should be immediately accessible, current, and complete.
- [ ] Written HIPAA Security Rule risk analysis — comprehensive, covers all systems storing or transmitting ePHI, dated within the past 12 months or since last significant operational change. Identifies risks, likelihood, impact, and controls.
- [ ] Written information security program (WISP) or equivalent — documents your hospice's security policies and procedures. Reviewed and approved by the governing body within the past 12 months.
- [ ] Incident response plan — written, with named roles and contact information. Includes 72-hour internal notification procedure and breach notification timelines for OCR and affected individuals.
- [ ] List of all business associates with signed BAAs — complete list of vendors, contractors, and business associates who have access to ePHI. Confirmation that current BAAs are on file for each.
- [ ] Staff security awareness training records — documentation that all workforce members with ePHI access have completed security awareness training within the past 12 months. Includes training completion dates and content covered.
Tier 2: Technical Control Evidence Requested in Days 1–3
After reviewing documentation, surveyors and investigators request evidence that technical controls are actually implemented.
- [ ] MFA implementation evidence — documentation or system screenshots confirming MFA is enforced on all accounts with ePHI access. For Microsoft 365: Conditional Access policy configuration. For EHR: SSO/MFA integration settings.
- [ ] Encryption verification — documentation confirming encryption at rest on workstations (BitLocker/FileVault enabled), mobile devices (verified encryption status), and cloud storage. Confirmation of TLS 1.2+ for data in transit.
- [ ] Vulnerability scan results — most recent automated vulnerability scan, dated within the past six months. Remediation plan for any identified findings. Previous scan for comparison.
- [ ] Penetration test results — most recent penetration test report, dated within the past 12 months. Remediation actions taken for identified findings.
- [ ] Audit log configuration and review records — confirmation that audit logging is enabled on all ePHI-containing systems. Documentation of most recent quarterly log review, including findings.
- [ ] Backup and recovery documentation — backup configuration documentation, most recent backup restoration test results, recovery time and recovery point objectives.
Tier 3: Documents for Specific CoP and Hospice Compliance Areas
These are requested by CMS surveyors assessing hospice-specific compliance, including the cybersecurity dimensions of clinical operations.
- [ ] Clinical record access controls documentation — role-based access policy for the EHR. Confirmation of most recent access review (within 12 months). Process for deactivating access when staff leave.
- [ ] Downtime procedures — written procedures for maintaining care delivery when EHR systems are unavailable. Covers: how field staff access patient records during downtime, how care is documented manually, and how documentation is transferred to the EHR when systems restore.
- [ ] Device management policy — written BYOD and device security policy covering encryption requirements, MDM enrollment, PIN/lock requirements, and lost device reporting procedures. Signed BYOD agreements from staff who use personal devices for work.
- [ ] Vendor security management documentation — process for assessing vendor security before granting ePHI access. Evidence that all EHR vendors (Netsmart, Brightree, Axxess, MatrixCare, etc.) have signed BAAs.
- [ ] Governing body cybersecurity oversight documentation — minutes or resolutions showing that the governing body has discussed and approved the information security program. Evidence that cybersecurity is a standing agenda item or annual review topic.
Tier 4: Post-Incident Documentation (If a Breach Has Occurred)
If the survey or investigation is triggered by or includes review of a past security incident:
- [ ] Incident report — timeline of the incident, systems and data affected, immediate response actions, containment measures, root cause determination.
- [ ] Breach notification evidence — copies of notification letters to affected individuals, evidence of OCR notification, evidence of media notification if 500+ individuals in a single state were affected.
- [ ] Remediation documentation — evidence of controls implemented following the incident to address the root cause and reduce the risk of recurrence.
- [ ] Risk assessment update — updated risk analysis reflecting lessons learned from the incident and documenting the risk reduction achieved through remediation.
How to Use This Checklist
If every item is checked and current, your hospice is in a strong audit-ready posture. If gaps exist, prioritize Tier 1 items first — the foundational documentation that every survey and investigation begins with. No documentation is worse than imperfect documentation: an OCR investigator who finds no risk analysis, no security program, and no training records is looking at a systemic non-compliance finding regardless of what technical controls are in place.
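The age windows the tiers above state (12 months for the risk analysis, WISP, training, penetration test and access review; six months for vulnerability scans; quarterly log reviews) can be checked mechanically against an inventory of dated artifacts. The script below is an added example, not ShieldForce tooling or code from the original page: the artifact names, the sample inventory dates and the 2024-10-15 "last significant change" date are constructed, and the incident response plan is tracked as present or absent only because the checklist gives it no age window.

```python
from datetime import date, timedelta

# Evidence windows from the checklist: artifact -> (tier, max age in months);
# None means the item must exist but the checklist states no age limit.
POLICY = {
    "risk_analysis":          (1, 12),
    "wisp":                   (1, 12),
    "incident_response_plan": (1, None),
    "security_training":      (1, 12),
    "vulnerability_scan":     (2, 6),
    "penetration_test":       (2, 12),
    "audit_log_review":       (2, 3),   # "most recent quarterly log review"
    "ehr_access_review":      (3, 12),
}
# Items the checklist also ties to the last significant operational change.
CHANGE_SENSITIVE = {"risk_analysis"}

def months_before(day, months):
    """Same day-of-month `months` earlier, clamped to the shorter month."""
    years, m0 = divmod(day.month - 1 - months, 12)
    y, m = day.year + years, m0 + 1
    next_first = date(y + (m == 12), 1 if m == 12 else m + 1, 1)
    return date(y, m, min(day.day, (next_first - timedelta(days=1)).day))

def find_gaps(artifacts, today, last_significant_change=None):
    """Return [(tier, artifact, reason)] for missing or stale evidence,
    sorted Tier 1 first, which is the remediation order the checklist gives."""
    gaps = []
    for name, (tier, max_months) in POLICY.items():
        produced = artifacts.get(name)   # None: artifact does not exist
        if produced is None:
            gaps.append((tier, name, "missing"))
        elif max_months is not None and produced < months_before(today, max_months):
            gaps.append((tier, name, f"older than {max_months} months"))
        elif (name in CHANGE_SENSITIVE and last_significant_change
              and produced < last_significant_change):
            gaps.append((tier, name, "predates last significant operational change"))
    return sorted(gaps)

# Constructed sample inventory: the date each artifact was last produced.
SAMPLE_INVENTORY = {
    "risk_analysis": date(2024, 9, 1),          "wisp": date(2024, 11, 20),
    "incident_response_plan": date(2023, 2, 1), "security_training": date(2024, 2, 1),
    "vulnerability_scan": date(2024, 7, 30),    "penetration_test": None,
    "audit_log_review": date(2024, 12, 20),     "ehr_access_review": date(2024, 4, 2),
}
TODAY = date(2025, 3, 15)
LAST_CHANGE = date(2024, 10, 15)   # constructed: e.g. an EHR migration
```

Calling `find_gaps(SAMPLE_INVENTORY, TODAY, LAST_CHANGE)` reports the risk analysis (predates the EHR migration) and training records (Tier 1) ahead of the missing penetration test and the stale vulnerability scan (Tier 2).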
ShieldForce clients receive audit-ready documentation as part of the managed service: risk analysis, WISP, incident response plan, training records, vulnerability scan reports, and backup documentation — all maintained and available for immediate production.
Prepare for your next CMS survey or OCR audit with confidence. ShieldForce keeps your hospice audit-ready with current compliance documentation, verified technical controls, and a 24/7 security posture that holds up under investigation.
Start with a free HIPAA assessment to identify any audit-readiness gaps.