Volunteers are the heart of many hospice organizations. They provide companionship, respite for family caregivers, administrative support, bereavement follow-up, and a range of services that make hospice care more human. They typically serve without compensation, bring genuine compassion, and are deeply committed to the organization's mission.
They are also, in many hospice organizations, a significant unaddressed HIPAA security gap.
When a volunteer accesses a patient's name, address, visit schedule, or any clinical information, even basic scheduling details, they are handling protected health information. When that volunteer uses their personal device to access the hospice scheduling system, or their personal email to communicate with the clinical team about a patient, they are creating the same HIPAA compliance obligations as a paid staff member.
Most hospice HIPAA security programs, particularly security awareness training, device policies, and access controls, are designed for paid staff. Volunteers fall into a gap that organizations often don't discover until an incident occurs.
What HIPAA Says About Volunteers
The HIPAA Privacy Rule's definition of workforce specifically includes volunteers. 45 CFR § 160.103 defines workforce as "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such entity or business associate, whether or not they are paid by the covered entity or business associate."
This means:
- Volunteers who access PHI must receive HIPAA training
- Volunteers must follow the same HIPAA policies as paid staff
- The hospice organization is responsible for volunteer HIPAA compliance just as it is for staff compliance
- A volunteer's unauthorized disclosure of patient information is a HIPAA breach attributable to the organization
The Specific Volunteer Security Risks in Hospice
Risk 1: Personal Email for Patient Communication
Volunteers who communicate with patients, families, or clinical staff about patient care via their personal Gmail, Yahoo, or Outlook accounts are transmitting PHI through non-HIPAA-compliant channels. Even information as basic as a patient's name and visit confirmation contains PHI in the context of hospice care.
The fix: All volunteer communication involving patient information must use organization-provided or organization-approved channels such as the hospice's email system, secure messaging platform, or approved EHR communication tools.
Risk 2: Volunteer Access to Scheduling Systems
Volunteers who are given login credentials to the scheduling or EHR system to view their patient assignments are accessing ePHI. If those credentials are on the volunteer's personal phone without MDM, encryption, or MFA, the access is not HIPAA-compliant regardless of how limited the volunteer's role seems.
The fix: Apply the same access controls to volunteer accounts as to staff accounts: enforce MFA, limit role-based access to the minimum data the volunteer needs, and deprovision accounts immediately when the volunteer's engagement ends.
Risk 3: Bereavement Volunteers and Family Contact Information
Bereavement volunteers who conduct follow-up calls to family members after a patient's death are working with personal contact information, family member names, and the implicit fact of a patient's death, all of which qualifies as PHI in the hospice context. This information may be stored in the volunteer's personal notes, phone contacts, or personal email.
The fix: Bereavement follow-up contacts must be documented in the organization's systems, not on volunteer personal devices. Volunteers conducting bereavement outreach must be trained on appropriate information handling.
Risk 4: Volunteer Training Gaps
Most hospice security awareness training is delivered to clinical and administrative staff. Volunteers attend a separate orientation that covers the mission, the patient experience, and general hospice philosophy, but it often includes only a brief HIPAA privacy overview without the security-specific content (phishing recognition, device security, and incident reporting) that the full staff training covers.
The fix: Volunteers who access PHI, including scheduling systems, patient names, or family contact information, must receive security awareness training that covers device security and phishing recognition, not just HIPAA privacy basics. Document completion.
The Access Review for Volunteer Accounts
The quarterly access review that your HIPAA compliance program requires must include volunteer accounts. The specific review questions:
- Are all active volunteer accounts associated with current, active volunteers?
- Have volunteers who have ended their engagement had their accounts deprovisioned?
- Do volunteer access permissions reflect the principle of least privilege?
- Are volunteer accounts enrolled in MFA?
Many hospice organizations discover during their first comprehensive access review that they have dormant accounts belonging to former volunteers who left years ago: accounts that have not been used but remain active and therefore exploitable.
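The four review questions above can be turned into a repeatable check. The script below is an added example, not part of the article or any ShieldForce tooling; it assumes a constructed directory export (username, role, MFA status, last login) and the volunteer coordinator's current roster, and flags every account that fails one of the four checks.

```python
from datetime import date

# Constructed sample data (not from the article): a directory export of
# volunteer accounts and the coordinator's roster of currently active volunteers.
ACCOUNTS = [
    {"user": "vol.amara", "role": "volunteer-scheduling", "mfa": True,  "last_login": date(2024, 5, 2)},
    {"user": "vol.ben",   "role": "volunteer-scheduling", "mfa": False, "last_login": date(2024, 4, 28)},
    {"user": "vol.carla", "role": "clinical-full",        "mfa": True,  "last_login": date(2024, 5, 1)},
    {"user": "vol.dev",   "role": "volunteer-scheduling", "mfa": True,  "last_login": date(2021, 9, 14)},
    {"user": "vol.eli",   "role": "volunteer-bereavement","mfa": True,  "last_login": None},
]
ACTIVE_ROSTER = {"vol.amara", "vol.ben", "vol.carla", "vol.eli"}
# Roles that match least privilege for volunteers (hypothetical role names).
VOLUNTEER_ROLES = {"volunteer-scheduling", "volunteer-bereavement"}


def review_volunteer_accounts(accounts, roster, allowed_roles, today, dormant_days=90):
    """Return {username: [issues]} for every account that fails a review check."""
    findings = {}
    for acct in accounts:
        issues = []
        # Q1/Q2: is the account tied to a current volunteer? If not, deprovision.
        if acct["user"] not in roster:
            issues.append("not on active roster: deprovision")
        # Q3: does the role reflect least privilege for a volunteer?
        if acct["role"] not in allowed_roles:
            issues.append(f"over-privileged role {acct['role']!r}")
        # Q4: is MFA enrolled?
        if not acct["mfa"]:
            issues.append("MFA not enrolled")
        # Dormancy: never logged in, or no login within the window.
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_days:
            issues.append(f"dormant: no login in {dormant_days} days")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_volunteer_accounts(
            ACCOUNTS, ACTIVE_ROSTER, VOLUNTEER_ROLES, date(2024, 5, 15)).items():
        print(user, "->", "; ".join(issues))
```

Run against a real export, the output is the evidence list for the quarterly review: each flagged account needs either remediation or a documented justification.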
Close the volunteer security gap at your hospice organization.
ShieldForce includes volunteer account management, access reviews, and training documentation in our hospice cybersecurity program.
Get a free hospice HIPAA assessment that covers your entire workforce, including volunteers.