A HIPAA employee confidentiality agreement is a non-disclosure contract under which an employee agrees not to use or disclose protected health information (PHI) encountered in the course of their employment, except as their job duties and HIPAA permit.
The agreement defines PHI, states the employee's obligations, and spells out the consequences of a breach. Depending on the severity of the violation, disciplinary action may range from a written warning to suspension or termination.
Laws & Standards: HIPAA Compliance
The HIPAA Privacy and Security Rules are the legal foundation for protecting patient information. A HIPAA employee confidentiality agreement supports compliance by making sure each employee knows what they may and may not do with PHI [1] .
Laws
- HIPAA Privacy Rule (45 CFR Part 160 [2] and Part 164 [3] )
- Purpose: To keep PHI confidential in order to maintain patient trust and privacy.
- Scope: Covers all individually identifiable health information in any form (paper, oral, or electronic), including medical histories, diagnoses, treatments, billing records, and the identifying details attached to them.
- Patient Rights: Gives patients control over who has access to their information and how it is shared, the cornerstone of healthcare confidentiality.
- Who Must Comply: Covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and the business associates and subcontractors that handle PHI on their behalf.
- HIPAA Security Rule [4] :
- Purpose: To protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
- Requirements: Administrative, physical, and technical safeguards, based on a documented risk analysis, to prevent unauthorized access, breaches, and other cyber threats to ePHI.
- Consequences of Non-Compliance:
- For the organization: civil monetary penalties, corrective action plans, lawsuits, and damage to its reputation.
- For employees: breaching a confidentiality agreement can result in disciplinary action such as a warning, suspension, or termination, and knowingly obtaining or disclosing PHI in violation of HIPAA can also carry individual criminal penalties.
Why This Matters
HIPAA compliance is key to safeguarding patient data and allowing healthcare entities to operate within the law. By signing a HIPAA Employee Confidentiality Agreement, employees acknowledge their legal responsibility to protect PHI, reducing the risk of privacy breaches and creating a safe environment for patient care.
Who Should Sign a HIPAA Employee Confidentiality Agreement?
Anyone whose job duties give them access to PHI should sign a HIPAA employee confidentiality agreement. Even if the business is not primarily a healthcare facility (for example, an IT vendor or billing service acting as a business associate), a signed agreement documents that the employee was told their obligations and protects both the employee and the organization.
Healthcare providers, insurers, clearinghouses, business associates, multi-employer health plans, and any other organization that handles identifiable PHI should have every workforce member who touches it sign such an agreement. Other HIPAA-related forms that involve access to medical records include:
- HIPAA subcontractor agreement: Extends the web of HIPAA compliance to individuals or companies hired by the primary contractor, reinforcing the protection of sensitive medical information.
- HIPAA business associate agreement: Ensures that all entities uphold HIPAA standards and PHI confidentiality to the same degree as the healthcare provider.
- Medical records release (HIPAA) form: Empowers individuals to grant permission for the seamless sharing of their medical records between healthcare providers.
Definition of Confidential Information
Under HIPAA, the confidential information is PHI: individually identifiable health information, that is, health, treatment, or payment data combined with anything that can identify the patient directly or indirectly. Protecting these identifiers prevents unauthorized access to personal information, which can lead to privacy violations, financial fraud, identity theft, and even discrimination.
Protecting PHI builds trust between healthcare providers and patients and maintains the integrity of the healthcare system.
Why These Identifiers Are Protected:
- Identity Theft: Unauthorized access to identifiable information can lead to identity fraud, misuse of insurance benefits, and financial loss to the individual.
- Patient Privacy: Patients share very personal information with healthcare providers. Disclosure of this information without consent breaches their privacy and damages trust.
- Compliance: Not protecting PHI can lead to legal fines, reputational damage, and civil lawsuits.
Protected Health Information Identifiers
Under HIPAA's Safe Harbor de-identification standard (45 CFR 164.514(b)(2)), 18 categories of identifiers must be removed before health information counts as de-identified; while any of them is present alongside health data, the record is PHI. The 18 identifiers are [5] :
- Names
- All geographic subdivisions smaller than a state (e.g., street address, city, county, precinct, ZIP code), except that the first three digits of a ZIP code may be kept when the area they cover has more than 20,000 people
- All elements of dates (except year) directly related to an individual (e.g., birth date, admission date, discharge date, date of death), and all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (e.g., fingerprints, voice prints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
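Several of the identifiers above have a recognisable shape, which makes them a natural target for a simple scanner that flags or redacts them before clinical text is pasted into a ticket, chat, or log. The following is an added example, not code from the original page: a pattern-based detector for the structurally detectable identifiers (SSN, phone/fax number, email address, IP address, URL, dates, and a medical record number). The "MRN-" plus eight digits format and the sample lines are constructed for the example; names, geographic details, and other free-form identifiers need dictionary or NLP-based detection and are deliberately out of scope.

```python
"""Pattern-based scanner for the structured HIPAA identifiers in free text.

Added example, not code from the original page. Only identifiers with a
recognisable shape are covered. The MRN format ("MRN-" + 8 digits) and the
sample lines below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Category name (one of the 18 HIPAA identifiers) -> compiled regex.
PATTERNS: Dict[str, re.Pattern] = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Lookarounds instead of \b so a leading "(" is captured as part of the match.
    "Phone/fax number": re.compile(
        r"(?<!\d)(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"
    ),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "Date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "Medical record number": re.compile(r"\bMRN-\d{8}\b"),  # assumed format
}


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, value) for every structured identifier found in text."""
    hits: List[Tuple[str, str]] = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def redact(text: str) -> str:
    """Replace each detected identifier with a [CATEGORY] placeholder."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


def scan_lines(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line number -> sorted identifier categories found on it.

    Lines with no structured identifier are omitted. An empty dict means the
    scanner found nothing; it does not prove the text is de-identified, since
    names and addresses are not matched by these patterns.
    """
    report: Dict[int, List[str]] = {}
    for number, line in enumerate(lines, start=1):
        categories = sorted({category for category, _ in find_identifiers(line)})
        if categories:
            report[number] = categories
    return report


# Constructed sample, not real patient data.
SAMPLE_LINES = [
    "Patient Jane Doe, DOB 03/14/1961, MRN-00482913, admitted 2024-01-15.",
    "Contact: jane.doe@example.com, phone (555) 123-4567, SSN 123-45-6789.",
    "Portal login from 10.0.0.5 via https://portal.example.org/visit/8831",
    "Nothing identifying on this line: the unit was restocked today.",
]

if __name__ == "__main__":
    for number, categories in scan_lines(SAMPLE_LINES).items():
        print(f"line {number}: {', '.join(categories)}")
    print()
    for line in SAMPLE_LINES:
        print(redact(line))
```

Run against the constructed sample, the scanner flags lines 1 to 3 and leaves line 4 clean, and redaction of line 2 yields "Contact: [EMAIL ADDRESS], phone [PHONE/FAX NUMBER], SSN [SOCIAL SECURITY NUMBER]." Note that "Jane Doe" survives redaction of line 1: a regex scanner is a useful guard rail for the structured identifiers, not a substitute for the full Safe Harbor review or an expert determination.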
How To Write a HIPAA Employee Confidentiality Agreement
The HIPAA employee confidentiality agreement needs to spell out exactly what the employee is agreeing to and what the confidential information is. Here are the main steps to follow when creating your document:
Step 1 – Identify the Parties
- State the name of the employer (company or organization).
- State the name of the employee (individual).
- Include titles or positions if relevant for clarity.
- Specify the nature of the relationship, such as “This contract is between [Employer Name] and [Employee Name].”
- If applicable, mention if the employee is working for another agency instead of the employer, and adjust the opening clause accordingly.
Step 2 – Define Protected Health Information
- Before listing the identifiers, add a general paragraph stating, "PHI includes but is not limited to medical records, financial records, or billing information; data regarding a patient's past, present, or future medical care; past, present, or future payment; insurance information; and any of the following." Then list the 18 identifiers so there is no ambiguity about what the employee must protect.
Step 3 – Non-Disclosure Agreement
- Detail the non-disclosure requirements. Specify that the employee may access, use, or disclose PHI only as required by their job duties and as permitted by HIPAA, never for personal purposes or to anyone without a legitimate need to know, and that the obligation continues after employment ends.
- Mention the circumstances where disclosure is permitted without the patient's written authorization (e.g. for treatment, payment, and healthcare operations, or when a patient requests access to their own records).
Step 4 – Standard Contract Clauses
- Consult your attorney or legal department for standard contract terms, if any.
- You may want to include standard clauses regarding release of liability, severability, integration with other contracts, and arbitration.
Step 5 – Sign and Date the Document
- After a final review, both parties sign and date the document, on paper or with an electronic signature. Keep the signed copy with the employee's training records; the Privacy Rule requires covered entities to document workforce training and their sanctions policy (45 CFR 164.530).
HIPAA Employee Confidentiality Agreement Sample
Download our HIPAA employee confidentiality agreement template below in PDF or Word format.