A HIPAA employee confidentiality agreement is a non-disclosure contract for employees, specifying they will not disclose protected health information (PHI) encountered during the course of their employment.
The confidentiality agreement describes PHI, the terms, and the consequences in the event of a breach. Disciplinary action may include warnings, suspension, or termination, depending on the level of violation.
Laws & Standards
- 45 CFR Part 160, 45 CFR Part 164
- The HIPAA Privacy Rule lays out in basic terms what information is protected, who may access it, and which individuals and entities are covered by the rule itself. It also gives patients the right to control their health information and to limit access as they see fit. The end goal of the HIPAA Privacy Rule is to ensure the smooth flow of critical information while protecting patient data and privacy.
Who Should Sign a HIPAA Employee Confidentiality Agreement?
Anyone who has access to or comes into contact with PHI regularly during their work duties should sign a HIPAA employee confidentiality agreement. Even if the business is not primarily a healthcare facility, employees should protect themselves and their agency.
Healthcare providers, insurers, clearinghouses, business associates, multi-employer health plans, and any other agency that handles identifiable PHI must have their employees sign HIPAA employee confidentiality agreements. Other HIPAA-related forms that involve access to medical records include:
- HIPAA subcontractor agreement: Extends the web of HIPAA compliance to individuals or companies hired by the primary contractor, reinforcing the protection of sensitive medical information.
- HIPAA business associate agreement: Ensures that all entities uphold HIPAA standards and PHI confidentiality to the same degree as the healthcare provider.
- Medical records release (HIPAA) form: Empowers individuals to grant permission for the seamless sharing of their medical records between healthcare providers.
Definition of Confidential Information
HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996 to allow individuals to keep their health insurance when they moved or switched jobs. This required a secondary privacy control to protect the confidentiality of patient data, called protected health information or PHI. Protected health information includes identifying information and insurance data for patients.
The statutory definition of protected health information has 18 identifiers. It covers any information in the medical record that can be used to identify an individual and that also contains information about a diagnosis or treatment. Some identifiers alone are not considered PHI, such as vital signs without the medical record number or the patient’s name.
Confidential information identifiers include:
- All geographic areas smaller than a state (such as cities and counties)
- All elements related to dates
- Phone numbers and fax numbers
- Social Security numbers
- Health plan beneficiary numbers
- Biometric identifiers such as fingerprints and voice prints, as well as photographs and comparable images
A complete list of identifiers can be found at 45 CFR 164.514.
How To Write a HIPAA Employee Confidentiality Agreement
The HIPAA employee confidentiality agreement needs to spell out exactly what the employee is agreeing to and what the confidential information is. Here are the main steps to follow when creating your document:
Step 1 – Identify the Parties
This is a contract between an employer and an employee. It should be included in the employee’s personnel file. If the employee is not working for the employer but at another agency, the opening clause should state this.
Step 2 – Define Protected Health Information
You may want a general paragraph stating: “PHI includes but is not limited to medical records, financial records, or billing information; data regarding a patient’s past, present, or future medical care; past, present, or future payment; insurance information; and any of the following:” before listing the identifiers.
Step 3 – Non-Disclosure Agreement
You may include standard non-disclosure language, along with any conditions under which a release of PHI is permitted.
For instance, if the patient is allowed to request their own records, you may want language specifying that the “employee may not disclose any PHI without the employer’s prior written consent.”
Step 4 – Standard Contract Clauses
Consult your attorney or legal department for standard contract terms, if any. You may want to include standard clauses regarding release of liability, severability, integration with other contracts, and arbitration.
Step 5 – Sign and Date the Document
After a final review, both parties sign and date the printed form.
HIPAA Employee Confidentiality Agreement Sample
Download our HIPAA employee confidentiality agreement template below in PDF or Word format.