Use our HIPAA employee confidentiality agreement to protect patient data from being disclosed by employees within your healthcare organization.
Updated November 7, 2023
Written by Ioana Gagiuc | Reviewed by Brooke Davis
A HIPAA employee confidentiality agreement is a non-disclosure contract for employees, specifying they will not disclose protected health information (PHI) encountered during the course of their employment.
The confidentiality agreement describes PHI, the terms, and the consequences in the event of a breach. Disciplinary action may include warnings, suspension, or termination, depending on the level of violation.
Anyone who has access to or comes into contact with PHI regularly during their work duties should sign a HIPAA employee confidentiality agreement. Even if the business is not primarily a healthcare facility, employees should protect themselves and their agency.
Healthcare providers, insurers, clearinghouses, business associates, multi-employer health plans, and any other agency that handles identifiable PHI must sign HIPAA employee confidentiality agreements. Other HIPAA-related forms that involve access to medical records include:
HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996 to allow individuals to keep their health insurance when they moved or switched jobs. The law also required privacy controls to protect the confidentiality of patient data, known as protected health information (PHI). Protected health information includes identifying information and insurance data for patients.
The statutory definition of protected health information has 18 identifiers. It covers any information in the medical record that can be used to identify an individual and that also contains information about a diagnosis or treatment. Some data elements on their own are not considered PHI, such as vital signs recorded without the medical record number or the patient’s name.
Confidential information identifiers include:
A complete list of identifiers can be found at 45 CFR 164.514.
The HIPAA employee confidentiality agreement needs to spell out exactly what the employee is agreeing to and what the confidential information is. Here are the main steps to follow when creating your document:
This is a contract between an employer and an employee. It should be included in the employee’s personnel file. If the employee is not working for the employer but at another agency, the opening clause should state this.
You may want a general paragraph stating: “PHI includes but is not limited to medical records, financial records, or billing information; data regarding patient’s past, present, or future medical care; past, present, or future payment; insurance information; and any of the following:” before listing the identifiers.
You may include standard non-disclosure language if there are any conditions under which a release of PHI may be permitted.
For instance, if the patient is allowed to request their own records, you may want language that specifies that the “employee may not disclose any PHI without employer’s prior written consent.”
Consult your attorney or legal department for standard contract terms, if any. You may want to include standard clauses regarding release of liability, severability, integration with other contracts, and arbitration.
After performing a final review, both parties must add their signature and date on the printed form.
Download our HIPAA employee confidentiality agreement template below in PDF or Word format.