What is a HIPAA Employee Confidentiality Agreement?

Healthcare providers, business associates, and subcontractors often ask their employees to sign a HIPAA employee confidentiality agreement statement. The purpose of the HIPAA employee confidentiality agreement is to ensure that an employee of a provider (or of another organization, including a business associate, or a subcontractor) will maintain the confidentiality and secrecy of protected health information, and other information that is confidential. 

A HIPAA employee confidentiality agreement statement contains terms outlining the consequences of a violation. The agreement typically states that if an employee deliberately violates a provision requiring him or her to keep information confidential and not use or disclose it, the employee will face disciplinary action. The type of disciplinary action is stated in the HIPAA employee confidentiality agreement, and may include a warning, suspension, or termination of employment. The features of a HIPAA employee confidentiality agreement are discussed below.

What is a HIPAA Employee Confidentiality Agreement: Who Should Sign One?

Whether you are a healthcare provider, a business associate, a subcontractor, or an independent contractor, you may have employees who, as part of their work duties, may see, hear, or touch protected health information (PHI).

If you are a provider, or a business associate, your employees may view PHI on a regular basis. If you are performing services for a provider or a business associate that are not healthcare-related, your employees may still be exposed to PHI if or when those employees are working on the premises of a healthcare provider or business associate. To ensure your employees do not use, access, or disclose protected health information other than as required to perform their jobs, you can request that they sign a HIPAA employee confidentiality agreement with you.

A HIPAA employee confidentiality agreement is an agreement between an employer and its employee, under which the employee agrees to:

• Not access, use or disclose PHI or ePHI, except when necessary to perform job duties.
• Not access, use or disclose any other types of confidential information, unless required for the performance of job duties.
• Not modify or copy confidential information.
• Keep security codes and passwords used to access a facility, equipment, or computer systems, confidential at all times. 
• Return all property, including keys, access cards, ID badges, and organization documents, to the employer when employment is terminated or completed.
• Be bound by the use, disclosure, and confidentiality obligations under the Confidentiality Agreement even after employment has concluded, to the extent permitted by law.
• Be subject to disciplinary action if the employee violates the terms of the confidentiality agreement.

What is a HIPAA Employee Confidentiality Agreement: Definition of “Confidential Information”

When drafting a HIPAA employee confidentiality agreement, an employer should be specific as to what constitutes “confidential information.”

For example, an employer may describe, as confidential, “PHI that may be included in documentation, communication or correspondence in any form, i.e. paper, magnetic or optical media, conversations, film, etc.” 

The HIPAA employee confidentiality agreement may also contain a provision specifically defining PHI: 

“PHI includes medical records, financial information, or billing information relating to a patient’s past, present or future mental or physical condition; or past, present or future provision of healthcare; or past, present, or future payment for provision of healthcare, and contains any of the following identifiers that may be used to identify a patient in relation to PHI:

1. Patient names.  
2. Geographical elements (such as a street address, city, county, or zip code).
3. Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89).
4. Telephone numbers.
5. Fax numbers.
6. Email addresses.
7. Social Security numbers.
8. Medical record numbers.
9. Health insurance beneficiary numbers.
10. Account numbers.
11. Certificate/license numbers.
12. Vehicle identifiers.
13. Device attributes or serial numbers.
14. Digital identifiers, such as website URLs. 
15. IP addresses.
16. Biometric elements, including finger, retinal, and voiceprints.
17. Full face photographic images.
18. Any other unique identifying numbers, characteristics, or codes.