HIPAA Employee Confidentiality Agreement

When working in healthcare, organizations and individuals are privy to protected health information, including the medical records of clients. In order to protect these patients, HIPAA requires healthcare workers to sign a confidentiality agreement. The HIPAA Act of 1996 was created to ensure that the private medical records of individuals would not be shared with other parties without those individuals knowing.

What is a HIPAA Confidentiality Agreement?

Under HIPAA, a healthcare worker who shares a patient’s private medical information without their knowledge or permission is subject to severe penalties. The confidentiality agreement (also called an NDA) states that a worker will not share any protected health information (also known as PHI). This includes information they have received electronically.

Workers are bound by confidentiality agreements to request and view only the information that is necessary for the care of the patient. They are often required to dispose of or destroy PHI once it is no longer necessary for their care of the patient.

What Is a HIPAA Privacy Rule?

The goal of HIPAA’s Privacy Rule is to allow access to health information by those who require it, while safeguarding this confidential information from others. Organizations and other healthcare providers that the Privacy Rule applies to are defined as covered entities.

In addition to the basic Privacy Rule, the Security Rule protects electronic health data that is shared with healthcare professionals. Covered entities are responsible for protecting their electronic data and preventing breaches under the Security Rule.

Does HIPAA Confidentiality Agreement Cover All Employees?

HIPAA’s confidentiality agreement covers health plans, health care clearinghouses, and health care providers that share information. The goal of HIPAA is to cover anyone who may see confidential information in their job. Employees of covered entities have to sign a document stating their commitment to keeping the privacy of their patients.

Do the HIPAA Rules Apply to Health Insurance Employees Giving Out Their Full Name?

HIPAA specifically protects 18 key pieces of identifying information. These include the full name of the patient. If the name is being used in a medical capacity, it is a violation of HIPAA to share the name of a patient. Other protected information includes geographic location, dates connected to an individual (such as graduation, birth, and death), phone numbers, fax numbers, and other identifying information.

What Should Be Included in the Agreement?

The confidentiality agreement should cover the 18 key pieces of PHI. It needs to state that the signatory of the contract will not violate the enclosed terms that protect the rights of patients.

The 18 PHI Identifiers

The 18 pieces of information named as confidential by HIPAA are as follows:

  • Full name
  • Geographic subdivision smaller than a state
  • Account numbers
  • Phone number
  • Fax number
  • Email address
  • Social Security number
  • Full-face photographic images
  • Dates related to the individual
  • Device identifiers
  • Health plan beneficiary numbers
  • Biometric information
  • License plate number
  • Certificate or license number
  • IP address or URL
  • Medical record numbers
  • Any other identifying information not covered above

All of this information is deemed confidential and therefore protected under HIPAA.

HIPAA still applies after leaving a health care position. Former healthcare professionals will still be prosecuted if they reveal any of the confidential information that they had access to while working as a health care employee. This must be noted in the non-disclosure agreement template.

Returning Information

Also included in a HIPAA agreement is the confirmation that the employee will immediately return any PHI that the company requests. This means that whatever health information the employee has access to is held at the discretion of their employer.

General Provisions

In addition to all of the information above, general provisions need to be accounted for in the agreement. These include an affirmation that the employee will follow the laws of the state and a clause that specifies the punishment of the employee upon breach (in addition to legal punishment).

Is It Possible to be Penalized for Breaching a HIPAA Confidentiality Agreement?

Upon signing a confidentiality agreement, an employee is legally bound to that document, much like an NDA. Any breach of the terms stated within the agreement will lead to a heavy penalty. A violation of the Health Insurance Portability and Accountability Act is a violation of the law.

The HHS has a special enforcement branch called the Office for Civil Rights that specifically targets violations of HIPAA. As a result, the confidential health information of individuals is strongly protected, leading to greater privacy in the healthcare sector.

Outside of the government, healthcare providers will also punish employees on their own if they violate the agreement. Any breach of the Health Insurance Portability and Accountability Act damages the reputation of the organization or entity under which it took place, so employers will often sue employees for damages if they violate it.

Filling out the HIPAA Confidentiality Agreement

While all of this may sound complicated, the confidentiality agreement is very similar to a simple non-disclosure agreement. It requires only basic information from the covered entity and its employee. Many agreements are sent as a PDF for employees to fill out upon hiring.

Review the Document

A confidentiality agreement has certain qualifications that must be met. Double-check that each requirement is present in the document.

Provide an Accurate Date

The date on the document needs to be correct to ensure that the document remains valid for the intended period of time.

Name Parties and Sign

Both the covered entity employer and the employee must be named within the document. Each party signs where indicated to finalize acceptance of the terms and conditions of the agreement.

Published: Aug 17, 2022