What is a Confidentiality Agreement?

Modified on Mon, 11 Dec, 2023 at 12:05 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.



A Confidentiality Agreement (CA) is a signed, legally enforceable document. In a Confidentiality Agreement, one party promises to keep another party's information confidential. A confidentiality agreement may be entered into between two parties negotiating a business deal, who want their respective sensitive company data kept confidential if shared between them. An employer may require that an employee sign a confidentiality agreement, in which the employee promises to keep information the employee views or accesses confidential.

The HIPAA law and regulations do not expressly require a HIPAA-covered entity (covered entity or business associate) to enter into a confidentiality agreement - either as the party requiring a promise to keep information confidential, or the party obligated to keep information confidential.

The HIPAA Privacy Rule at 45 CFR 164.530 requires HIPAA-covered entities to "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." A confidentiality agreement a HIPAA-covered entity requires an employee to sign, in which the employee promises to treat PHI the employee views or accesses as confidential, is an example of an administrative safeguard. The precise wording of such an agreement should be discussed with an attorney, who can furnish language appropriate to an organization's needs. The Security Rule at 45 CFR 164.306 requires covered entities and business associates to "Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits." A HIPAA-covered employer may seek to ensure confidentiality of ePHI by, among other things, having an employee sign a confidentiality agreement - in which the employee agrees to treat ePHI the employee views or accesses as confidential.

Confidentiality agreements may be appropriate in other circumstances as well. The Privacy Rule at 45 CFR 164.530(c)(2)(i) provides, "A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that violates the standards, implementation specifications or other requirements of the Privacy Rule," while 45 CFR 164.530(c)(2)(ii) provides that "a covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure." Collectively, these requirements impose an obligation on HIPAA-covered entities to take measures to prevent PHI and ePHI from being unintentionally accessed, viewed, or disclosed. A confidentiality agreement might be an appropriate measure to meet this obligation. If I am a covered entity and a janitorial service cleans my office and removes the trash every evening, there is a possibility that a member of the janitorial staff may inadvertently access PHI. A confidentiality agreement between me, as the employer, and the janitorial service, obligating its employees to keep such information confidential and to report any unintentional uses or disclosures, may be an appropriate "reasonable safeguard." As above, a HIPAA-covered entity would want to discuss the wording of such an agreement with a qualified attorney.
