Comprehensive Guide to HIPAA and Confidentiality Agreements

Modified on Wed, 18 Sep at 11:02 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

A Confidentiality Agreement (CA) is a signed, legally enforceable document. In a Confidentiality Agreement, one party promises to keep certain information relating to the other party confidential. A confidentiality agreement may be mutual; the agreement can be written to require each party to keep certain information about the other confidential. To keep information confidential generally means to not disclose that information to a third party, and to disclose it only to workforce members whose job performance requires awareness of the nature of the confidential information.

What are Some Examples of When a Confidentiality Agreement is Used?
A confidentiality agreement may be entered into between two parties negotiating a business deal, who want their respective sensitive company data kept confidential if shared between them. An employer may require that an employee sign a confidentiality agreement, in which the employee promises to keep confidential the information the employee views or accesses.

A confidentiality agreement may also be entered into between two parties who are already doing business with each other, where one party possesses information that it does not want disclosed to the outside world. This information can include financial information, sensitive business information such as the details of negotiations, or information that one party is under an obligation to keep private or limit access to.

Does HIPAA Require the Use of Confidentiality Agreements?
Neither the HIPAA law nor the HIPAA regulations mention the phrase "confidentiality agreement." There is no express requirement that a HIPAA-covered entity enter into a confidentiality agreement - either as the party requiring another party to keep confidential the information it may view, or as the party that is itself obligated to keep confidential the information it views.

Rather, the utility of having a confidentiality agreement is inferred from the text of the HIPAA Privacy Rule. 

Circumstances in Which a Confidentiality Agreement May be Appropriate - Employees
The HIPAA Privacy Rule at 45 CFR 164.530 requires HIPAA-covered entities to "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." A confidentiality agreement that a HIPAA-covered entity requires an employee to sign, in which the employee promises to treat PHI the employee views or accesses as confidential, is an example of an administrative safeguard. The precise wording of such an agreement should be discussed with an attorney, who can furnish language appropriate to an organization's needs.

The Security Rule at 45 CFR 164.306 requires covered entities and business associates to "Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits." A HIPAA-covered employer may seek to ensure the confidentiality of ePHI by, among other things, having an employee sign a confidentiality agreement, in which the employee agrees to treat ePHI the employee views or accesses as confidential.

Circumstances in Which a Confidentiality Agreement May be Appropriate - Third Parties
Confidentiality agreements may be appropriate in other circumstances as well.

The Privacy Rule at 45 CFR 164.530(c)(2)(i) provides, "A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that violates the standards, implementation specifications or other requirements of the Privacy Rule," while 45 CFR 164.530(c)(2)(ii) provides that "a covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure."

Collectively, these requirements impose an obligation on HIPAA-covered entities to take measures to prevent PHI and ePHI from being unintentionally accessed, viewed, or disclosed. A confidentiality agreement might be an appropriate measure to meet this obligation, when doing business with an entity that HIPAA does not regulate (that is, an entity that is not a covered entity or a business associate). 

An example of an entity that HIPAA does not regulate is a janitor service that cleans a CE healthcare provider's facility every night. The janitor is not a healthcare provider, health plan, or healthcare clearinghouse. Nor is it a business associate of any of these entities - that is to say, the janitor service does not create, maintain, receive, and/or transmit PHI for or on behalf of these entities. However, a janitor service might still access or view PHI:

If I am a covered entity provider and a janitorial service cleans my office and removes the trash every evening, there is a possibility that a member of the janitorial staff may inadvertently access PHI. One of my (the provider's) workforce members may accidentally have left a piece of paper containing PHI on the floor. The janitor service may believe the piece of paper is part of a pile of blank index cards I intended for the janitor service to throw out, only to discover that the piece of paper is a patient record. A confidentiality agreement between me, as the provider-employer, and the janitorial service, obligating its (the janitor service's) employees to keep such information confidential and to report any unintentional uses or disclosures to me (as the provider), may be an appropriate "reasonable safeguard" to prevent unintentional use or disclosure and mitigate its consequences. A HIPAA-covered entity would want to discuss the appropriateness and the wording of such an agreement with a qualified attorney.

What Might Happen if a Covered Entity Does Not Enter Into A Confidentiality Agreement With An Entity Not Covered by HIPAA?
A covered entity provider that does not enter into a confidentiality agreement with a third party (one that requires the non-HIPAA-covered entity to refrain from accessing PHI, and that requires the entity to report to the provider any PHI that it inadvertently accesses) may be found to have not implemented reasonable safeguards to protect PHI from intentional or unintentional use or disclosure. When a provider enters into a business associate agreement with a business associate, legal protection is already in place to safeguard the confidentiality, availability, and integrity of PHI. However, since non-HIPAA-covered third parties are not required to sign business associate agreements, such parties, if they do not sign a confidentiality agreement, may not be legally bound (that is, through a binding agreement), and may be found by a court not to be under a legal obligation to keep (or to have kept) confidential the PHI that they access or accessed.

In some instances, a court may find that there is an "implied-in-law" confidentiality agreement. That is, a court will find that a confidentiality agreement exists (even if one is not in place). These instances are ones in which the parties have some kind of special relationship with or to each other involving obligations of trust or loyalty, or to not repeat or disclose client information except when legally required to. Examples of such special relationships include doctor-patient, attorney-client, and relationships where someone (for example, a trustee) is assigned to take care of someone else's money or assets. 

However, in "garden-variety" business relationships, such as those between a healthcare provider and another company with which the provider contracts to provide a routine business service, such as cleaning services, trash disposal, painting, construction, supplying of stationery or food, it is unlikely that a court will find an "implied-in-law" confidentiality agreement to exist. If the PHI of a patient is disclosed to someone who is not under a legal duty to protect that PHI, a provider may nonetheless face legal action in the form of a state law disciplinary or ethics proceeding; a state's rules of professional conduct governing the provider's area of practice may prohibit a provider from having acted negligently in storing PHI. A state rule of conduct may provide that a provider who has acted negligently in storing PHI, is subject to disciplinary action and even loss of license as a result of such negligence.

What are Some Specific Confidentiality Agreement Scenarios?
Although the focus of this article has so far been on whether a covered entity should enter into a confidentiality agreement with a non-HIPAA-covered entity, there is at least one instance where a confidentiality agreement between HIPAA-covered entities may be appropriate: a provider, health plan, or clearinghouse that is a CE may wish to enter into a confidentiality agreement with another CE (another CE provider, health plan, or clearinghouse) when each CE is providing CE services to the other. While HIPAA requires each such entity to safeguard the confidentiality of PHI, having a formal agreement that spells out the ramifications for its breach (e.g., termination of an underlying services agreement between the parties) can serve as an incentive to ensure each party acts mindfully with respect to its CE obligations.

What about a situation in which a provider hires a clinician to provide treatment, for a limited arrangement or period of time, from a temp agency or staffing agency that employs the clinician? If the staffing agency is acting as a business associate with respect to the provider (the hiring provider), the provider should consider entering into a BAA with the staffing agency, and should also consider entering into a confidentiality agreement with the clinician. The clinician is not providing business associate services to the provider, but is providing services involving access to the provider's PHI. A confidentiality agreement can (among other things) ensure that this access, if improper, can result in the termination of the clinician's services performed for the provider.

Another instance in which entering into a confidentiality agreement can be considered is when a practice is a tenant in a multi-tenant space. In this case, the practice may wish to enter into a confidentiality agreement with the landlord. If the landlord refuses to do this, the practice may wish to negotiate with the landlord to obtain an assurance that the landlord will report PHI that the landlord or its agents might encounter. A provision containing such an assurance might be added to the lease, if the landlord agrees to such a provision.

Another instance in which a confidentiality agreement may be appropriate is one in which a clinician rents office space to another clinician. The two might want to consider entering into a confidentiality agreement.

When Might a Confidentiality Agreement Not be Required?
A confidentiality agreement may not be required when the entity to which a HIPAA-covered entity gives information is a "conduit" for PHI. A data transmission service entity that accesses PHI is a conduit, as opposed to a business associate, if the entity is not required to access the PHI on a routine basis. Examples of conduits include the U.S. Postal Service and UPS.

The determination of whether an entity is a conduit, as opposed to a business associate, is a fact-specific one, and depends upon the nature of the services provided and the extent to which the entity needs access to PHI to perform the service for the covered entity. HHS' definition of what constitutes a "conduit" is narrow. Entities are conduits only if they provide mere courier services, such as the U.S. Postal Service or UPS and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. 

Further, HHS guidance provides that a conduit is an entity that transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to PHI when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to PHI would not qualify the company as a business associate. In contrast, an entity that requires access to [PHI] to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of PHI through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate.

HIPAA-covered entities may not have to enter into confidentiality agreements with conduits. The determination of whether a confidentiality agreement should be entered into with a conduit should be made by a qualified healthcare attorney. In some cases, entering into a confidentiality agreement with a conduit may be difficult, if not impossible. Entering into a confidentiality agreement with the U.S. Postal Service, for example, is not feasible. HIPAA-covered entities should consult with a qualified attorney to determine whether an entity that provides transmission services for the HIPAA-covered entity is a conduit.

