What is a HIPAA Employee Confidentiality Agreement?
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that sets national standards for the security and privacy of protected health information (PHI). As part of compliance with HIPAA, it is common for a covered entity to have each employee (and in some cases volunteers, contractors and interns) sign a HIPAA employee confidentiality agreement in order to address PHI and other confidential information. These agreements are commonly used in healthcare organizations where employees are required to handle PHI in order to provide healthcare services. They are also often used in other situations where confidential business information is shared with employees.
Although these agreements can go by many different names, including HIPAA confidentiality agreements, confidentiality and non-disclosure agreements, personnel confidentiality agreements, and employment agreements, they all generally serve the same purpose. They are designed to codify the employee’s responsibilities and obligations regarding physical and electronic access and disclosure of protected health information and to avoid embarrassment , harm, or liability to the employer. In order to protect the employer’s interests, these agreements should require the employee to keep confidential all PHI, company records, trade secrets, confidential information, and any other information that is proprietary to the employer. There may be exceptions to this confidentiality that are spelled out in the agreement, such as disclosing information to authorized persons in the course of their duties, reporting to a supervisor, or complying with legal obligations.
In signing the agreement, the employee usually acknowledges receipt of a copy of the employer’s privacy and security policies. In some cases, the agreement imposes additional obligations on the employee, such as prohibiting the employee from using the employer’s name in a manner that would permit identification of the employer without first obtaining permission. They may also require the employee to agree to return all company property upon termination of employment and to agree that misappropriation of confidential or proprietary information shall be grounds for discipline.
Essential Components of a HIPAA Confidentiality Agreement
A HIPAA confidentiality agreement should be brief, to the point, and understandable to any employee and contain a few vital components which let your employees know what is expected of them in order to comply with the HIPAA privacy and security rules.
Definitions
PHI, or protected health information. It’s the information which the HIPAA privacy rule protects. It can be in any form, oral or written, on paper or electronic. It applies to individually identifiable health information, including, but not limited to demographic data that relates to the physical or mental health, or the provision of health care to an individual. PHI encompasses just about any health information related to a patient, where a person can clearly identify a patient, including billing and enrollment records and claims information. Here is a complete definition of PHI.
Responsibilities
Lay out precisely what information is authorized for the employee to access, to share, and to safeguard. Simply put, at its most basic, an employee is not to remove, copy, or share PHI unless the patient or the law has authorized it, and then only by your company policy.
Consequences
It is extremely important to make it obvious to the employee what the ramifications are for violating the agreement to handle PHI or breaches of confidentiality. A positive disciplinary clause is extremely important, and there should also be an acknowledgment on the part of the employee that violation of HIPAA or the Privacy Rule may mean civil or criminal penalties.
Who Should Sign a HIPAA Confidentiality Agreement?
Employees or contractors performing work on behalf of a covered entity that have access to protected health information (PHI) of a covered entity should sign a HIPAA confidentiality agreement in order to remain compliant with the HIPAA privacy standards. The HIPAA privacy standards defines PHI as all individually identifiable health information of an individual obtained by a HIPAA covered entity, such as an employer, provider, health plan, or business associate. For example, employees and contractors that will have access to PHI should sign a confidentiality agreement prior to beginning employment or contract.
The healthcare roles most likely to have access to PHI of a covered entity include, among others: administrators, billing and coding specialists, employees in medical records, IT/IS professionals, employee human resources, payroll and benefits, workers’ compensation, and other miscellaneous positions. Other employees or contractors that will have access to PHI are those with the authority to make decisions regarding the use and disclosure of PHI, or for the staff members that directly handle the requests of patients, providers and payers.
Legal Ramifications for Non-Compliance
The legal implications of breaching HIPAA are two-fold. Oftentimes, the organization itself will be subject to penalties, but the individual employees (and not just those with access to PHI) can also be subjected to legal action. Organizations. Organizations who violate HIPAA’s terms can be hit with civil and criminal penalties. The amount of the penalty received depends on how the violation occurred, the organization’s culpability in the breach, and how many people were affected. Unlike state law, there are no caps on the penalties an organization can receive due to HIPAA violations . The mandatory penalty amount for a HIPAA violation is $100, but the maximum penalty can run into the millions of dollars. Employees. Employees who violate HIPAA can be charged with civil and criminal charges. Depending on the severity of the violation, employees can face up to $250,000 in fines and ten years in prison. Individuals who knowingly violate HIPAA’s terms are also subject to civil penalties, which can range anywhere from $100 to $50,000, and up to 6 months in prison. The penalties can be doubled if the violation occurs with "malicious intent."
Best Practices Regarding HIPAA Agreements
Unfortunately, having an employee confidentiality agreement or a HIPAA related policy is not enough. It is not enough to simply have the policies. You must actively work with your employees to ensure that the policies are understood, followed and practiced. For example, you should require your employees to complete HIPAA training regularly and conduct periodic audits of employee work to confirm compliance with the confidentiality agreements and HIPAA policies.
Regular training and education will go a long way in securing compliance with the employee confidentiality agreements. The type of training you should conduct on a regular basis depends upon the employee’s position with your company, but larger companies may want to undergo training quarterly, while smaller companies can implement training yearly.
The first step in ensuring that your employees are aware of their obligations under HR policies is to conduct onboarding when they are hired. Onboarding is different from simple orientation. Orientation occurs when the employee is first presented with the HR Policies. Onboarding involves taking time to train the employee about the HR Policies. You may want to consider one-on-one onboarding for key employees that have access to PHI as well as conducting group onboarding sessions for other employees.
Typically, your HR Policies should have two components: policies that are specific to the position and policies that apply to everyone (such as policies prohibiting sexual harassment). You should designate the policies that are specific to the person’s position and review those during the onboarding process. To the extent the employee will have access to PHI, review the PHI related policies. Our HIPAA for TX HIPAA Managers course has a section in the HIPAA Security Rule that outlines the essential elements for training your workforce on PHI.
Hypothetical and Real-World Examples
One illustrative example occurred in July 2011, when a New York ambulatory surgery center (ASC) settled a Department of Health and Human Services (HHS) Enforcement Action for $150,000 in fines for failure to conduct an accurate and thorough "risk analysis," and for numerous violations of the mandatory "Business Associate Agreement" between the ASC and Xerox (its electronic records vendor). (The $150,000 fine was paid to the State of New York, however HHS issued a press release about the settlement , which made clear that the settlement was based at least in part on the ASC’s contract with Xerox.) In the context of its "risk analysis" deficiency, HHS specifically cited the ASC’s failure to obtain proper safeguards from its Business Associate. Business Associate Agreements require strict liability by the business associate. HHS will enforce its Contractual Privacy Rule in any enforcement action against a HIPAA-covered entity that fails to properly monitor Business Associate Agreements.