All About a HIPAA Confidentiality Agreement

What is a HIPAA Confidentiality Agreement?

Compliance with HIPAA involves a lot of moving parts in order to stay on top or ahead of current trends in securing healthcare. As part of the compliance plan, organizations develop strategies to strengthen their safeguarding measures for protected health information. Some covered entities have decided to require employees to sign their own individual HIPAA confidentiality agreement, adding another layer of responsibility within their internal safeguards. Entities, such as hospitals, may look at amending this policy to ensure it meets legal standards of form and content.
A HIPAA confidentiality agreement acts as an acknowledgment from the signing party that they understand their obligation to protect private patient data, often referred to as "individually identifiable health information." By law, this information may not be disseminated to unauthorized individuals without written consent from the patient. Unauthorized disclosures, even in the form of an accidental email, can endanger the privacy of individual patients and trigger a malpractice lawsuit or civil liability. A breach of confidentiality may even lead to imprisonment in the case of a "knowing" violation of a person’s private health information, which may be construed as a violation of federal criminal laws. A formal, signed agreement additionally puts the signer on notice that any unauthorized use or disclosure of health information may be subject to discipline ranging from oral or written warnings to civil penalties, up to and including dismissal.
Despite the legal jargon, confidentiality agreements need not be overly long or written in complex legal terms, and in fact should be easy to read and include provisions that would put the signer "on notice" of their obligations under federal and state law. At a minimum it should:
HIPAA confidentiality agreements may be used for many purposes and in a variety of contexts. For example, any activity or contract that involves potential use or disclosure of protected health information by the health care provider or business associate may be subject to some level of confidentiality agreement. That said, this type of confidentiality agreement is only one of the many tools available to health care providers and business associates for safeguarding the privacy of protected health information.

HIPAA Confidentiality Agreement: Key Components

When creating a HIPAA confidentiality agreement, it is important to include all the key components that underlie the fundamental security of PHI. First and foremost, a provision on definitions and rules is indispensable: a section defining what constitutes electronic PHI (ePHI), the role of business associates, and the rules and restrictions on the use and disclosure of PHI. This helps maintain standards and reduces risk exposure as much as possible.

In addition to the definitions, both parties should clearly see their roles and obligations regarding PHI. This includes identifying the parties subject to the agreement and their responsibilities for maintaining the confidentiality, integrity, and availability of the data. The agreement should set out obligations for protecting ePHI, including access restrictions, and identify who may have authorized access to this data. Obligations should also address whether PHI will be encrypted, the method of encryption expected, and whether the party is permitted to retain copies of the data. Furthermore, in the event of a breach involving PHI, the agreement should outline the expectations for reporting the breach, including timeframes. It is also recommended that the purpose for processing ePHI be outlined, along with the parties and their permitted uses of PHI.

Confidentiality agreements also include provisions designed to maintain the security and privacy of the information, as well as accountability. The agreement must define components that detail physical safeguards for the data, as well as policies and procedures to implement technical safeguards. Both entities should also agree to take reasonable safeguards and exercise due care to mitigate risks regarding unsecured data.
Finally, parties should include obligations that require notification regarding a business associate’s disposal of PHI, including the return or disposal of data upon termination of engagement, and identifying information the business associate may keep.

Who Must Sign a HIPAA Confidentiality Agreement?

Generally, when a covered entity hires employees, it may require them to sign some form of HIPAA confidentiality agreement. For example, a physician’s office staff or nurses working in a hospital would be required to execute such an agreement as a condition of employment at the facility.
Similarly, all third-party vendors that handle any kind or amount of protected health information (PHI) must sign a confidentiality agreement before they are engaged by the covered entity. For example, a recruitment and staffing firm that offers the services of temporary nurses and office workers may only provide staff to the covered entity and no other services. Such a firm is nonetheless treated as a business associate under HIPAA, meaning the rules for protecting the PHI it is privy to still apply. In order to protect the sensitive health information entrusted to its care, the recruitment and staffing firm would need to sign a HIPAA confidentiality agreement with the covered entity.
Therefore, anyone that has been entrusted with the handling of PHI must have a signed agreement on record with the covered entity.

The Legal Fallout of Not Signing a HIPAA Confidentiality Agreement

Breaching a HIPAA confidentiality agreement can lead to significant legal trouble. A HIPAA violation will subject a covered entity to substantial monetary fines, designated as follows: The OCR has the discretion to impose the maximum fine, or it may impose lesser fines based on the severity of the violation. The OCR designates severity as: 1) no knowledge of the violation; 2) reasonable cause; 3) reasonable due diligence; and 4) willful neglect to comply.

Awards to individuals under the HIPAA Privacy Rule include compensation for any physical harm to an individual, together with compensation for any "economic loss," including both costs incurred and lost wages. Compensation may also be awarded for non-economic losses, including emotional pain and suffering. Awards may be as high as $50,000 for each violation, or $25,000 per day (not to exceed $250,000 in one calendar year), as well as punitive damages where the disclosure was intentional or grossly negligent. The parties that may be liable for damages include the person or organization that made the wrongful disclosure, and also the employer of the person at the time of the violation, but not if the action that caused the violation is contrary to the clear policies of the employer.

In addition to monetary penalties and liability, a person or organization that permits disclosure of confidential information may be subject to considerable publicity about the breach of trust. Such publicity may lead to irreparable harm in terms of customers, business and reputation.

Best Practices for Drafting a HIPAA Confidentiality Agreement

Here are some best practices to keep in mind when developing a HIPAA confidentiality agreement for your workforce members, including employees, volunteers and interns.
In addition to these best practices above, the agreement should be reviewed regularly for updates and revisions reflecting new HIPAA regulations or guidance. While it is advisable to revisit the agreement once a year, the agreement should also be regularly reviewed to respond to any notable changes at the organization that may need to be addressed through the agreement. Similarly, any changes to the applicable confidential information or to the overall business model as it relates to HIPAA compliance would also be a suitable trigger for revising the agreement.
Once you have developed the appropriate language for the agreement, it can be included in the organization’s workforce training materials and internal policies and procedures. The organization should ensure that each workforce member listed above receives effective HIPAA training, reviews (or re-reads) the agreement on an annual basis, and signs a copy of the agreement. Finally, where necessary, the organization should document that the individual provided his or her signature by a HIPAA-compliant means, such as a handwritten signature, a password-protected electronic signature, or a password-protected electronic acknowledgement.

Common Mistakes with HIPAA Confidentiality Agreements

Many organizations make significant mistakes with HIPAA confidentiality agreements. Here are some common errors and examples of what is and is not permissible.

1. Blanket Confidentiality Provisions: Some entities try to address all confidentiality issues with one clause that tries to keep everything confidential. That is not possible and, in fact, is a violation of the HIPAA Privacy Rule. HIPAA allows you to impose a confidentiality requirement for protected health information (PHI). It does not allow you to control all confidential information. For example, the Pom Wonderful case noted that the FTC takes the position that information is deceptive where a company allows access to consumer information prior to agreement to the terms and conditions of a website. The settlement in the case applies to Pom Wonderful but not to the information in the settlement. That information was confidential.

2. Limiting Access by Agents: The Privacy Rule provides that business associates must agree that PHI will be used or disclosed only as required to perform the services and that the PHI will be provided only to the extent necessary to perform those services. While that makes sense generally, there is often a conflict with the Trade Secrets Act. The Act prohibits disclosure of trade secrets, which the FTC has defined to include confidential information. The Pom Wonderful settlement prohibited Pom Wonderful from disclosing the consumer information except for a specific purpose, in writing, and after notification that access can only occur after agreement to the Pom Wonderful terms and conditions. That limitation was sufficient to satisfy the FTC.

3. Enforceability: Many times, confidentiality agreements fail because they lack consideration: "something of value" in legal terms. If a health care provider is issuing a confidentiality agreement to an employee, the employee has received a new job, a benefit of value. If a provider is requiring a patient to sign a confidentiality agreement, the patient has received treatment as consideration and must keep the information confidential to continue treatment. However, when a provider or other entity is seeking to have a lawyer or business partner agree to keep information confidential, it can be difficult to find consideration analogous to the employment or treatment relationship. A court would be unlikely to uphold the contract because the parties did not receive mutual consideration and thus never truly entered into a binding agreement. The result is that the provider or entity may not be able to enforce the agreement and the individual may use the information freely.

4. No Notice of Privacy Practices: While the notice is often not part of the agreement, the agreement should have a provision stating that the party has received the notice of privacy practices as required by the HIPAA Privacy Rule. An individual could later argue that he or she did not know of the requirement to maintain confidentiality. Adding a provision acknowledging receipt of the notice helps to preclude that argument.

5. No Limitation on Publication: Many entities seek confidentiality agreements but do not limit use or disclosure for marketing purposes. Even if the entity is not covered by HIPAA, it should not allow the individual to disclose confidential information or use the information to promote the individual’s image. Occasionally you will see a negotiation of reasonable limitations on using information, but absent such a clause the agreement should prohibit the release of the information.
