25% off all training courses Offer ends May 29, 2026
View HIPAA Courses

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What is a HIPAA Confidentiality Agreement for Employees?

A HIPAA confidentiality agreement for employees is similar to a non-disclosure agreement inasmuch as members of the workforce agree not to disclose any confidential information they encounter in the performance of their functions – unless the disclosure is permissible by the Privacy Rule, relevant to the function they are performing, and limited to the minimum necessary.

The agreement should not only cover the confidentiality of Protected Health Information, but also any information employees encounter that may not be protected by the Privacy Rule. This might include identifying non-health information maintained outside a designated record set, billing information, or proprietary information about the organization's operations.

An agreement of this type can also cover the non-disclosure of login credentials for the organization’s systems and the return of the organization’s property (for example, keys, ID badges, access cards, etc.) on termination or completion of employment. Other conditions may be added to the agreement depending on the nature of the organization’s operations.

Is the Agreement Comprehensive, Enforceable, and Fair?

For a HIPAA confidentiality agreement for employees to be effective, it has to be comprehensive, enforceable, and fair. If it is not comprehensive, for example, by stipulating that Protected Health Information has to remain confidential, but omitting other types of information, the agreement does no more than remind employees of the Privacy Rule requirements.


If the agreement does not specify the sanctions for violating it, or fails to refer employees to the organization's disciplinary policy, it will be very difficult to enforce. If sanctions are applied to some employees but not others, the credibility of the HIPAA confidentiality agreement for employees will be called into question.

Fairness is also a potential stumbling block for the credibility of a HIPAA confidentiality agreement for employees if, for example, an employee is asked to sign the agreement without it being explained what Protected Health Information is. For this reason, it is best to ask an employee to sign the agreement only once HIPAA training has been completed.

Is a HIPAA Confidentiality Agreement for Employees a Deterrent?

In some cases, a HIPAA confidentiality agreement for employees can be a deterrent against impermissible disclosures of Protected Health Information and other confidential information, but it is unlikely to prevent accidental HIPAA violations or violations of the agreement attributable to a lack of comprehensiveness (e.g., credential sharing in emergency situations that the agreement never addresses).

Furthermore, while it might act as a reminder to most members of the workforce that confidential information has to remain confidential, a HIPAA confidentiality agreement for employees is no more able to prevent a member of the workforce from willfully or negligently violating the agreement than HIPAA training and the Privacy Rule-mandated sanctions policy already are.

With regard to training and sanctions, an agreement of this type does not relieve a Covered Entity of any part of its HIPAA training obligations, or of the requirement to provide each member of the workforce with a HIPAA sanctions policy, unless the agreement is itself specifically titled as the organization's HIPAA sanctions policy with other, non-HIPAA conditions added and explained.

This second option (a sanctions policy with non-HIPAA conditions added) can become an administrative burden, as the agreement may have to be amended whenever a relevant organizational policy is changed or a new technology is introduced. Because it is a HIPAA-related document, each version of the agreement will have to be retained for a minimum of six years from the date it was created or last in effect, whichever is later, even if the changes in that version are not related to HIPAA.

Finally, it could be argued that, depending on how the agreement is written, asking employees to sign a confidentiality agreement undermines the whistleblower protections they have under §164.502(j) and §164.530(e) of the Privacy Rule. Therefore, before asking any member of the workforce to sign a HIPAA confidentiality agreement for employees, it is advisable to seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
