5 Free HIPAA Employee Non-Disclosure Agreement Templates

The HIPAA Employee Non-Disclosure Agreement is a contract between healthcare facilities and their employees, as well as other third parties that have access to patients’ medical records, that requires them to uphold data privacy and observe confidentiality regarding Personal Health Information (PHI).

The agreement legally restricts employees and other third parties from using or sharing private and sensitive information.

The provisions of HIPAA restrict hospitals, healthcare professionals, other hospital employees, insurance providers, auditors, and any other parties that have access to patient records. New healthcare providers are regularly hired, and for them to effectively attend to their patients, they must have access to health records. To ensure they are committed to protecting the patients’ information, they must sign the HIPAA Employee Non-Disclosure Agreement Form.

The Privacy Rule guides the Health Insurance Portability and Accountability Act (HIPAA) and advocates for the discretion of Personal Health Information (PHI), while at the same time ensuring that information necessary for normal healthcare service delivery flows uninterrupted. Personal Health Information refers to any records or pieces of information containing identifiable details that can be used to trace patients, including health records, financial records, addresses, billing details, and contacts among others.

Confidentiality should be maintained by ensuring that a patient’s information that has been conveyed during discussions or in writing as being confidential is not disclosed; such information includes passwords, account numbers, and PINs. Patients’ health records, whether electronically or manually stored, are subject to HIPAA rules, and hospitals should use the HIPAA Employee Non-Disclosure Agreement Form to that effect.

The HIPAA Employee Non-Disclosure Agreement can also be referred to as:

  • HIPAA Confidentiality and Non-Disclosure Agreement
  • HIPAA Employee Confidentiality Agreement
  • HIPAA Confidentiality Agreement

Laws: 45 CFR Part 160 and Part 164 are mainly involved and should be considered in a HIPAA employee non-disclosure agreement form.

Types of HIPAA Medical Forms

The following HIPAA agreements are used by the different parties that fall under HIPAA:

  • Independent HIPAA Contractor Agreement: It is used by an independent contractor who has access to patients’ medical records and the medical offices.
  • Subcontractor HIPAA Agreement: It is used by any third party, either a company or individual, that has been hired by the independent contractor for assisting in medical records-related projects.
  • Patient HIPAA Release Form: It is a release document that permits physicians or hospitals to share patients’ medical records among them.

Components of the Form

The following provisions are a thorough guide on what to include in the HIPAA Employee Non-Disclosure Agreement Form:

Introductory paragraph

The name of the healthcare facility and the provider of the confidential information must be specified in the introductory paragraph. The name of the employee who has access to the Personal Health Information (PHI) should also be specified. Finally, the date on which the last party signs the agreement is included.

Personal Health Information (PHI) and confidential information

This provision involves identifying and defining the Personal Health Information that can be used in tracing and identifying a patient, as well as setting access limits for healthcare facility employees. PHI includes the patient’s financial, billing, and medical records, as well as address and contact information. Confidential information such as patients’ PINs, passwords, account names, and account numbers should not be shared with unauthorized personnel.

Employees and other third parties with access to any information labeled as confidential, such as PHI, are prohibited from sharing it without following the HIPAA rules set out in the non-disclosure agreement; the agreement requires medical records to be shared only after the identifiable information contained in PHI has been removed from the rest of the records.

Return of materials

The return of materials clause ensures that the employee is bound to immediately return the confidential information they have access to under circumstances such as the expiry of the contract or any other reason that results in the employee no longer being part of the healthcare facility.

Time frame/termination

The termination provision defines the time frame that the agreement is expected to be in effect. The time frame encompasses the Effective Date, which is the first day of committing to uphold information confidentiality, and the Disclosure Period, which is the entire time span that confidential information must remain unshared.

The parties to the HIPAA agreement reach a consensus on when the contract shall be terminated, mostly under the following conditions:

  • Expiration of the agreement
  • Completion of the transaction, or
  • After the lapse of a previously agreed-upon period

Notice of immunity from liability

This provision ensures that the employee is made aware that any damages that might result from their sharing of confidential information may subject them to being liable for double damages, among them being the attorney fees as stipulated by the Federal Defend Trade Secrets Act.

General provisions

General provision clauses contain any other information that is deemed as being relevant in the execution of the agreement. The miscellaneous details are also called boilerplate due to their standardized nature.

  • Relationships: In case there are any relationships other than those that the non-disclosure agreement has stipulated, they are included here.
  • Severability clause: The severability clause stipulates that if a breach of the non-disclosure agreement results in a lawsuit and the court finds that one part of the agreement is not valid, then the invalid part can be eliminated from the agreement without affecting the validity of the rest of the agreement.
  • Waiver clause: The waiver clause provides insight that if the NDA is violated and a complaint is not made instantly, later complaints are still valid.
  • Integration clause: The integration clause in a HIPAA form stipulates that the version of the non-disclosure agreement being signed by the parties is the final and conclusive version and is not subject to changes from past statements.
  • Attorney fees: It is a clause in the agreement that applies when attorney fees are not otherwise included in the agreement and the judge, within their right, rules for the inclusion of the fees.
  • Jurisdiction: It is a provision that requires the parties to the non-disclosure agreement to agree beforehand:
    • That the agreement shall be bound by the exclusive jurisdiction of a specific county or state,
    • That suing cannot occur in any state or county other than the one in which the health facility is located, and
    • The venue of the state and federal courts.
  • Injunctive relief: A clause involving a court order directing an employee to stop sharing or using the employer’s confidential information after violating the non-disclosure agreement.

Agreement signing

For the HIPAA Employee Non-Disclosure Agreement to take effect, it must be signed by the healthcare facility and the employee. A date should also be included. It is necessary for both parties to take enough time to review and understand their respective obligations before appending their signatures.

The HIPAA Employee Non-Disclosure Agreement form is a legally binding document, and the parties are held liable from the moment they sign the contract. Breaching any provision of the agreement is subject to court intervention.

Free Templates





authorization to release medical records to third party 04


It is crucial for parties bound by the HIPAA Employee Non-Disclosure Agreement not to engage in activities that might violate its requirements, such as mishandling or sharing patient records, breaching or stealing health records, and accessing data without proper authorization.

    Keep reading