Defining a Non-Disclosure Agreement
Non-Disclosure Agreements (NDAs) are legally binding contracts between two or more parties in which at least one party agrees to keep certain information confidential. Typically, NDAs prevent the sharing of proprietary information, such as trade secrets, with others. The restricted information cannot include general or publicly available knowledge, or information the receiving party already knew before entering into the agreement; it covers only information shared specifically in the context of the business relationship. NDAs are often signed before formal discussions on a venture begin, so that the receiving party cannot make the information public before the disclosing party chooses to do so. NDAs can also be signed after negotiations have already begun; in that case the agreement is drafted to cover the information already exchanged as well as what will be shared going forward.

HIPAA Basics: Confidentiality of Health Information
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") was enacted by Congress to improve the portability of health insurance coverage and to simplify and standardize the electronic exchange of health information. The HIPAA Privacy Rule establishes requirements for protected health information ("PHI") held by covered entities, and sets limits and conditions on the uses and disclosures of that information that may be made without patient authorization. Covered entities are health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction for which HHS has adopted standards.
The Security Rule establishes standards to protect the confidentiality, integrity, and availability of electronic protected health information ("EPHI"), so that it can be accessed, shared, and used only by authorized individuals. The Security Rule governs covered entities and business associates that create, receive, maintain, or transmit EPHI. They must adopt administrative, physical, and technical safeguards to protect this information. The Security Rule does not apply to paper records, although PHI on paper remains subject to the Privacy Rule.
There are a number of privacy considerations set forth in the Privacy Rule. Compliance with this Rule reduces the risk that information will be improperly used or disclosed, or that disclosures will go unaccounted for. Prior to this legislation, patients of health care entities had little ability to protect their personally identifiable health information and no federal legal recourse if it were mishandled or released. The Privacy Rule gives patients greater protection by requiring written patient authorization for uses and disclosures of PHI that the Rule does not otherwise permit or require, such as disclosures for treatment, payment, and health care operations.
The Privacy Rule also requires that organizations develop written privacy policies and procedures, post a notice of their privacy practices conspicuously, and train their workforce on those procedures. Such training gives employees a clear understanding of the policies and procedures for handling personal health information.
The Importance of Non-Disclosure Agreements with Respect to HIPAA Compliance
Ensuring patient confidentiality and the protection of sensitive health information is one of the primary goals of the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. As part of this objective, healthcare organizations, physicians, and their associates who handle electronic medical records (EMRs) or any other form of digital health record are responsible for safeguarding the information they generate and maintain. Having employees and vendors sign Non-Disclosure Agreements (NDAs) can play a key role in meeting that goal, and failing to document confidentiality obligations at all may leave an organization exposed in a HIPAA enforcement action.
NDAs can be an effective part of a healthcare organization's HIPAA compliance program, and the penalties for noncompliance can be severe. Through the HITECH Act of 2009, Congress amended HIPAA so that violations due to "willful neglect" that are corrected within 30 days incur civil penalties from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) starting at $10,000 per violation and going up to $50,000 per violation. For willful neglect violations that are not corrected within 30 days, the penalty is $50,000 per violation, subject to an annual cap of $1.5 million for identical violations (these are the original statutory amounts; they have since been adjusted for inflation). This applies to both Privacy Rule and Security Rule violations. Of note, an NDA is a contractual control, not a technical one. It does not substitute for the Security Rule's technical safeguards such as access controls and encryption, and an organization that relies on NDAs while leaving EMRs unencrypted or unprotected cannot point to the agreements alone as evidence of a good-faith effort to comply.
If an organization has board members, contractors, vendors, or employees involved with the EMR systems, then rigorous NDAs between those parties and the organization can help establish that the organization has implemented reasonable safeguards for the privacy and security of patient health information. Note that HIPAA itself mandates business associate agreements with vendors that handle PHI; a general NDA is not a HIPAA mandate, but it is a recognized administrative safeguard.
NDAs can help prevent unauthorized disclosure of PHI by making clear exactly what types of information are covered and what types of disclosures are prohibited, thereby also helping to protect individuals' privacy rights. Workforce members and contractors should be informed of the organization's privacy practices, and the NDA signing process can be a vehicle for doing that, while the agreement itself commits the recipient to keep appropriate administrative, physical, and technical safeguards in place to protect records and keep them confidential.
The Essential Components of a Non-Disclosure Agreement Under HIPAA
In order to support HIPAA compliance, the following clauses are important to include in a Non-Disclosure Agreement:
• The Recipient agrees to limit access to and use of PHI to the purposes described in the agreement, consistent with HIPAA's "minimum necessary" principle. Protecting the data does not always require an isolated environment; when the parties have agreed in writing to take reasonable steps to limit access to and disclosure of the information, compliance is much easier to assure and to demonstrate.
• The Recipient will use appropriate administrative, physical, and technical safeguards to protect PHI.
• The Recipient must promptly report breaches and instances of theft or loss of PHI to the disclosing party.
• The Recipient is required to return or destroy all PHI upon termination of the relationship, and to retain none of it.
• Provisions must be included regarding subcontractors and sub-recipients. This is particularly important for large medical centers that have multiple business associates, subsidiaries, or other related entities. Especially where one organization has many subsidiaries, the agreement must require the Recipient to bind its permitted subcontractors and agents to the same terms.
• There must be a provision making clear that the Recipient remains responsible for its subcontractors: where an existing subcontract cannot be terminated immediately, the Recipient must bring the non-compliant subcontractor into compliance, and it must report any such non-compliance to the disclosing party.
Common Situations for Non-Disclosure Agreements Within the Healthcare Environment
Below are some common situations where NDAs are used to protect the data of patients and employees and to support HIPAA compliance.
Data Sharing Between Covered Entities and Business Associates
Under HIPAA, a Covered Entity must enter into a Business Associate Agreement with each Business Associate before the Business Associate may create, receive, maintain, or transmit PHI on its behalf. Business Associate Agreements contain confidentiality provisions, but where those provisions are narrow, an NDA can further protect the PHI shared. In these cases, the Covered Entity and Business Associate may draft one NDA to be incorporated into the Business Associate Agreement as an addendum, or separate NDAs may be exchanged. This is especially useful where the relationship involves multiple exchanges of information, so that there is no doubt that each exchange is covered by the confidentiality terms. Incorporating the confidentiality terms into the agreement, or adding a separate document, ensures that no party can argue it is free to use the data in a manner other than that permitted by HIPAA or the express language of the Business Associate Agreement.
Data Sharing Among Healthcare Providers
Doctors often need to share data with each other in order to provide proper treatment to patients, whether verbally or through electronic systems. HIPAA permits such disclosures for treatment without patient authorization, but an NDA may still be entered into between the parties to ensure that the data is treated confidentially and in accordance with HIPAA.
Data Sharing between Healthcare Providers and Insurers
Insurers receive large amounts of sensitive information about patients in order to make coverage decisions and validate claims. Health plans are themselves covered entities, but where data is shared beyond what payment activities require, NDAs should be entered into before any data is transferred.
How to Compose a Non-Disclosure Agreement for HIPAA Compliance
When it comes to drafting an effective and enforceable non-disclosure agreement (NDA) that supports HIPAA compliance, you will want to consider the following.
Ensuring Compliance with HIPAA and State Health Care Privacy Laws
At a minimum, any confidentiality agreement concerning health information must prohibit the unauthorized disclosure or use of "protected health information" (PHI). PHI includes all individually identifiable health information that is transmitted or maintained in electronic or any other form or medium by a "covered entity" or "business associate" under HIPAA, including demographic data, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for that care. Covered entities and business associates are separately discussed below.
In addition to the requirements imposed by HIPAA, states are permitted to enact laws that offer greater privacy protections for the health information of their residents than required at the federal level. The HIPAA Privacy Rule does not "preempt" or override state law except to the extent that the state law is contrary to a requirement of the Privacy Rule, meaning that it is impossible to comply with both. A state law that is more stringent than HIPAA is not preempted: for example, if a state law prohibits a disclosure of health information without patient consent and HIPAA would permit that disclosure without consent, the state law stands and must be followed. Only where a state law is contrary to HIPAA and not more protective of privacy does HIPAA preempt it. It is therefore important to analyze whether the health information at issue is subject to more stringent state laws, so that additional language can be included in the NDA to address those requirements and provide the required disclosures or protections when the information is shared with the other party.
Covered Entities and Business Associates
Health Plans, Health Care Providers and Health Care Clearinghouses
Before discussing the HIPAA requirements for NDAs, it is important to define the parties subject to the HIPAA Privacy Rule. The Privacy Rule applies to three categories of "covered entities": health plans, healthcare clearinghouses, and healthcare providers. A healthcare provider is a covered entity only if it transmits health information in electronic form in connection with a standard transaction, such as a claim for payment for healthcare goods or services. "Protected health information" under the Privacy Rule is individually identifiable health information created or received by a covered entity (or its business associate) that relates to the past, present, or future physical or mental condition of the individual, the provision of healthcare to the individual, or payment for that healthcare. A healthcare provider may obtain a signed authorization from the patient that permits the patient's medical records to be shared with another party for a use not otherwise permitted by the Privacy Rule. The patient is not a party to the NDA, but the covered entity's duty to maintain the confidentiality of that patient's information should be reflected in the NDA's terms. As noted above, parties to an NDA should also consider whether any applicable state laws offer greater privacy protections for patient information than HIPAA, which may require additional disclosures or protections to be incorporated into the NDA.
Business Associate Agreements with Vendors
Where a vendor of the covered entity will create, receive, maintain, or transmit PHI or EPHI (the subset of PHI maintained or transmitted in electronic form) on behalf of the covered entity, in performing functions or activities that involve the use or disclosure of PHI, the vendor is a business associate, and HIPAA requires a written "business associate agreement". An NDA alone does not satisfy this requirement. The Privacy Rule imposes obligations on the covered entity relating to the use and disclosure of PHI by its vendors, and those obligations are met by obtaining the business associate's written assurances in a business associate agreement that contains the specific terms HIPAA requires: permitted uses and disclosures, safeguards, breach reporting, flow-down of the same terms to subcontractors, and return or destruction of PHI at termination. The business associate agreement may stand alone or be combined with the NDA in a single contract, but the required terms must be present either way.
Legal Ramifications for Violating Non-Disclosure Agreements in the Healthcare Industry
In the healthcare industry, where the handling of private information is subject to regulations such as HIPAA (the Health Insurance Portability and Accountability Act), a signed Non-Disclosure Agreement (NDA) provides documented legal protection by making clear to the parties that confidentiality is essential to their working relationship. When either party fails to abide by the NDA and discloses "confidential information," that party is "in breach" of the contract. In the context of provider-patient or entity-provider relationships, confidential information is anything the contracting parties are prohibited from disclosing, except in the circumstances specifically enumerated within the contract or as mandated or allowed by law. Unless the personal information or protected health information (PHI) involved has been de-identified under HIPAA's standard, so that it no longer identifies any individual, a breach of the NDA may also constitute a HIPAA violation. Where personal information or PHI must be shared between parties, it is best practice to start with what is now common: an NDA with business associate agreement (BAA) language. This documents and clarifies the shared understanding of the parties before any breach occurs. Whether the BAA is separate from the NDA or integrated into a single contract, both should specifically address the handling of personal information and PHI in order to be HIPAA compliant. If a provider or entity breaches an NDA containing BAA language, or a separate BAA, by improperly disclosing personal information or PHI, it is the HHS Office for Civil Rights that investigates and imposes civil fines and sanctions for breaches that meet the applicable thresholds. Where there is a knowing or willful disclosure of HIPAA-protected information, the defendant can face more serious penalties, including criminal liability, in addition to the contractual consequences of breaching the NDA.