Patient Confidentiality Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Patient Confidentiality Agreement?

The Patient Confidentiality Agreement is essential for healthcare providers operating in the United States to ensure compliance with HIPAA and state privacy laws. This document should be implemented when establishing a provider-patient relationship and before collecting or handling any protected health information. It addresses the collection, use, and disclosure of medical information, incorporating federal requirements while allowing for state-specific variations. The agreement helps healthcare providers maintain legal compliance while building trust with patients through transparent information handling practices.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Patient Confidentiality Agreement

A Patient Confidentiality Agreement is a legally binding document that establishes privacy protections between healthcare providers and patients regarding medical information. This agreement ensures your practice complies with federal healthcare privacy laws while clearly defining how patient data will be collected, used, and protected throughout the provider-patient relationship.

When do you need this document?

You need a Patient Confidentiality Agreement before establishing any provider-patient relationship or collecting protected health information. This includes when opening a new medical practice, onboarding new patients, hiring healthcare staff who will access patient records, or implementing new electronic health record systems. The agreement is also essential when partnering with other healthcare providers, conducting medical research involving patient data, or when patients specifically request enhanced privacy protections beyond standard HIPAA requirements.

Key legal considerations

The agreement must clearly define Protected Health Information (PHI) and establish specific protocols for its handling, storage, and transmission. Include detailed provisions for permitted uses and disclosures, such as treatment coordination, payment processing, and healthcare operations. Address patient rights including access to their medical records, amendment requests, and disclosure accounting. Establish breach notification procedures and security safeguards for both physical and electronic health information. Consider including provisions for patient consent to specific uses, minimum necessary standards for information sharing, and protocols for third-party disclosures. The agreement should also address record retention periods, patient authorization requirements, and procedures for handling requests to restrict information use or disclosure.

Legal requirements in United States

Under federal law, your Patient Confidentiality Agreement must comply with HIPAA's Privacy Rule and Security Rule, which govern the use and disclosure of protected health information. The HITECH Act expands these requirements and mandates breach notifications for unsecured PHI. If treating substance use disorders, you must also comply with 42 CFR Part 2, which provides additional confidentiality protections. The Americans with Disabilities Act requires protecting medical information of patients with disabilities, while GINA prohibits discrimination based on genetic information. State privacy laws may impose additional or more stringent requirements than federal regulations, so ensure your agreement addresses applicable state-specific provisions. Some states require enhanced consent procedures, impose stricter disclosure limitations, or provide additional patient rights beyond federal minimums. Mental health records often receive special protection under state laws, requiring separate consent procedures and enhanced confidentiality measures.

GOVERNING LAW

Applicable law

This Patient Confidentiality Agreement is drafted to comply with United States law. Key legislation includes:

HIPAA: Health Insurance Portability and Accountability Act of 1996 - Primary federal law governing healthcare privacy and security requirements

HITECH Act: Health Information Technology for Economic and Clinical Health Act - Expands HIPAA requirements and strengthens enforcement of privacy and security protections

42 CFR Part 2: Federal regulations specifically governing the confidentiality of substance use disorder patient records

ADA: Americans with Disabilities Act - Includes provisions for protecting medical information of individuals with disabilities

GINA: Genetic Information Nondiscrimination Act - Protects genetic information privacy and prevents discrimination based on genetic information

State Privacy Laws: State-specific regulations that may impose additional or more stringent requirements than federal laws for patient privacy protection

State Record Retention Laws: State-specific requirements for how long medical records must be maintained and secured

State Breach Notification Laws: State-specific requirements for notifying patients and authorities in case of data breaches

Mental Health Privacy Laws: State-specific laws governing the privacy and handling of mental health records, which often have additional protections

Minor Privacy Laws: State-specific laws regarding the handling and privacy of medical information for minors

Medical Ethics Guidelines: Professional standards and ethical guidelines established by medical associations regarding patient confidentiality

Licensing Board Requirements: Professional licensing board standards and requirements for maintaining patient confidentiality

Special Category Information Rules: Specific requirements for handling sensitive information such as HIV/AIDS status, mental health records, and substance abuse treatment

EHR Requirements: Requirements specific to electronic health records storage, security, and sharing

Third Party Sharing Protocols: Requirements and protocols for sharing patient information with third parties, including consent requirements

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it