HIPAA Compliance Explained: Learn how to become HIPAA compliant

Soumya Shekhar
Last Updated: Nov 21, 2023
What is HIPAA Compliance? Important Guidelines & Requirements

A HIPAA confidentiality agreement secures the protected healthcare information ("PHI") of clients and patients. These agreements derive their name from the United States' Health Insurance Portability and Accountability Act of 1996, which mandates that patients' healthcare information remains strictly confidential. Thus, these agreements enforce an organization's obligations under the Act. Such duties mainly deal with the healthcare status of an individual and healthcare payment-related details. 

Healthcare providers sign HIPAA agreements with third parties. Such third parties include, but are not limited to, supply vendors, employees, contractors, volunteers, and even patients. While the agreements differ in their nuances, they share some standard features. A patient's health information is confidential, so none of it may be shared, collected, or used by whichever party acquires it. Furthermore, HIPAA provides for both civil and criminal action against violators: offences attract a fine of up to $1,500,000 yearly, while "wilful offenders" may receive a jail sentence of up to 10 years.


HIPAA agreements are mainly concerned with protecting a patient's or client's health information. Thus, anyone signing the agreement cannot use, share, or record such information without explicit authorization.

However, a patient may also accidentally gain access to another patient's health information. In such cases, the patient is covered by HIPAA and has obligations under it.


HIPAA covers agreements with "Business Associates", defined as organizations other than the covered entity itself that are involved in handling sensitive personal information. These are limited to organizations providing administrative, legal, accounting, consulting, management, and similar services. They do not include vendors of medical supplies, who may only incidentally have access to PHI.

Nevertheless, hospitals and clinics must also sign a HIPAA agreement with their vendors. This agreement should clarify the nature of the relationship, i.e. that a vendor is a contractor and not an "employee". It should also make clear that even if vendors incidentally or accidentally access a patient's or client's PHI, they are strictly prohibited from distributing, using, or recording this information. This requirement is materially similar to that in HIPAA agreements for patients.



Volunteers are individuals who assist the organization in a variety of ways. Many of them are closely involved in the use of patients' confidential health information. As a result, they must sign HIPAA contracts.

Most organizations that regularly deal with volunteers and students develop HIPAA policies. These policies usually lay out the HIPAA obligations of any student or volunteer involved with the organization. A policy makes these obligations accessible and clearly defined. 

Apart from the obligations mentioned in the two sections above, volunteers have additional obligations, since they are more closely involved with health data:

  • The PHI or confidential information of any patient should not be altered or deleted to any extent

  • The use of such data should be restricted to the minimum necessary

  • Passwords and other credentials that give access to sensitive data should be handled securely

  • Any concerns regarding the integrity of PHI should be communicated to the designated individuals within the organization

  • Revealing or using such data is prohibited indefinitely, even after termination

It is crucial to keep an individual's health data confidential. HIPAA made a positive step in this direction by making it compulsory for organizations to handle this information confidentially. A culture has developed around HIPAA in which organizations take their obligations seriously and a patient's information is protected. Health information is deeply personal, and it must remain protected.

A variety of stakeholders can be exposed to a patient's data. These include volunteers and contractors, but also other patients. Each of these individuals must understand their obligations under HIPAA, and the contract is an effective way to provide adequate notice and enforcement. While patients and vendors have reduced obligations, volunteers and interns are exposed to more PHI and thus require more scrutiny. Nevertheless, the system is generally conducive to protecting patient privacy and confidentiality.
