HIPAA Business Associate Agreement
Please note that the attached Business Associate Agreement has been updated as of 2010 to reflect the new requirements set forth in the Health Information Technology for Economic & Clinical Health Act ("HITECH"), Subtitle D-Privacy (§§13400-13424), as part of the American Recovery and Reinvestment Act of 2009.
It is recommended that all entities having a business relationship with Medical Protective complete this updated version and retain a copy for their records.
Instructions for Completing HIPAA Business Associate Addendum
- Please be sure to have your Medical Protective Policy Number available before you begin.
- In the first box, enter initials indicating you understand you are entering into a legally binding electronic transaction.
- If you are a doctor or with a group of doctors enter your 6 digit Medical Protective policy number as your signature. If you are signing on behalf of a hospital or for any other reason do not have an individual policy number, please enter the first 6 digits of your last name. By signing this agreement, you represent that you are authorized to sign on behalf of the individual, partnership, professional corporation, hospital or other entity on whose behalf this agreement is made.
- Validate your electronic signature by entering the requested contact information.
- Before clicking "I Accept," please print out a copy of the fully completed addendum.
- After completing and printing the addendum, click "I Accept".
- You Are Finished - It's That Simple!
Please save or print this form as confirmation that you entered into this agreement with Medical Protective.
Please note: Due to the large number of requests, this electronic format is the exclusive method to enter into a business associate agreement with Medical Protective. Paper submissions of this form or alternative forms will be returned.
Thank You For Using Medical Protective's Electronic HIPAA Business Associate Addendum!
BUSINESS ASSOCIATE AGREEMENT
This agreement ("Agreement") is effective upon its execution and delivery to Medical Protective (referred to as "the Business Associate" hereafter), as further indicated below, by and between the Business Associate and the undersigned health care provider or other services provider (referred to as "the Provider" hereafter).
The Provider and the Business Associate mutually agree to the terms of this Agreement to comply with the requirements of the Standards for Security and Privacy of Individually Identifiable Information (the "Security and Privacy Regulations"), as applicable, under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, as well as with the Health Information Technology for Economic & Clinical Health Act ("HITECH"), Subtitle D-Privacy (§§13400-13424), as part of the American Recovery and Reinvestment Act of 2009.
The Business Associate and Provider have a business relationship such that Provider may be deemed to be a covered entity, and in conducting such activities on behalf of Provider, may be deemed a business associate of Provider.
- The Provider wishes to disclose certain information to the Business Associate pursuant to the terms of this Agreement, some of which may constitute Protected Health Information ("PHI") (as defined below).
- The Provider and the Business Associate intend to protect the privacy and provide for the security of PHI disclosed to the Business Associate pursuant to this Agreement in compliance with the HIPAA Security and Privacy Regulations and HITECH.
- HIPAA Security and Privacy Regulations and HITECH require the Provider to enter into a contract containing specific requirements with the Business Associate prior to the disclosure of PHI, as set forth in, but not limited to, Title 45, Sections 164.502(e) and 164.504(e) of the Code of Federal Regulations ("CFR") and contained in this Agreement.
A. Definitions
- Breach. "Breach" has the same meaning as this term has in §13400 of HITECH.
- Designated Record Set. "Designated Record Set" has the same meaning as this term has in 45 C.F.R. 164.501.
- Electronic Protected Health Information ("E-PHI"). "E-PHI" has the same meaning as "Protected Health Information" in 45 C.F.R. §160.103, limited to information transmitted by, or maintained in, electronic media received by Business Associate from, or on behalf of, Covered Entity.
- Individual. "Individual" has the same meaning as this term has in 45 C.F.R. §160.103 and shall include a person that qualifies as a personal representative as set out in 45 C.F.R. §160.502(g).
- Protected Health Information. "Protected Health Information" ("PHI") has the same meaning as this term has in 45 C.F.R. §160.103.
- Secretary. "Secretary" has the same meaning as the Secretary of the Department of Health and Human Services.
- Unsecured PHI. "Unsecured PHI" has the same meaning as the term has in §13401 of HITECH.
B. Privacy of Protected Health Information
- Permitted Uses and Disclosures. The Business Associate agrees to use or disclose PHI that it creates for or receives from the Provider only as follows:
- Functions and Activities on the Provider's Behalf. The Business Associate is permitted to use and/or disclose PHI it creates for or receives from, the Provider as necessary in Business Associate's discretion to perform its obligations under this Agreement or other Agreement with Provider.
- The Business Associate's Operations. The Business Associate is permitted by this Agreement to use Protected Health Information it creates for or receives from, the Provider:
- if such use is for the Business Associate’s proper management and administration; or,
- as necessary to carry out the Business Associate’s legal responsibilities.
- Other Permitted Disclosures. The Business Associate is permitted by this Agreement to disclose Protected Health Information:
- if required by law; or,
- if the Business Associate obtains reasonable assurances that the information will remain confidential, be used or further disclosed only as permitted by law or for the purposes for which the Business Associate made the disclosure, and if the Business Associate is notified of any breaches of confidentiality.
- Prohibition on Unauthorized Use or Disclosure. The Business Associate will neither use nor disclose Protected Health Information it creates for or receives from, the Provider, or from another Business Associate of the Provider, except as permitted or required by this Agreement, or as required by law, or following receipt of prior written approval from the Provider. Provider shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Security and Privacy Regulations or HITECH.
- Minimum Necessary. Absent an applicable exception, Business Associate will only disclose the minimum amount of PHI necessary, as defined by the HIPAA Security and Privacy Regulations and HITECH, to accomplish the Business Associate’s intended purpose.
- Documentation. Business Associate agrees to document such disclosures of PHI, and information related to such disclosures, as would be required for Provider to respond to a request by an Individual for an accounting of disclosures.
- Information Safeguards. The Business Associate will comply with the HIPAA Security and Privacy Regulations and HITECH requirements to develop, document, implement, maintain and use reasonable administrative, technical and physical safeguards to preserve the integrity, availability and confidentiality of and to prevent non-permitted use or disclosure of Protected Health Information created for or received from the Provider.
- Sub-Contractors and Agents. The Business Associate will require any of its subcontractors, agents, and other representatives to provide reasonable assurances in writing that the subcontractor or agent will comply with the same restrictions and conditions that apply to the Business Associate under the terms and conditions of this Agreement with respect to such PHI.
- Prohibition and Restrictions on the Sale of PHI and Marketing Communication. The Business Associate will not receive direct or indirect remuneration in exchange for any PHI unless a HIPAA-compliant authorization is obtained that includes information with regard to future sales. PHI may be sold for the purposes of public health, research or treatment, merger or sale of the entity, or service payments. Limited marketing communications may be made by the Business Associate on behalf of the covered entity so long as a HIPAA-compliant authorization is obtained.
C. Protected Health Information Access, Amendment and Disclosure Accounting
- Access. To the extent the Business Associate maintains the Designated Record Set, Business Associate agrees, at the request of Provider, to provide Provider, or its designee, access to PHI in a Designated Record Set in a prompt and reasonable manner in order to meet the requirements under 45 Code of Federal Regulations § 164.524.
Business Associate shall, upon request with reasonable notice, provide Provider access to its premises, during normal business hours, for a review and demonstration of its internal practices and procedures for safeguarding PHI.
- Amendments. To the extent Business Associate maintains the Designated Record Set, Business Associate agrees to amend, or permit the Provider access to amend, any portion of the PHI in the original Designated Record Set so that the Provider may meet its amendment obligations under 45 Code of Federal Regulations § 164.526.
- Disclosure Accounting. So that the Provider may meet its disclosure accounting obligations under 45 Code of Federal Regulations § 164.528:
- Disclosure Tracking. Except as otherwise provided in Section 3.c. below, starting April 14, 2003, the Business Associate will record each disclosure made to Provider or a third party of PHI, created for or received from the Provider.
- Business Associate agrees to provide Provider with information regarding Business Associate’s Disclosure Tracking to permit Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 Code of Federal Regulations § 164.528 and HITECH. Business Associate will deliver that information to Provider within ten (10) business days following the receipt by Business Associate of the request from the Provider.
- Exceptions from Disclosure Tracking. The Business Associate need not record disclosure information or otherwise account for disclosures of PHI that this Agreement or the Provider in writing permits or requires (i) for the purpose of the Provider’s treatment activities, payment activities, or health care operations, (ii) to the individual who is the subject of the PHI disclosed or to that individual’s personal representative; (iii) to persons involved in that individual’s health care or payment for health care; (iv) for notification for disaster relief purposes, (v) for national security or intelligence purposes, (vi) to law enforcement officials or correctional institutions regarding inmates; (vii) pursuant to an authorization; (viii) for disclosures of certain PHI made as part of a limited data set; (ix) for certain incidental disclosures that may occur where reasonable safeguards have been implemented; and (x) for disclosures prior to April 14, 2003.
- Inspection of Books and Records. Upon request, the Business Associate will make available its internal practices, books, and records, relating to its use and disclosure of the Protected Health Information it creates for or receives from the Provider to the Secretary to determine the Provider’s compliance with HIPAA Security and Privacy Regulations and HITECH. Business Associate shall have a reasonable time within which to comply with such requests and, in no instances, shall access be required in less than fifteen (15) business days after the Business Associate’s receipt of such request. The Business Associate shall provide the Provider a copy of such request, and furnish the information or documents disclosed to the Secretary pursuant to such request, within ten (10) days following said disclosures.
D. Breach of Privacy Obligations
- Mitigation. The Business Associate agrees to timely act to mitigate, to the extent practicable, any harmful effects that are known to Business Associate of a use or disclosure of PHI held by Business Associate in violation of the requirements of this Agreement.
- Reporting. The Business Associate will report to the Provider any use or disclosure of PHI of which Business Associate becomes aware that is not permitted by this Agreement, unless such use or disclosure is required by law or prior written approval of the use or disclosure was given by the Provider.
- The Business Associate will, as soon as practicable, but in no event later than sixty (60) calendar days, after becoming aware of any use or disclosure of PHI, in violation of this Agreement by the Business Associate, or its subcontractors or agents, or by a third party to which the Business Associate disclosed PHI in compliance with this Agreement, make a report to the Provider.
- Business Associate will notify Provider of any breach, as defined by HITECH, by Business Associate pertaining to Unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after discovery of such breach by Business Associate. To the extent possible, Business Associate should provide Provider with the identification of each individual affected by the breach as well as any information required to be provided by the Provider in its notification to affected individuals. Business Associate will promptly notify Provider of any additional information which becomes available with respect to the breach. Notice to the Secretary will only be required if the breach of Unsecured PHI involved, at a minimum, five hundred (500) individuals. Notice to media outlets will only be required if the breach of Unsecured PHI involved, at a minimum, five hundred (500) individuals in the same state or jurisdiction.
- Term and Termination of Agreement.
- Term. This Agreement shall continue in force so long as any underlying contract between the Provider and Business Associate remains in force.
- Right to Terminate for Breach. The Provider shall provide written notice if it determines that the Business Associate has breached any material provision of this Agreement. The written notice must contain the facts necessary for the Business Associate to evaluate and cure the alleged breach. If the breach is not cured within 30 days, the Provider may immediately terminate this Agreement.
- Obligations upon Termination
- Continuing Privacy Obligation. The Business Associate's obligation to protect the privacy of the PHI it created for or received from the Provider, will be continuous and survive termination, cancellation, expiration or other conclusion of this Agreement. Business Associate shall make no further uses and disclosures of PHI except for the proper management and administration of its business or to carry out its legal responsibilities, or as required by law.
- Other Obligations and Rights. The Business Associate's other obligations and rights and the Provider's obligations and rights upon termination, cancellation, expiration or other conclusion of this Agreement are only those set forth in this Agreement.
E. General Provisions
- Independent Relationship. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the parties other than that of independent parties contracting with each other as independent contractors solely for the purposes of effecting the provisions of this Agreement.
- Rights of Third Parties. This Agreement is between the Provider and the Business Associate and shall not be construed, interpreted, or deemed to confer any rights whatsoever to any third party or parties.
- Headings. The headings of sections contained in this Agreement are for reference purposes only and shall not affect in any way the meaning or interpretation of this Agreement.
- Effective Date and Delivery. This Agreement shall be effective upon the date on which the Provider executes a full and complete copy of this Business Associate Agreement by providing an electronic signature to this document and returning to the Business Associate by selecting "I submit" below. Such manner of execution and delivery shall be the exclusive method for executing and delivering this Agreement, except as otherwise approved in writing by the Business Associate, and this Agreement shall not become effective as between the Business Associate and the Provider unless it shall be delivered to the Business Associate in this prescribed manner.
- Notices. All notices and notifications under this Agreement shall be electronically signed and sent by the party providing the notice or notification to the listed representatives of either the Provider or the Business Associate as indicated below.
- Amendment. The Business Associate agrees to take such action as necessary to amend this Agreement from time to time, as determined by the Business Associate, to comply with any requirement related to the Security and Privacy Regulations and HITECH, and any other regulations or provisions of the Security and Privacy Regulations and HITECH which are adopted, promulgated or published after the Effective Date.
- Interpretation. Any ambiguity in this Agreement shall be resolved so as to permit the Provider to comply with the Security and Privacy Regulations and HITECH and any regulation promulgated under the Security and Privacy Regulations and HITECH.
IN WITNESS WHEREOF, the Provider and the Business Associate execute this Business Associate Agreement to be effective as of the date signed and submitted by the Provider as indicated below:
Trent C. Heinemeyer, Sr. Vice President, General Counsel & Secretary
5814 Reed Road
Fort Wayne, Indiana 46835
BY TYPING YOUR INITIALS IN THE BOX AT THE END OF THIS SENTENCE YOU ACKNOWLEDGE THAT IT IS YOUR INTENT THAT THE POLICY NUMBER TYPED IN THE SIGNATURE BOX BELOW WILL SERVE AS YOUR SIGNATURE FOR THE PURPOSE OF THIS BUSINESS ASSOCIATE AGREEMENT AND THAT YOU AGREE TO CONDUCT THIS TRANSACTION ELECTRONICALLY.