Instructions for Completing HIPAA Business Associate Addendum
- Please be sure to have your Medical Protective Policy Number available before you begin.
- Scroll down to the bottom of this page.
- In the first box, enter initials indicating you understand you are entering into a legally binding electronic transaction.
- If you are a doctor or with a group of doctors, enter your 6-digit Medical Protective policy number as your signature. If you are signing on behalf of a hospital or for any other reason do not have an individual policy number, please enter the first 6 digits of your last name. By signing this agreement, you represent that you are authorized to sign on behalf of the individual, partnership, professional corporation, hospital or other entity on whose behalf this agreement is made.
- Validate your electronic signature by entering the requested contact information.
- Before clicking "I Accept," please print out a copy of the fully completed addendum.
- After completing and printing the addendum, click "I Accept".
- You Are Finished - It's That Simple!
Within a short time after submitting the addendum, you will receive an automatic e-mail thanking you for completing the online HIPAA Business Associate Addendum. Please save or print this e-mail as confirmation that you entered into this agreement with Medical Protective.
Please note: Due to the large number of requests, this electronic format is the exclusive method to enter into a business associate agreement with Medical Protective. Paper submissions of this form or alternative forms will be returned.
Thank You For Using Medical Protective's Electronic HIPAA Business Associate Addendum!
BUSINESS ASSOCIATE ADDENDUM
Release Number: HIPAA 1.0
This addendum ("Addendum") is effective upon its execution and delivery to Medical Protective (referred to as "the Business Associate" hereafter), as further indicated below, and is in addition to or amends and is made a part of any existing agreement or agreements ("Agreement") by and between the Business Associate and the undersigned health care provider or other services provider (referred to as "the Provider" hereafter).
The Provider and the Business Associate mutually agree to modify the Agreement to incorporate the terms of this Addendum to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing privacy regulations at 45 C.F.R. Parts 160-164 ("HIPAA Privacy Rule").
- The Provider wishes to disclose certain information to the Business Associate pursuant to the terms of the Agreement, some of which may constitute Protected Health Information ("PHI") (defined below).
- The Provider and the Business Associate intend to protect the privacy and provide for the security of PHI disclosed to the Business Associate pursuant to the Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA") and regulations promulgated thereunder by the U.S. Department of Health and Human Services (the "HIPAA Regulations").
- As part of the HIPAA Regulations, the Privacy Rule requires the Provider to enter into a contract containing specific requirements with the Business Associate prior to the disclosure of PHI, as set forth in, but not limited to, Title 45, Sections 164.502(e) and 164.504(e) of the Code of Federal Regulations ("CFR") and contained in this Addendum.
A. Privacy of Protected Health Information
- Permitted Uses and Disclosures. The Business Associate agrees to use or disclose Protected Health Information ("PHI"), as that term is defined in Section D.1. of this Addendum, that it creates for or receives from the Provider only as follows:
- Functions and Activities on the Provider's Behalf. The Business Associate is permitted to use and/or disclose PHI it creates or receives for or from the Provider as necessary in Business Associate’s discretion to perform its obligations under the Agreement.
- The Business Associate's Operations. The Business Associate is permitted by this Addendum to use Protected Health Information it creates or receives for or from the Provider: (i) if such use is for the Business Associate’s proper management and administration; or (ii) as necessary to carry out the Business Associate’s legal responsibilities.
- Permitted Disclosures. The Business Associate is permitted by this Addendum to disclose Protected Health Information: (i) if required by law; or (ii) if the Business Associate obtains reasonable assurances that the information will be used or further disclosed only as permitted by law or for the purposes for which the Business Associate made the disclosure and if the Business Associate is notified of any breaches of confidentiality.
- Prohibition on Unauthorized Use or Disclosure. The Business Associate will neither use nor disclose Protected Health Information it creates or receives for or from the Provider or from another Business Associate of the Provider, except as permitted or required by the Agreement and this Addendum, or as required by law, or following receipt of prior written approval from the Provider.
- Information Safeguards. The Business Associate will comply with HIPAA requirements to develop, document, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the integrity and confidentiality of and to prevent non-permitted use or disclosure of Protected Health Information created or received for or from the Provider.
- Sub-Contractors and Agents. The Business Associate will require any of its subcontractors, agents, and other representatives to provide reasonable assurances in writing that subcontractor or agent will comply with the same restrictions and conditions that apply to the Business Associate under the terms and conditions of this Addendum with respect to such Protected Health Information.
B. Protected Health Information Access, Amendment and Disclosure Accounting
- Access. Within 10 days of receiving the Provider’s written request, the Business Associate will make available to the Provider or, at the Provider’s direction, to the individual (or the individual’s personal representative) for inspection and obtaining copies any Protected Health Information about the individual which the Business Associate created or received for or from the Provider and that is in the Business Associate’s custody or control, so that the Provider may meet its access obligations under 45 Code of Federal Regulations § 164.524.
- Amendment. Within 10 days of receiving the Provider’s written request, the Business Associate will amend or permit the Provider access to amend any portion of the Protected Health Information which the Business Associate created or received for or from the Provider, and incorporate any amendments to such Protected Health Information, so that the Provider may meet its amendment obligations under 45 Code of Federal Regulations § 164.526.
- Disclosure Accounting. So that the Provider may meet its disclosure accounting obligations under 45 Code of Federal Regulations § 164.528:
- Disclosure Tracking. Starting April 14, 2003, the Business Associate will record for each disclosure, not excepted from disclosure accounting under Addendum Section B.3(b) below, that the Business Associate makes to the Provider or a third party of Protected Health Information that the Business Associate creates or receives for or from the Provider.
- Exceptions from Disclosure Tracking. The Business Associate need not record disclosure information or otherwise account for disclosures of Protected Health Information that this Addendum or the Provider in writing permits or requires (i) for the purpose of the Provider’s treatment activities, payment activities, or health care operations, (ii) to the individual who is the subject of the Protected Health Information disclosed or to that individual’s personal representative; (iii) to persons involved in that individual’s health care or payment for health care; (iv) for notification for disaster relief purposes, (v) for national security or intelligence purposes, (vi) to law enforcement officials or correctional institutions regarding inmates; (vii) pursuant to an authorization; (viii) for disclosures of certain PHI made as part of a limited data set; (ix) for certain incidental disclosures that may occur where reasonable safeguards have been implemented; and (x) for disclosures prior to April 14, 2003.
- Inspection of Books and Records. The Business Associate will make its internal practices, books, and records, relating to its use and disclosure of the Protected Health Information it creates or receives for or from the Provider available to the U.S. Department of Health and Human Services to determine the Provider’s compliance with 45 Code of Federal Regulations Part 164. The Business Associate shall provide to the Provider a copy of any Protected Information that the Business Associate provides to the Secretary concurrently with providing such Protected Information to the Secretary.
C. Breach of Privacy Obligations.
- Reporting. The Business Associate will report to the Provider any use or disclosure of Protected Health Information that is neither permitted by this Addendum nor given prior written approval by the Provider. The Business Associate will make the report to the Provider's Chief Privacy Official, within 10 days after the Business Associate learns of such non-permitted use or disclosure.
- Termination of Agreement.
- Right to Terminate for Breach. The Provider shall provide written notice if it determines that the Business Associate has breached any material provision of this Addendum. The written notice must contain the facts necessary for the Business Associate to evaluate and cure the alleged breach. If the breach is not cured within 30 days, the Provider may immediately terminate the Agreement.
- Obligations upon Termination.
- Return or Destruction. Upon termination, cancellation, expiration or other conclusion of Agreement, the Business Associate will return to the Provider or destroy all PHI, in whatever form or medium (including in any electronic medium under the Business Associate’s custody or control), that the Business Associate created or received for or from the Provider, including all copies of and any data or compilations derived from and allowing identification of any individual who is a subject of the Protected Health Information. The Business Associate will complete such return or destruction as promptly as possible, but not later than 30 days after the effective date of the termination, cancellation, expiration or other conclusion of Agreement. The Business Associate will identify any Protected Health Information that the Business Associate created or received for or from the Provider that, in Business Associate’s discretion, cannot feasibly be returned to the Provider or destroyed, will notify the Provider as to any information that Business Associate is required to maintain, and will limit its further use or disclosure of that Protected Health Information to those purposes that make return or destruction of that Protected Health Information infeasible.
- Continuing Privacy Obligation. The Business Associate's obligation to protect the privacy of the Protected Health Information it created or received for or from the Provider will be continuous and survive termination, cancellation, expiration or other conclusion of Agreement.
- Other Obligations and Rights. The Business Associate's other obligations and rights and the Provider's obligations and rights upon termination, cancellation, expiration or other conclusion of Agreement are those set forth in the Agreement.
D. General Provisions
- Definitions. The capitalized term "Protected Health Information" has the meaning set forth in 45 Code of Federal Regulations Section 164.501, as amended from time to time. Generally, this term means individually identifiable health information including, without limitation, all information, data and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. This definition shall include any demographic information concerning the Provider’s patients. All other terms used in this Addendum shall have the meanings set forth in the applicable definitions under the HIPAA Privacy Rule.
- Independent Relationship. None of the provisions of this Addendum are intended to create, nor will they be deemed to create any relationship between the parties other than that of independent parties contracting with each other as independent contractors solely for the purposes of effecting the provisions of this Addendum and the Agreement.
- Rights of Third Parties. This Addendum is between the Provider and the Business Associate and shall not be construed, interpreted, or deemed to confer any rights whatsoever to any third party or parties.
- Headings. The headings of sections contained in this Addendum are for reference purposes only and shall not affect in any way the meaning or interpretation of this Addendum.
- Effective Date and Delivery. This Addendum shall be effective upon the date on which the Provider executes a full and complete copy of this Business Associate Addendum by providing an electronic signature to this document and returning to the Business Associate by selecting "I submit" below. Such manner of execution and delivery shall be the exclusive method for executing and delivering this Addendum, and this Addendum shall not become effective as between the Business Associate and the Provider unless it shall be delivered to the Business Associate in this prescribed manner.
- Notices. All notices and notifications under this Addendum shall be electronically signed and sent by the party providing the notice or notification to the listed representatives of either the Provider and the Business Associate as indicated below.
IN WITNESS WHEREOF, the Provider and the Business Associate execute this Business Associate Addendum to be effective as of the date electronically signed and submitted by the Provider as indicated below:
Signed:
MEDICAL PROTECTIVE
Trent Heinemeyer, Sr. Vice President, General Counsel & Secretary
5814 Reed Road
Fort Wayne, Indiana 46825
Legal.Compliance@medpro.com
Signed:
BY TYPING YOUR INITIALS IN THE BOX AT THE END OF THIS SENTENCE YOU ACKNOWLEDGE THAT IT IS YOUR INTENT THAT THE POLICY NUMBER TYPED IN THE SIGNATURE BOX BELOW WILL SERVE AS YOUR SIGNATURE FOR THE PURPOSE OF THIS BUSINESS ASSOCIATE ADDENDUM AND THAT YOU AGREE TO CONDUCT THIS TRANSACTION ELECTRONICALLY.