Insurance Applicant Business Associate Agreement

This Business Associate Agreement is entered into by and between The Doctors Company, an Interinsurance Exchange, including all of its subsidiaries, hereinafter referred to as “we,” and “you” in conjunction with the policy of insurance we have entered into with you. This agreement supersedes and replaces any prior Business Associate Agreement (“BAA”).

We are committed to comply with the Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and as modified by the HITECH provisions of the American Recovery and Reinvestment Act of 2009 and related rules and as may be modified subsequently (the “Privacy Regulations”). Under the Privacy Regulations, you are a “covered entity,” and as required by 45 C.F.R. Section 164.502(e) and 45 C.F.R. Section 164.504(e), we acknowledge that we, in certain instances, may be your “business associate.” We must use and disclose information that identifies an individual; relates to health, health treatment, or healthcare payment; and is maintained in any form (e.g., electronic, paper, oral) (“Protected Health Information” or “PHI”) in our performance of services under this Policy, and we agree to abide by the assurances, terms, and conditions contained herein in the performance of our obligations.

This document sets forth the terms, conditions, and obligations pursuant to which Protected Health Information that is provided, created, or received by us from you or on your behalf, will be handled.

We agree as follows:

  1. Permitted Uses and Disclosures of Protected Health Information.

    Pursuant to this Agreement, we provide services (“Services”) for your operations that may involve the use and disclosure of Protected Health Information as defined by the Privacy Regulations. These Services may include, among others, quality assessment; quality improvement; outcomes evaluation; protocol and clinical guidelines development; reviewing the competence or qualifications of healthcare professionals; evaluating practitioner and provider performance; conducting training programs to improve the skills of healthcare practitioners and providers; credentialing, conducting, or arranging for medical review; arranging for legal services; conducting or arranging for audits to improve compliance; resolution of internal grievances; placing stop-loss and excess of loss insurance; and other functions necessary to perform these Services. Except as otherwise specified herein, we may make any uses of Protected Health Information necessary to perform our obligations under this Agreement. All other uses not authorized by this Agreement are prohibited. Moreover, we may disclose Protected Health Information for the purposes authorized by this Agreement: (i) to our employees, subcontractors, and agents, in accordance with Section D(5) below; (ii) as directed by you in writing; or (iii) as otherwise permitted by the terms of this Agreement. Additionally, unless otherwise limited herein, we are permitted to make the following uses and disclosures:

  2. Our Obligations and Activities.

    We may use and disclose the Protected Health Information in our possession to third parties for the purpose of our proper management and administration, such as obtaining reinsurance, or to fulfill any of our present or future legal responsibilities, such as complying with insurance regulator requests, provided that (i) the disclosures are required by law; or (ii) we have received from the third party written assurances regarding its confidential handling of such Protected Health Information as required under 45 C.F.R. Section 164.504(e)(4) and where necessary received a BAA.

  3. In addition to using the Protected Health Information to perform the services set forth above, we may:

    (1) Aggregate the Protected Health Information in our possession with the Protected Health Information of other covered entities that we have in our possession through our capacity as a business associate to said other covered entities, provided that the purpose of such aggregation is to provide you with data analyses relating to your healthcare operations. Under no circumstances may we disclose Protected Health Information of one covered entity as defined by 45 C.F.R. Parts 160 and 164 to another covered entity absent your express written authorization; and

    (2) De-identify any and all Protected Health Information provided that the de-identification conforms to the requirements of 45 C.F.R. Section 164.514(b), and further provided that you are sent the documentation required by 45 C.F.R. Section 164.15(b), which shall be in the form of a written assurance from us. Pursuant to 45 C.F.R. 164.502(d)(2), de-identified information does not constitute Protected Health Information and is not subject to the terms of this Agreement.

  4. With regard to our use and/or disclosure of Protected Health Information, we agree to do the following:

    (1) Use and/or disclose the Protected Health Information only as permitted or required by this Agreement or as otherwise required by law and then only to the minimum necessary extent to accomplish the intended purpose of the use;

    (2) Report to your designated Privacy Officer, in writing, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement of which we become aware as soon as practical and within ten (10) business days of our discovery of such unauthorized use and/or disclosure. Where practical and possible, we will take steps to mitigate the harmful effect of any unpermitted disclosure of PHI;

    (3) Use commercially reasonable efforts to maintain the security of the Protected Health Information and take appropriate physical, administrative, and technical safeguards to prevent unauthorized use and/or disclosure of such Protected Health Information;

    (4) Require all of our subcontractors and agents that undertake to perform the services that we perform under this Agreement and that receive, use, or have access to Protected Health Information under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to us pursuant to this Agreement;

    (5) Unless prohibited by attorney-client and other applicable legal privileges or unless it would violate our contractual and other legal obligation to you, make available all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of the United States Department of Health and Human Services for purposes of determining your compliance with the Privacy Regulations;

    (6) Upon prior written request, make available during normal business hours at our offices all records, books, agreements, policies, and procedures relating to the use and/or disclosure of Protected Health Information to you within five (5) business days for purposes of enabling you to determine our compliance under the terms of this Agreement;

    (7) We shall honor any request from you for information to assist in responding to an individual’s request for an accounting of disclosures of Protected Health Information to us. However, should you be asked for an accounting of the disclosures of an individual’s Protected Health Information in accordance with 45 C.F.R. Section 164.528, such accounting should not include any disclosures to us which are to carry out your healthcare operations. See 45 C.F.R. Section 164.528(a)(1)(i);

    (8) Upon termination of this Policy, the protections of this Agreement will remain in force and we shall make no further uses and disclosures of Protected Health Information except for the proper management and administration of our business or as required by law;

    (9) In those instances when you would be required to honor an individual’s request for access and/or amendment of Protected Health Information disclosed to us, we will assist you to comply with your duties under 45 C.F.R. Sections 154.524 and 164.526. However, usually you will not be required to honor such requests because Protected Health Information in our possession is not part of a designated record set as that term is defined by 45 C.F.R. 164.501; and/or because the information is exempt from access and amendment under 45 C.F.R. Sections 164.524(a) and 164.526(a)(2); and/or because access would violate your superseding contractual and other legal rights; and/or because any amendment could be tampering with evidence in a civil or administrative matter;

    (10) You may terminate this Agreement by canceling this Policy if we violate a material term of this Agreement;

    (11) You agree that we may modify this Agreement as required to comply with applicable laws or regulations.

In witness whereof, The Doctors Company has caused this Agreement to be signed by its Chairman at its Home Office.

rea_sig

Richard E. Anderson, MD
Chairman of the Board of Governors