What agreement is required when a Brightstar Care Business Associate discloses PHI to subcontractors?
Brightstar Care Franchise · 2025 FDD
Answer from 2025 FDD Document
- 4.5 Disclosures to Subcontractors and/or Third Parties.
Business Associate shall ensure that all representatives, subcontractors, persons and/or entities (other than entities that are merely conduits) to whom Business Associate discloses or provides the PHI execute a written Business Associate Agreement, as required under the Privacy Laws, in which such third persons and/or entities expressly agree to the same restrictions and conditions that apply to Business Associate hereunder, as applicable.
If a Business Associate Agreement is not required by the Privacy Laws, Business Associate shall obtain reasonable assurances from all persons and entities who have access to or are recipients of the PHI that: (i) the PHI will be held confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party; and (ii) the third party will promptly notify Business Associate of any Compromise of PHI, and Business Associate will, in turn, notify Covered Entity.
Source: Item 22 — CONTRACTS (FDD pages 117–118)
What This Means (2025 FDD)
According to Brightstar Care's 2025 Franchise Disclosure Document, when a Business Associate discloses Protected Health Information (PHI) to subcontractors, certain agreements are required to ensure compliance with privacy laws. Specifically, the Business Associate must ensure that all representatives, subcontractors, persons, and/or entities (excluding mere conduits) who receive PHI execute a written Business Associate Agreement. This agreement legally binds these third parties to the same restrictions and conditions that apply to the Business Associate, as mandated by Privacy Laws. This requirement ensures that PHI is protected throughout the service chain, maintaining confidentiality and security even when data is handled by external parties.
If a Business Associate Agreement is not mandated by the Privacy Laws, Brightstar Care requires the Business Associate to obtain reasonable assurances from all persons and entities who have access to or are recipients of the PHI. These assurances must confirm that (i) the PHI will be held confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party; and (ii) the third party will promptly notify Business Associate of any Compromise of PHI, and Business Associate will, in turn, notify Covered Entity.
This dual requirement—either a formal Business Associate Agreement or reasonable assurances—highlights Brightstar Care's commitment to safeguarding PHI and adhering to privacy regulations. For a prospective franchisee, this means understanding and implementing these requirements when engaging subcontractors or third parties who may handle PHI. Failing to comply with these stipulations could result in legal and financial repercussions for the franchisee. Therefore, it is crucial for franchisees to fully understand their obligations and ensure that all necessary agreements and assurances are in place before disclosing PHI to any external party.