Is a Brightstar Care Business Associate responsible for notifying individuals of a Breach, and who is responsible for notification costs?
Brightstar_Care Franchise · 2025 FDD
Answer from 2025 FDD Document
failed login attempts, and port scans.
The parties will meet and confer in good faith before notifying affected individuals, government agencies, and/or commencing any legal action regarding any suspected or actual Breach or Security Incident and/or breach of this Agreement, and shall comply with applicable Privacy Laws regarding the need for and nature of any notification of individuals or reporting to government agencies.
- 4.10 Mitigation and Notification. Mitigation efforts by Business Associate shall not require Business Associate to pay the costs of credit monitoring or other similar credit protection services unless required by law. Business Associate will not be responsible for notifying individuals of a Breach and will not be responsible for any notification costs.
- 4.11 Audits and Inspections. Business Associate will make its internal practices, books, and such records as are not protected by applicable legal privilege or work product protection relating to the use, disclosure, and/or compromise of PHI available to Covered Entity to determine compliance with applicable Privacy Laws and this Agreement, and to the Secretary of the United States, Department of Health and Human Services and/or other authorized lawful authority as required by law or authorized by Covered Entity in writing.
Source: Item 22 — CONTRACTS (FDD pages 117–118)
What This Means (2025 FDD)
According to Brightstar Care's 2025 Franchise Disclosure Document, the Business Associate is not responsible for notifying individuals of a Breach. The Business Associate will also not be responsible for any notification costs. This stipulation is part of the Business Associate and Confidentiality Agreement outlined in Exhibit M of the Franchise Agreement.
This means that as a Brightstar Care franchisee, you, acting as the Covered Entity, retain the responsibility for notifying individuals in the event of a data breach. You are also responsible for covering the costs associated with such notifications. This allocation of responsibility is typical in franchise agreements where the franchisee has direct control over patient information.
However, the Business Associate is required to report any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information. It must also identify and respond internally to suspected or known Security Incidents, mitigate their harmful effects to the extent practicable, document the outcomes, and provide that documentation to the Covered Entity upon request. Brightstar Care requires that the parties meet and confer in good faith before notifying affected individuals or government agencies, or commencing any legal action, regarding any suspected or actual Breach or Security Incident or breach of the Agreement, and that they comply with applicable Privacy Laws regarding the need for and nature of any notification of individuals or reporting to government agencies.
Prospective franchisees should clarify with Brightstar Care the specific procedures and protocols for handling data breaches, including the division of responsibilities for investigation, notification, and remediation. Understanding these obligations is crucial for ensuring compliance with privacy laws and protecting the interests of both the business and its clients.