What is Brightstar Care's responsibility for documenting and reporting disclosures of PHI to the Covered Entity?

Brightstar_Care Franchise · 2025 FDD

Answer from 2025 FDD Document

authorized individuals as required by Privacy Laws and in the time, manner, and format designated by such individuals to the extent required by Privacy Laws; and

  • (b) to make any amendment(s) to PHI in a Designated Record Set as requested by Covered Entity and/or authorized individuals pursuant to 45 C.F.R. § 164.526.
  • 4.7 Restrictions on PHI. Business Associate will comply with any patient restrictions on the Use and Disclosure of PHI requested by Covered Entity under Section 5.3 below.
  • 4.8 Accounting of PHI Disclosures. Business Associate will document and report to Covered Entity all disclosures of PHI that are required for Covered Entity to provide an accounting under 45 C.F.R. § 164.528 and/or the Privacy Laws. If an individual contacts Business Associate directly for such an accounting, Business Associate will direct the individual to contact Covered Entity.
  • 4.9 Reporting of Violations and Security Incidents. Business Associate will promptly report to Covered Entity any impermissible use or disclosure under Privacy Laws of which it becomes aware that Compromises the security or privacy of the PHI ("Breach"). Business Associate will include in the report of Breach the following information if known or can be reasonably obtained:
    • (a) Contact information for individuals who may be impacted by the Breach;
    • (b) The date of Breach and a brief description of the circumstances surrounding the breach;
    • (c) A description of the type of information involved; and
    • (d) What Business Associate is doing to investigate the Breach and mitigate harm to individuals.

In addition, Business Associate will report attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system that does not Compromise the security or privacy of the PHI ("Security Incidents"). Business Associate will identify and respond internally to suspected or known Security Incidents, and will mitigate, to the extent practicable, their harmful effects, document their outcomes, and provide such documentation to Covered Entity upon request. Notice is hereby deemed provided, and no further notice will be given, with respect to routine unsuccessful attempts at unauthorized access to the PHI such as pings and other broadcast attacks on firewalls, denial of service attacks, failed login attempts, and port scans.

Source: Item 22 — CONTRACTS (FDD pages 117–118)

What This Means (2025 FDD)

According to Brightstar Care's 2025 Franchise Disclosure Document, as a Business Associate, Brightstar Care is responsible for documenting, and reporting to the Covered Entity, all disclosures of Protected Health Information (PHI) that the Covered Entity needs in order to provide an accounting of disclosures under 45 C.F.R. § 164.528 and other Privacy Laws. If an individual directly requests such an accounting from Brightstar Care, Brightstar Care must direct the individual to contact the Covered Entity.

Brightstar Care must promptly report to the Covered Entity any unauthorized use or disclosure of PHI that compromises the security or privacy of the information, which is considered a Breach. The report must include contact information for individuals affected by the Breach, the date and a description of the Breach, the type of information involved, and the steps Brightstar Care is taking to investigate and mitigate the harm.

Brightstar Care's mitigation efforts do not require it to pay for credit monitoring or similar credit protection services unless required by law, and Brightstar Care is not responsible for notifying individuals of a Breach or covering any notification costs. Brightstar Care must also allow the Covered Entity access to its internal practices, books, and records related to the use, disclosure, or compromise of PHI to ensure compliance with Privacy Laws. Additionally, Brightstar Care is prohibited from selling PHI or using it for fundraising or marketing purposes without prior written consent from the Covered Entity and in accordance with applicable Privacy Laws.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.