For Degree Wellness, what aspects of ePHI must the Business Associate protect?

Degree Wellness Franchise · 2025 FDD

Answer from 2025 FDD Document

Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.

In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.

Source: Item 23 — Receipts (FDD pages 66–257)

What This Means (2025 FDD)

According to Degree Wellness's 2025 Franchise Disclosure Document, as a Business Associate, the franchisee must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) that it creates, receives, maintains, or transmits on behalf of the Covered Entity. The franchisee is directly responsible for full compliance with the policies, procedures, and documentation requirements of the HIPAA Security Rule, including specific sections outlined in 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.

This means that a Degree Wellness franchisee must establish and maintain security measures to ensure that ePHI is not improperly accessed, altered, or disclosed. These safeguards encompass a range of practices, from securing physical locations where ePHI is stored to implementing technical controls like encryption and access restrictions on electronic systems. The franchisee must also have documented policies and procedures in place to manage these safeguards and ensure ongoing compliance with HIPAA regulations.

The franchisee's responsibilities extend to any agents or subcontractors they use who also handle ePHI. The franchisee must ensure that these parties agree in writing to the same restrictions and conditions regarding PHI protection and implement the necessary safeguards. Furthermore, the franchisee must take action if they become aware of any violations by these agents, including terminating the arrangement if necessary.

Failure to comply with these requirements can result in significant penalties under HIPAA and the HITECH Act. Therefore, it is crucial for prospective Degree Wellness franchisees to fully understand their obligations as a Business Associate and to invest in the necessary resources and expertise to protect ePHI effectively. This includes conducting regular risk assessments, providing ongoing training to staff, and implementing robust security measures to prevent unauthorized access, use, or disclosure of sensitive health information.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.