Does the Business Associate of Degree Wellness have to limit its disclosure of PHI?
Degree_Wellness Franchise · 2025 FDDAnswer from 2025 FDD Document
iness Associate shall not disclose PHI in any manner that would constitute a violation of the Privacy Rule or the HITECH Act if so disclosed by Covered Entity. In addition, if Business Associate discloses PHI to a third party, Business Associate must obtain, prior to making any such disclosure, (i) satisfactory written assurances from such third party that the PHI will be held as confidential as provided pursuant to this Agreement and only disclosed as Required By Law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to immediately notify Business Associate of any breaches of confidentiality of the PHI, to the extent such third party has obtained knowledge of such breach. Business Associate agrees to limit its disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the disclosure.
- (c) Prohibited Uses and Disclosures. Business Associate shall not use or disclose PHI for fundraising or marketing purposes. In accordance with 45 C.F.R. § 164.522(a)(1)(B)(6), Business Associate shall not disclose PHI to a health plan for payment or Health Care Operations purposes if a patient has requested this special restriction, and has paid out of pocket in full for the healthcare item or service to which the PHI solely relates. Business Associate shall not sell PHI as provided in 45 C.F.R. § 164.502.
Source: Item 23 — Receipts (FDD pages 66–257)
What This Means (2025 FDD)
According to Degree Wellness's 2025 Franchise Disclosure Document, as a Business Associate, franchisees must limit their disclosure of Protected Health Information (PHI) to the minimum amount necessary to achieve the intended purpose of the disclosure. This requirement is part of Degree Wellness's compliance with HIPAA, the HITECH Act, and related regulations. This limitation ensures that franchisees only share the essential information required for specific tasks, protecting patient privacy.
Specifically, the Degree Wellness Business Associate Agreement prohibits the use or disclosure of PHI for fundraising or marketing purposes. Additionally, franchisees cannot disclose PHI to a health plan for payment or healthcare operations if a patient has requested a special restriction and has paid out-of-pocket in full for the healthcare item or service related to the PHI. The agreement also prohibits selling PHI, reinforcing the commitment to patient data protection.
To further safeguard PHI, Degree Wellness franchisees must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Franchisees are also required to report any unauthorized access, use, or disclosure of PHI, as well as any security incidents, to the Covered Entity (Wellness Provider Therapies, P.A.) in writing. This ensures that any potential breaches are promptly addressed and mitigated.
These measures are critical for maintaining compliance with privacy laws and protecting patient information. Prospective Degree Wellness franchisees should understand these obligations and ensure they have the necessary systems and training in place to handle PHI responsibly. Failure to comply with these requirements could result in significant penalties and damage to the reputation of both the franchisee and the Degree Wellness brand.