Does the Business Associate of Degree Wellness have to limit its use of PHI?
Degree_Wellness Franchise · 2025 FDDAnswer from 2025 FDD Document
Business Associate agrees to limit its use of PHI to the minimum amount necessary to accomplish the intended purpose of the use.
Business Associate agrees to limit its disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the disclosure.
- (c) Prohibited Uses and Disclosures.
Business Associate shall not use or disclose PHI for fundraising or marketing purposes.
In accordance with 45 C.F.R. § 164.522(a)(1)(B)(6), Business Associate shall not disclose PHI to a health plan for payment or Health Care Operations purposes if a patient has requested this special restriction, and has paid out of pocket in full for the healthcare item or service to which the PHI solely relates.
Business Associate shall not sell PHI as provided in 45 C.F.R. § 164.502.
- (e) Safeguards.
Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of
the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.
- (f) Reporting of Unauthorized Uses or Disclosures and Security Incidents.
Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement and, any Security Incidents of which Business Associate (or Business Associate's employee, officer or agent) becomes aware.
Source: Item 23 — Receipts (FDD pages 66–257)
What This Means (2025 FDD)
According to Degree Wellness's 2025 Franchise Disclosure Document, as a Business Associate, franchisees must limit their use of Protected Health Information (PHI). The agreement specifies that the Business Associate must limit both the use and disclosure of PHI to the minimum amount necessary to fulfill the intended purpose.
Degree Wellness franchisees operating as Business Associates are prohibited from using or disclosing PHI for fundraising or marketing purposes. They are also restricted from disclosing PHI to a health plan for payment or healthcare operations if a patient has requested a special restriction and has paid out-of-pocket for the healthcare item or service related to the PHI. Selling PHI is also prohibited.
To safeguard PHI, Degree Wellness requires its Business Associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Franchisees are also responsible for complying with the policies, procedures, and documentation requirements of the HIPAA Security Rule. Any unauthorized access, use, or disclosure of PHI, as well as any security incidents, must be reported to the Covered Entity in writing.