What does the Business Associate of Degree Wellness need to protect regarding ePHI?
Degree Wellness Franchise · 2025 FDD
Answer from 2025 FDD Document
e PHI to a health plan for payment or Health Care Operations purposes if a patient has requested this special restriction, and has paid out of pocket in full for the healthcare item or service to which the PHI solely relates. Business Associate shall not sell PHI as provided in 45 C.F.R. § 164.502.
- (d) Other Business Associates. As part of its providing functions, activities, and/or services to Covered Entity, Business Associate may disclose information, including PHI, to other business associates of Covered Entity, and Business Associate may use and disclose information, including PHI, received from other business associates of Covered Entity as if this information was received from, or originated with, Covered Entity.
- (e) Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.
- (f) Reporting of Unauthorized Uses or Disclosures and Security Incidents. Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement and, any Security Incidents of which Business Associate (or Business Associate's employee, officer or agent) becomes aware. Business Associate shall so notify Covered Entity pursuant to this Section 3(f) within twenty-four (24) hours after Business Associate becomes aware of such unauthorized use, disclosure or Security Incident.
- (g) Reporting of Breach of Unsecured PHI. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which Business Associate (or Business Associate's employee, officer or agent) becomes aware without unreasonable delay and in no case later than twenty-four (24) hours after Business Associate knows of such Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
- (h) Agents and Subcontractors.
Source: Item 23 — Receipts (FDD pages 66–257)
What This Means (2025 FDD)
According to Degree Wellness's 2025 Franchise Disclosure Document, as a Business Associate, the franchisee must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) that it creates, receives, maintains, or transmits on behalf of the Covered Entity. The franchisee must comply with the policies, procedures, and documentation requirements of the HIPAA Security Rule, including specific sections outlined in 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.
Degree Wellness franchisees are required to report any unauthorized access, use, or disclosure of PHI, as well as any security incidents, to the Covered Entity in writing. This ensures that any breaches or potential compromises of sensitive health information are promptly addressed and mitigated. The franchisee is responsible for making decisions regarding the safeguarding of PHI and must adhere to state laws that may provide more restrictive requirements than HIPAA, the HIPAA Regulations, or the HITECH Act.
Degree Wellness, as the Covered Entity, may examine the franchisee's facilities, systems, procedures, and records to certify the extent to which the franchisee's security safeguards comply with HIPAA, the HIPAA Regulations, the HITECH Act, and the Business Associate Agreement. This examination can be conducted by Degree Wellness or its authorized agents or contractors, ensuring that the franchisee maintains adequate security measures to protect PHI. The franchisee is also obligated to extend the protections outlined in the Business Associate Agreement to PHI and limit further uses and disclosures to purposes that make the return or destruction of the PHI unfeasible, as long as the franchisee maintains such PHI.