What must the Business Associate of Degree Wellness report to the Covered Entity regarding PHI?

Degree_Wellness Franchise · 2025 FDD

Answer from 2025 FDD Document

es to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.

  • (f) Reporting of Unauthorized Uses or Disclosures and Security Incidents. Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement and, any Security Incidents of which Business Associate (or Business Associate's employee, officer or agent) becomes aware. Business Associate shall so notify Covered Entity pursuant to this Section 3(f) within twenty-four (24) hours after Business Associate becomes aware of such unauthorized use, disclosure or Security Incident.
  • (g) Reporting of Breach of Unsecured PHI. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which Business Associate (or Business Associate's employee, officer or agent) becomes aware without unreasonable delay and in no case later than twenty-four (24) hours after Business Associate knows of such Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
  • (h) Agents and Subcontractors.

Source: Item 23 — Receipts (FDD pages 66–257)

What This Means (2025 FDD)

According to Degree Wellness's 2025 Franchise Disclosure Document, the Business Associate Agreement outlines several reporting obligations regarding Protected Health Information (PHI). The Business Associate must report to the Covered Entity, in writing, any access, use, or disclosure of PHI not explicitly provided for or permitted by the agreement. This includes reporting any Security Incidents of which the Business Associate, its employees, officers, or agents become aware.

The Business Associate is required to notify the Covered Entity within twenty-four (24) hours after becoming aware of any unauthorized use, disclosure, or Security Incident. Additionally, the Business Associate must report any Breach of Unsecured PHI without unreasonable delay, and no later than twenty-four (24) hours after knowing of such a Breach. An exception exists if a law enforcement official determines that such notification would impede a criminal investigation or cause damage to national security.

Furthermore, if the Business Associate makes any disclosures of PHI subject to the accounting requirements of the Privacy Rule, it must report these disclosures to the Covered Entity within three (3) days of the disclosure. This notice must include the name of the individual, the recipient, the reason for disclosure, and the date of the disclosure. The Business Associate must also maintain a record of each disclosure for six (6) years, including the date, recipient information, a description of the PHI disclosed, and the purpose of the disclosure, and must make that record available to the Covered Entity upon request in an electronic format.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.