What must the Business Associate of Degree Wellness report in writing to the Covered Entity?

Degree Wellness Franchise · 2025 FDD

Answer from 2025 FDD Document

es to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.

  • (f) Reporting of Unauthorized Uses or Disclosures and Security Incidents. Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement and, any Security Incidents of which Business Associate (or Business Associate's employee, officer or agent) becomes aware. Business Associate shall so notify Covered Entity pursuant to this Section 3(f) within twenty-four (24) hours after Business Associate becomes aware of such unauthorized use, disclosure or Security Incident.
  • (g) Reporting of Breach of Unsecured PHI. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which Business Associate (or Business Associate's employee, officer or agent) becomes aware without unreasonable delay and in no case later than twenty-four (24) hours after Business Associate knows of such Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
  • (h) Agents and Subcontractors. Business Associate agrees to ensure that any agent, including a subcontractor, to whom Business Associate provides PHI, agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI, and implement the safeguards required by Section 3(e) above with respect to ePHI.

Source: Item 23 — Receipts (FDD pages 66–257)

What This Means (2025 FDD)

According to Degree Wellness's 2025 Franchise Disclosure Document, the Business Associate is required to make several written reports to the Covered Entity. Specifically, the Business Associate must report any access, use, or disclosure of Protected Health Information (PHI) not explicitly provided for or permitted by the Business Associate Agreement. This includes reporting any Security Incidents of which the Business Associate becomes aware. This notification must occur within twenty-four (24) hours of the Business Associate becoming aware of the unauthorized use, disclosure, or Security Incident.

Additionally, the Business Associate must report any Breach of Unsecured PHI of which they become aware, without unreasonable delay, and no later than twenty-four (24) hours after knowing of such Breach. An exception exists if a law enforcement official determines that such notification would impede a criminal investigation or damage national security. The Business Associate must also provide written notice confirming that they have made amendments or addenda to PHI as directed by the Covered Entity within fifteen (15) business days of the amendment.

Furthermore, if the Business Associate makes any disclosures of PHI subject to the accounting requirements of the Privacy Rule, they must report such disclosures to the Covered Entity within three (3) days of the disclosure. This report must include the name of the Individual, the recipient, the reason for disclosure, and the date of the disclosure. These stringent reporting requirements are in place to ensure compliance with HIPAA and to protect the privacy and security of patient information.

For a prospective Degree Wellness franchisee, this means understanding and implementing procedures to promptly identify and report any unauthorized access, use, or disclosure of PHI. Failure to comply with these reporting requirements could result in significant penalties and legal repercussions for both the franchisee and Degree Wellness.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.