
For Degree Wellness, what is the Business Associate required to do if they access PHI not permitted by the agreement?

Degree_Wellness Franchise · 2025 FDD

Answer from 2025 FDD Document

es to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.

  • (f) Reporting of Unauthorized Uses or Disclosures and Security Incidents. Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement and any Security Incidents of which Business Associate (or Business Associate's employee, officer or agent) becomes aware. Business Associate shall so notify Covered Entity pursuant to this Section 3(f) within twenty-four (24) hours after Business Associate becomes aware of such unauthorized use, disclosure or Security Incident.
  • (g) Reporting of Breach of Unsecured PHI.

Source: Item 23 — Receipts (FDD pages 66–257)

What This Means (2025 FDD)

According to Degree Wellness's 2025 Franchise Disclosure Document, if a Business Associate accesses, uses, or discloses Protected Health Information (PHI) in a way the Business Associate Agreement does not permit, it must report that access, use, or disclosure to the Covered Entity (Wellness Provider Therapies, P.A.) in writing. The same written-reporting duty covers any Security Incident the Business Associate becomes aware of, including incidents known to its employees, officers, or agents.

The Business Associate must deliver that notice within twenty-four (24) hours of becoming aware of the unauthorized access, use, disclosure, or Security Incident. Separately, if there is a breach of unsecured PHI, the Business Associate must report it to the Covered Entity without unreasonable delay, and no later than twenty-four (24) hours after becoming aware of the breach, except where a law enforcement official determines that notification would impede a criminal investigation or damage national security. Note that this contractual window is far tighter than the regulatory ceiling: the HIPAA Breach Notification Rule (45 C.F.R. § 164.410) only requires a business associate to notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery, so a franchisee's incident-response procedures must be built around the agreement's 24-hour clock, not the 60-day statutory maximum.

The Business Associate is also required to mitigate, to the extent practicable, any harmful effect of an unauthorized use or disclosure of PHI by itself or by its agents or subcontractors. This includes taking reasonable steps to end any violation by an agent and terminating the arrangement if the agent's violations cannot be cured. Taken together, these provisions require Degree Wellness franchisees acting as Business Associates to detect, report, and remediate unauthorized access to PHI on a fixed timeline, in support of patient privacy and the franchisor's HIPAA obligations.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.