What is the Business Associate of Degree Wellness required to do if they become aware of any Security Incidents?
Degree Wellness Franchise · 2025 FDD
Answer from 2025 FDD Document
Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement and, any Security Incidents of which Business Associate (or Business Associate's employee, officer or agent) becomes aware.
Business Associate shall so notify Covered Entity pursuant to this Section 3(f) within twenty-four (24) hours after Business Associate becomes aware of such unauthorized use, disclosure or Security Incident.
- (g) Reporting of Breach of Unsecured PHI.
Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which Business Associate (or Business Associate's employee, officer or agent) becomes aware without unreasonable delay and in no case later than twenty-four (24) hours after Business Associate knows of such Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
- (h) Agents and Subcontractors.
Business Associate agrees to ensure that any agent, including a subcontractor, to whom Business Associate provides PHI, agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI, and implement the safeguards required by Section 3(e) above with respect to ePHI.
If Business Associate knows of a pattern of activity or practice of an agent that constitutes a violation of the agent's obligations to Business Associate, Business Associate shall take reasonable steps to end the violation, and if such steps are unsuccessful, Business Associate must terminate the arrangement if feasible.
- (i) Mitigation of Unauthorized Uses or Disclosures.
Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or one of its agents or subcontractors in violation of the requirements of this Agreement.
Source: Item 23 — Receipts (FDD pages 66–257)
What This Means (2025 FDD)
According to Degree Wellness's 2025 Franchise Disclosure Document, as a Business Associate, franchisees must report any Security Incidents to the Covered Entity (Wellness Provider Therapies, P.A.) in writing. This includes any unauthorized access, use, or disclosure of Protected Health Information (PHI) not permitted by the Business Associate Agreement.
The report must be submitted within twenty-four (24) hours of the Business Associate (or their employee, officer, or agent) becoming aware of the incident. Additionally, franchisees must report any Breach of Unsecured PHI without unreasonable delay, and no later than twenty-four (24) hours after they know of such Breach. An exception exists if a law enforcement official determines that notification would impede a criminal investigation or damage national security.
Furthermore, Degree Wellness franchisees are obligated to ensure that any agents or subcontractors who are provided with PHI agree in writing to the same restrictions and conditions regarding PHI. Franchisees must also take reasonable steps to end any violations by an agent and, if unsuccessful, terminate the arrangement if feasible. Finally, franchisees must mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI in violation of the Business Associate Agreement.