What is the deadline for a Degree Wellness Business Associate to report a Breach of Unsecured PHI?
Degree Wellness Franchise · 2025 FDD
Answer from 2025 FDD Document
- (g) Reporting of Breach of Unsecured PHI.
Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which Business Associate (or Business Associate's employee, officer or agent) becomes aware without unreasonable delay and in no case later than twenty-four (24) hours after Business Associate knows of such Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
Source: Item 23 — Receipts (FDD pages 66–257)
What This Means (2025 FDD)
According to Degree Wellness's 2025 Franchise Disclosure Document, a Business Associate must report any Breach of Unsecured Protected Health Information (PHI) to the Covered Entity. The report must be made without unreasonable delay, and in no case later than twenty-four (24) hours after the Business Associate becomes aware of such Breach. An exception exists if a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
This requirement ensures timely notification and mitigation of potential harm resulting from a breach. The term "Unsecured PHI" refers to PHI that is not secured through a technology or methodology specified by the Secretary in guidance or as otherwise defined in 45 C.F.R. § 164.402.
The reporting obligation covers breaches that come to the attention of the Business Associate's employees, officers, or agents, not only the Business Associate itself. Furthermore, the Business Associate must ensure that any agent or subcontractor who is provided with PHI agrees in writing to the same restrictions and conditions, including the implementation of safeguards for electronic PHI (ePHI). The Business Associate is also responsible for taking steps to end any violations by its agents and, if unsuccessful, must terminate the arrangement if feasible.
Degree Wellness also requires its Business Associates to mitigate, to the extent practicable, any harmful effect known to them resulting from a use or disclosure of PHI in violation of the agreement. This includes cooperating with the Covered Entity to fulfill individual requests for access to PHI and to comply with all applicable laws and regulations.