What safeguards must the Business Associate of Degree Wellness implement to protect PHI?
Degree Wellness Franchise · 2025 FDD
Answer from 2025 FDD Document
e PHI to a health plan for payment or Health Care Operations purposes if a patient has requested this special restriction, and has paid out of pocket in full for the healthcare item or service to which the PHI solely relates. Business Associate shall not sell PHI as provided in 45 C.F.R. § 164.502.
- (d) Other Business Associates. As part of its providing functions, activities, and/or services to Covered Entity, Business Associate may disclose information, including PHI, to other business associates of Covered Entity, and Business Associate may use and disclose information, including PHI, received from other business associates of Covered Entity as if this information was received from, or originated with, Covered Entity.
- (e) Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.
- (f) Reporting of Unauthorized Uses or Disclosures and Security Incidents. Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement and any Security Incidents of which Business Associate (or Business Associate's employee, officer or agent) becomes aware. Business Associate shall so notify Covered Entity pursuant to this Section 3(f) within twenty-four (24) hours after Business Associate becomes aware of such unauthorized use, disclosure or Security Incident.
- (g) Reporting of Breach of Unsecured PHI.
Source: Item 23 — Receipts (FDD pages 66–257)
What This Means (2025 FDD)
According to Degree Wellness's 2025 Franchise Disclosure Document, as a Business Associate, the franchisee must use appropriate safeguards to prevent unauthorized use or disclosure of Protected Health Information (PHI). This includes implementing administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI) that the franchisee creates, receives, maintains, or transmits on behalf of the Covered Entity (Wellness Provider Therapies, P.A.).
The Degree Wellness franchisee, as a Business Associate, is directly responsible for full compliance with the policies, procedures, and documentation requirements of the HIPAA Security Rule, as outlined in 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316, in accordance with 42 U.S.C. § 17931 of the HITECH Act. Those sections cover, respectively, administrative safeguards (including the security risk analysis and workforce training), physical safeguards, technical safeguards (access control, audit controls, integrity, authentication, and transmission security), organizational requirements, and the policies, procedures, and documentation requirements. Furthermore, the franchisee must ensure that any agent or subcontractor who is provided with PHI agrees in writing to the same restrictions and conditions, including implementing the safeguards required by Section 3(e) of the agreement with respect to ePHI.
In practical terms, this means a Degree Wellness franchisee must invest in and maintain secure IT systems for any ePHI it handles, train staff on HIPAA compliance, establish clear protocols for handling PHI, and keep the written policies and records that the Security Rule's documentation requirements call for. They must also have a plan for mitigating any harmful effects resulting from unauthorized use or disclosure of PHI. The franchisee is obligated to report any unauthorized access, use, or disclosure of PHI, as well as any security incidents, to the Covered Entity in writing within twenty-four (24) hours of becoming aware of them (Section 3(f)). They must also report any breach of unsecured PHI (Section 3(g)) without unreasonable delay, and no later than 24 hours after becoming aware of the breach.
Degree Wellness franchisees should be aware that they are solely responsible for decisions regarding the safeguarding of PHI and should not rely on the Covered Entity's assessment of their compliance. The Covered Entity or its agents may examine the franchisee's facilities, systems, and procedures to certify compliance with HIPAA, the HIPAA Regulations, and the HITECH Act. Failure to comply with these requirements can lead to termination of the Business Associate Agreement and potential legal and financial repercussions; because the HITECH Act applies the Security Rule to business associates directly, that exposure is not limited to the contractual relationship with the Covered Entity.