Under what circumstances can the Business Associate for Degree Wellness disclose PHI?
Degree Wellness Franchise · 2025 FDD
Answer from 2025 FDD Document
entiality of the PHI, to the extent such third party has obtained knowledge of such breach. Business Associate agrees to limit its disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the disclosure.
- (c) Prohibited Uses and Disclosures. Business Associate shall not use or disclose PHI for fundraising or marketing purposes. In accordance with 45 C.F.R. § 164.522(a)(1)(B)(6), Business Associate shall not disclose PHI to a health plan for payment or Health Care Operations purposes if a patient has requested this special restriction, and has paid out of pocket in full for the healthcare item or service to which the PHI solely relates. Business Associate shall not sell PHI as provided in 45 C.F.R. § 164.502.
- (d) Other Business Associates. As part of its providing functions, activities, and/or services to Covered Entity, Business Associate may disclose information, including PHI, to other business associates of Covered Entity, and Business Associate may use and disclose information, including PHI, received from other business associates of Covered Entity as if this information was received from, or originated with, Covered Entity.
- (e) Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.
- (f) Reporting of Unauthorized Uses or Disclosures and Security Incidents. Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement and, any Security Incidents of which Business Associate (or Business Associate's employee, officer or agent) becomes aware. Business Associate shall so notify Covered Entity pursuant to this Section 3(f) within twenty-four (24) hours after Business Associate becomes aware of such unauthorized use, disclosure or Security Incident.
- (g) Reporting of Breach of Unsecured PHI. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which Business Associate (or Business Associate's employee, officer or agent) becomes aware without unreasonable delay and in no case later than twenty-four (24) hours after Business Associate knows of such Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
- (h) Agents and Subcontractors. Business Associate agrees to ensure that any agent, including a subcontractor, to whom Business Associate provides PHI, agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI, and implement the safeguards required by Section 3(e) above with respect to ePHI. If Business Associate knows of a pattern of activity or practice of an agent that constitutes a violation of the agent's obligations to Business Associate, Business Associate shall take reasonable steps to end the violation, and if such steps are unsuccessful, Business Associate must terminate the arrangement if feasible.
- (i) Mitigation of Unauthorized Uses or Disclosures.
Source: Item 23 — Receipts (FDD pages 66–257)
What This Means (2025 FDD)
According to Degree Wellness's 2025 Franchise Disclosure Document, the Business Associate Agreement outlines specific circumstances under which the Business Associate may disclose Protected Health Information (PHI). The Business Associate is permitted to disclose PHI for its own proper administration and to fulfill its legal responsibilities. Additionally, PHI can be disclosed for Data Aggregation purposes related to the Health Care Operations of the Covered Entity, which is Wellness Provider Therapies, P.A.
However, Degree Wellness's Business Associate must obtain written assurances from any third party receiving PHI, ensuring the information remains confidential and is disclosed only as legally required or for the intended purpose. The third party must also agree to immediately report any confidentiality breaches. The Business Associate must limit PHI disclosure to the minimum amount necessary for the intended purpose.
Furthermore, the Business Associate is obligated to disclose PHI if required by law. The Business Associate must also make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for compliance audits related to HIPAA, the HIPAA Regulations, and the HITECH Act. The Business Associate must cooperate with the Secretary during investigations or compliance reviews and permit access to facilities, books, records, and other information sources, including PHI, during normal business hours.
It is important to note that the Business Associate is prohibited from using or disclosing PHI for fundraising or marketing purposes and from selling PHI. If a patient has paid out of pocket for a healthcare item or service and requested a special restriction, the Business Associate cannot disclose PHI to a health plan for payment or Health Care Operations purposes. Any unauthorized access, use, or disclosure of PHI must be reported to the Covered Entity in writing, along with any security incidents.