For Dermani Medspa, what must a Business Associate document regarding disclosures of PHI?
Dermani Medspa Franchise · 2025 FDD
Answer from 2025 FDD Document
Privacy Rule at Subpart E of 45 C.F.R. Part 164 that apply to business associates.
- d. Mitigation. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
- e. Subcontractors. In accordance with the requirements of the Regulations, Business Associate will ensure that any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions that apply to Business Associate with respect to that PHI.
- f. Reports of Impermissible Use or Disclosure of PHI; Security Incident. Business Associate will report to Covered Entity any use or disclosure of PHI not provided for or permitted by this Agreement of which it becomes aware, or any Security Incident of EPHI of which it becomes aware, within five (5) days of the date on which Business Associate first discovers the use, disclosure or Security Incident. In addition to its other obligations under this Agreement, Business Associate will take prompt action to correct any Security Incident or use or disclosure of PHI not permitted under this Agreement and any action pertaining to such Security Incident or unauthorized use or disclosure as required by applicable federal or state laws and regulations. Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate need not report all attempted but unsuccessful Security Incidents to Covered Entity, and that this Agreement constitutes notice to Covered Entity that such unsuccessful Security Incidents occur periodically. Unsuccessful Security Incidents include, but are not limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as such incidents do not result in actual unauthorized access, use, or disclosure of PHI.
- g. Breaches of Unsecured PHI. Business Associate will report to Covered Entity any Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, Subcontractors or agents. All notifications of Breach of Unsecured PHI will be made by Business Associate to Covered Entity without unreasonable delay and in no event later than five (5) days of discovery. Business Associate will use the standard at 45 C.F.R. § 164.410(a) to determine when the Breach is treated as discovered. All notifications will comply with Business Associate's obligations under, and include the information specified in, 45 C.F.R.
Source: Item 23 — RECEIPTS (FDD pages 66–311)
What This Means (2025 FDD)
According to Dermani Medspa's 2025 Franchise Disclosure Document, the Business Associate Agreement imposes specific reporting and documentation duties on any Business Associate that handles Protected Health Information (PHI) for the Covered Entity (Dermani Medspa). The Business Associate must report to the Covered Entity any use or disclosure of PHI not permitted by the agreement, and any Security Incident involving Electronic Protected Health Information (EPHI), within five days of first discovering it, and must take prompt corrective action as required by applicable federal and state law. A Breach of Unsecured PHI by the Business Associate or any of its officers, directors, employees, Subcontractors or agents must also be reported without unreasonable delay and no later than five days after discovery, with discovery judged by the standard in 45 C.F.R. § 164.410(a): the breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the Business Associate. This contractual five-day window is far tighter than the 60-day outer limit the Breach Notification Rule itself sets for business associates in 45 C.F.R. § 164.410(b), so a Business Associate's incident response procedures must be built around the contract deadline, not the regulatory one. The Business Associate must also mitigate, to the extent practicable, any known harmful effect of an improper use or disclosure, and must bind in writing any Subcontractor that creates, receives, maintains or transmits PHI on its behalf to the same restrictions.
The Business Associate is not required to report every attempted but unsuccessful Security Incident; the agreement itself serves as standing notice that such incidents (pings and other broadcast attacks on the firewall, port scans, unsuccessful log-on attempts, denials of service, and combinations of these) occur periodically. This carve-out applies only so long as the incident does not result in actual unauthorized access to, use of, or disclosure of PHI: a port scan followed by a successful log-on, or a denial of service that ends in exposure of PHI, is a reportable Security Incident on the five-day clock. The Business Associate will also notify the Covered Entity of any PHI it provides to the Secretary of Health and Human Services at the same time it is provided, and will furnish a duplicate copy to the Covered Entity on request.
Additionally, within five days of a written request from Dermani Medspa, the Business Associate must allow a reasonable inspection of its books and records relating to the use or disclosure of PHI, so that compliance with the agreement and the Regulations can be determined. Dermani Medspa must protect the confidentiality of the Business Associate's proprietary information during such an inspection, and the scope, location and timing of the inspection must be agreed in advance. Dermani Medspa bears the cost of the audit if the Business Associate is found to be in compliance; the Business Associate bears it if violations are found. Such inspections are limited to once per calendar year.
These provisions give Dermani Medspa oversight of how its Business Associates handle PHI and support its own HIPAA compliance. Prospective franchisees should understand these requirements and confirm that any Business Associate they engage can actually meet them, in particular the five-day reporting deadlines, which presuppose that the vendor has working incident detection and escalation in place before an incident occurs.