What is Dermani Medspa's Business Associate required to do in the event of a breach of unsecured PHI?

Dermani Medspa Franchise · 2025 FDD

Answer from 2025 FDD Document

Breaches of Unsecured PHI.

Business Associate will report to Covered Entity any Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, Subcontractors or agents.

All notifications of Breach of Unsecured PHI will be made by Business Associate to Covered Entity without unreasonable delay and in no event later than five (5) days of discovery.

Business Associate will use the standard at 45 C.F.R. § 164.410(a) to determine when the Breach is treated as discovered.

All notifications will comply with Business Associate's obligations under, and include the information specified in, 45 C.F.R. § 164.410 and include any other available information that Covered Entity is required to include in its notification to individuals pursuant to 45 C.F.R. § 164.404(c).

In the event of a Breach by Business Associate, Business Associate will cooperate with Covered Entity to notify, (i) individuals whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed, and (ii) the media, as required pursuant to 45 C.F.R. § 164.406, if the legal requirements for media notification are triggered by the circumstances of such Breach.

Source: Item 23 — RECEIPTS (FDD pages 66–311)

What This Means (2025 FDD)

According to Dermani Medspa's 2025 Franchise Disclosure Document, a Business Associate who experiences a breach of unsecured Protected Health Information (PHI) has specific reporting and cooperation duties. The Business Associate must report any such breach to the Covered Entity (Dermani Medspa) without unreasonable delay, and absolutely no later than five days after discovering the breach.

The Business Associate must use the standard in 45 C.F.R. § 164.410(a) to determine when a breach is treated as discovered. Furthermore, the notification must comply with the Business Associate's obligations under 45 C.F.R. § 164.410 and include all information specified there, along with any other available information that the Covered Entity is required to include in its notifications to individuals under 45 C.F.R. § 164.404(c).

In the event of a breach, the Business Associate is obligated to cooperate with Dermani Medspa to notify individuals whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed. Additionally, the Business Associate must cooperate with Dermani Medspa to notify the media if the legal requirements for media notification are triggered by the circumstances of the breach, as required pursuant to 45 C.F.R. § 164.406.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.