What is Dermani Medspa's Business Associate required to do regarding subcontractors who handle PHI?

Dermani Medspa Franchise · 2025 FDD

Answer from 2025 FDD Document

In accordance with the requirements of the Regulations, Business Associate will ensure that any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions that apply to Business Associate with respect to that PHI.

Business Associate and its Subcontractors, if any, will only request, use and disclose the minimum amount of PHI necessary to accomplish the intended purpose of the request, use or disclosure.

Business Associates agrees, and it will ensure that its Subcontractors agree, to comply with Section 13405(b) of HITECH, any regulations issued thereunder or any guidance from the Secretary regarding what constitutes the definition of minimum necessary.

Source: Item 23 — RECEIPTS (FDD pages 66–311)

What This Means (2025 FDD)

According to Dermani Medspa's 2025 Franchise Disclosure Document, a Business Associate must ensure that any subcontractor who creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of the Business Associate agrees in writing to the same restrictions that apply to the Business Associate regarding that PHI. This requirement is in accordance with regulations governing the handling of PHI.

In practical terms, this means that if a Dermani Medspa franchisee (acting as a Business Associate) hires a third-party vendor to manage patient records or handle billing, that vendor (the Subcontractor) must sign a written agreement to protect the confidentiality and security of the PHI. This agreement must impose the same restrictions on the Subcontractor as are imposed on the franchisee by their agreement with Dermani Medspa.

This requirement aims to create a chain of responsibility, ensuring that PHI is protected at every level. It also means that the Dermani Medspa franchisee needs to carefully vet and monitor any subcontractors who handle PHI to ensure they are complying with HIPAA and other relevant regulations. Failure to do so could result in penalties for both the subcontractor and the franchisee.

The Business Associate and its Subcontractors, if any, will only request, use and disclose the minimum amount of PHI necessary to accomplish the intended purpose of the request, use or disclosure. Business Associates agrees, and it will ensure that its Subcontractors agree, to comply with Section 13405(b) of HITECH, any regulations issued thereunder or any guidance from the Secretary regarding what constitutes the definition of minimum necessary.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.