What is Dermani Medspa's Business Associate's obligation regarding the use of PHI?

Dermani_Medspa Franchise · 2025 FDD

Answer from 2025 FDD Document

II. Obligations and Activities of Business Associate

  • a. Use and Disclosure. Business Associate will not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate will not use or disclose PHI in a manner that would violate the Regulations if done by Covered Entity.

  • b. HIPAA Security Rule. Business Associate will develop, implement, maintain and use appropriate safeguards, and comply with the Security Rule at Subpart C of 45 C.F.R. Part 164, with respect to EPHI, to prevent use or disclosure of the PHI other than as provided for by this Agreement.

  • c. HIPAA Privacy Rule. Business Associate will comply with all requirements of the Privacy Rule at Subpart E of 45 C.F.R. Part 164 that apply to business associates.

  • d. Mitigation. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

  • e. Subcontractors. In accordance with the requirements of the Regulations, Business Associate will ensure that any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions that apply to Business Associate with respect to that PHI.

  • f. Reports of Impermissible Use or Disclosure of PHI; Security Incident. Business Associate will report to Covered Entity any use or disclosure of PHI not provided for or permitted by this Agreement of which it becomes aware, or any Security Incident of EPHI of which it becomes aware, within five (5) days of the date on which Business Associate first discovers the use, disclosure or Security Incident.

    In addition to its other obligations under this Agreement, Business Associate will take prompt action to correct any Security Incident or use or disclosure of PHI not permitted under this Agreement and any action pertaining to such Security Incident or unauthorized use or disclosure as required by applicable federal or state laws and regulations.

    Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate need not report all attempted but unsuccessful Security Incidents to Covered Entity, and that this Agreement constitutes notice to Covered Entity that such unsuccessful Security Incidents occur periodically.

Source: Item 23 — RECEIPTS (FDD pages 66–311)

What This Means (2025 FDD)

According to Dermani Medspa's 2025 Franchise Disclosure Document, a Business Associate's obligations regarding Protected Health Information (PHI) are detailed in Item 23. The Business Associate cannot use or disclose PHI except as permitted or required by the agreement or by law. It must also avoid using or disclosing PHI in a way that would violate the regulations if done by the Covered Entity.

The Business Associate is required to develop, implement, and maintain safeguards to comply with the HIPAA Security Rule, specifically 45 C.F.R. Part 164 Subpart C, to protect electronic PHI (EPHI) from unauthorized use or disclosure. It must also comply with all applicable requirements of the HIPAA Privacy Rule, outlined in 45 C.F.R. Part 164 Subpart E. If the Business Associate becomes aware of any harmful effect resulting from a use or disclosure of PHI that violates the agreement, it must take steps to mitigate that effect to the extent practicable.

Furthermore, the Business Associate must ensure that any subcontractor who creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions and obligations regarding PHI. The Business Associate is obligated to report to the Covered Entity any unauthorized use or disclosure of PHI, or any security incident involving EPHI, within five (5) days of discovery. It must also take prompt action to correct any security incident or unauthorized use or disclosure of PHI, as required by federal or state laws and regulations. The agreement also specifies that the Business Associate does not need to report all attempted but unsuccessful security incidents, as the agreement itself serves as notice that such incidents occur periodically.

These stipulations ensure that Dermani Medspa franchisees, acting as Business Associates, handle patient health information with the utmost care and in compliance with all relevant regulations, thereby protecting patient privacy and minimizing legal risks for both the franchisee and the franchisor.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.