What is Dermani Medspa's Business Associate's obligation to report breaches of unsecured PHI?

Dermani Medspa Franchise · 2025 FDD

Answer from 2025 FDD Document

Breaches of Unsecured PHI.

Business Associate will report to Covered Entity any Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, Subcontractors or agents.

All notifications of Breach of Unsecured PHI will be made by Business Associate to Covered Entity without unreasonable delay and in no event later than five (5) days of discovery.

Business Associate will use the standard at 45 C.F.R. § 164.410(a) to determine when the Breach is treated as discovered.

All notifications will comply with Business Associate's obligations under, and include the information specified in, 45 C.F.R. § 164.410 and include any other available information that Covered Entity is required to include in its notification to individuals pursuant to 45 C.F.R. § 164.404(c).

In the event of a Breach by Business Associate, Business Associate will cooperate with Covered Entity to notify, (i) individuals whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed, and (ii) the media, as required pursuant to 45 C.F.R. § 164.406, if the legal requirements for media notification are triggered by the circumstances of such Breach.

Source: Item 23 — RECEIPTS (FDD pages 66–311)

What This Means (2025 FDD)

According to Dermani Medspa's 2025 Franchise Disclosure Document, franchisees, as the Business Associate, must report to the Covered Entity any Breach of Unsecured PHI (Protected Health Information) by the franchisee or any of its officers, directors, employees, Subcontractors or agents. This notification must be made without unreasonable delay and no later than five days after discovery of the breach.

The Dermani Medspa franchisee, as the Business Associate, must adhere to the standard outlined in 45 C.F.R. § 164.410(a) to determine when a breach is considered discovered. All notifications must comply with the obligations and include the information specified in 45 C.F.R. § 164.410, along with any other available information that the Covered Entity is required to include in its notification to individuals, as per 45 C.F.R. § 164.404(c).

In the event of a breach, the franchisee must cooperate with the Covered Entity to notify individuals whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed. Additionally, the franchisee must cooperate with the Covered Entity to notify the media, as required pursuant to 45 C.F.R. § 164.406, if the legal requirements for media notification are triggered by the circumstances of such Breach.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.