In the event of a Breach, with whom will Dermani Medspa's Business Associate cooperate to notify?

According to Dermani Medspa's 2025 Franchise Disclosure Document, in the event of a data breach involving unsecured Protected Health Information (PHI), the Business Associate is required to cooperate with the Covered Entity to notify specific parties. These parties include (i) individuals whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed, and (ii) the media, if the legal requirements for media notification are triggered by the circumstances of such Breach, as required pursuant to 45 C.F.R. § 164.406.

This means that if a Dermani Medspa franchisee's Business Associate experiences a data breach, they must work with Dermani Medspa to inform both the individuals affected by the breach and, if necessary, the media. The notification to individuals must comply with 45 C.F.R. § 164.404(c). The FDD specifies that the Business Associate must report any Breach of Unsecured PHI to the Covered Entity without unreasonable delay and in no event later than five (5) days of discovery.

This requirement ensures that Dermani Medspa and its franchisees are proactive in addressing data breaches, protecting patient information, and maintaining compliance with privacy regulations. Franchisees should ensure their Business Associate understands these obligations and has procedures in place to promptly identify and report any breaches. This cooperation is essential for mitigating potential damage and maintaining the trust of individuals whose data may have been compromised.