In the Dermani Medspa FDD, what constitutes a 'Security Incident'?
Dermani Medspa Franchise · 2025 FDD
Answer from 2025 FDD Document
Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate need not report all attempted but unsuccessful Security Incidents to Covered Entity, and that this Agreement constitutes notice to Covered Entity that such unsuccessful Security Incidents occur periodically.
Unsuccessful Security Incidents include, but are not limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as such incidents do not result in actual unauthorized access, use, or disclosure of PHI.
Source: Item 23 — RECEIPTS (FDD pages 66–311)
What This Means (2025 FDD)
According to the 2025 Dermani Medspa FDD, a 'Security Incident' is defined in the context of Protected Health Information (PHI). The document clarifies that Dermani Medspa's 'Business Associate' (likely referring to the franchisee) does not need to report all attempted but unsuccessful security incidents to the 'Covered Entity' (likely referring to Dermani Medspa Franchising LLC), as the agreement itself serves as notification that such incidents occur periodically. This indicates that Dermani Medspa acknowledges the inevitability of attempted security breaches. However, any actual breach of unsecured PHI must be reported without unreasonable delay, and no later than five days after discovery.
The FDD specifies that unsuccessful security incidents include activities such as pings and other broadcast attacks on the firewall, port scans, unsuccessful log-on attempts, and denial-of-service attacks. The critical factor determining whether these incidents must be reported is whether they result in actual unauthorized access, use, or disclosure of PHI. This distinction is important for franchisees, as it sets a threshold for reporting, focusing on actual compromises of sensitive data rather than routine attempted breaches.
If a breach of unsecured PHI occurs, the franchisee must follow specific procedures outlined in 45 C.F.R. § 164.410(a) to determine when the breach is considered discovered. Furthermore, notifications must comply with 45 C.F.R. § 164.410 and include information required under 45 C.F.R. § 164.404(c). In the event of a breach, the franchisee is obligated to cooperate with Dermani Medspa to notify individuals whose unsecured PHI has been accessed, as well as the media if required by 45 C.F.R. § 164.406. This highlights the importance of data protection and incident response planning for Dermani Medspa franchisees, given the sensitive nature of medical information handled in their medspa centers.
For a prospective Dermani Medspa franchisee, understanding these definitions and obligations is crucial. It is important to have robust security measures in place to prevent breaches of PHI and to establish clear protocols for reporting and responding to security incidents. The franchisee should consult with legal and IT professionals to ensure compliance with HIPAA regulations and to develop a comprehensive data security plan.