What specific actions must Dermani Medspa's Business Associate take after discovering a Security Incident?
Dermani Medspa Franchise · 2025 FDD
Answer from 2025 FDD Document
Business Associate will report to Covered Entity any use or disclosure of PHI not provided for or permitted by this Agreement of which it becomes aware, or any Security Incident of EPHI of which it becomes aware, within five (5) days of the date on which Business Associate first discovers the use, disclosure or Security Incident.
In addition to its other obligations under this Agreement, Business Associate will take prompt action to correct any Security Incident or use or disclosure of PHI not permitted under this Agreement and any action pertaining to such Security Incident or unauthorized use or disclosure as required by applicable federal or state laws and regulations.
Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate need not report all attempted but unsuccessful Security Incidents to Covered Entity, and that this Agreement constitutes notice to Covered Entity that such unsuccessful Security Incidents occur periodically.
Source: Item 23 — RECEIPTS (FDD pages 66–311)
What This Means (2025 FDD)
According to Dermani Medspa's 2025 Franchise Disclosure Document, a Business Associate has specific obligations regarding security incidents. Upon becoming aware of any Security Incident involving Electronic Protected Health Information (EPHI), the Business Associate must report it to the Covered Entity within five days of discovery.
In addition to reporting the incident, the Business Associate is required to take prompt action to correct the Security Incident or any unauthorized use or disclosure of Protected Health Information (PHI) that is not permitted under the agreement. These corrective actions must align with the requirements of applicable federal or state laws and regulations.
However, the document clarifies that the Business Associate does not need to report all attempted but unsuccessful Security Incidents to the Covered Entity, as the agreement itself serves as notification that such incidents occur periodically. Unsuccessful Security Incidents include activities like firewall pings, port scans, unsuccessful log-on attempts, and denials of service, provided they do not result in actual unauthorized access, use, or disclosure of PHI.