Under the Dermani Medspa agreement, what constitutes a 'Security Incident'?
Dermani Medspa Franchise · 2025 FDD
Answer from 2025 FDD Document
Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate need not report all attempted but unsuccessful Security Incidents to Covered Entity, and that this Agreement constitutes notice to Covered Entity that such unsuccessful Security Incidents occur periodically.
Unsuccessful Security Incidents include, but are not limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as such incidents do not result in actual unauthorized access, use, or disclosure of PHI.
g. Breaches of Unsecured PHI.
Business Associate will report to Covered Entity any Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, Subcontractors or agents.
All notifications of Breach of Unsecured PHI will be made by Business Associate to Covered Entity without unreasonable delay and in no event later than five (5) days of discovery.
Business Associate will use the standard at 45 C.F.R. § 164.410(a) to determine when the Breach is treated as discovered.
All notifications will comply with Business Associate's obligations under, and include the information specified in, 45 C.F.R. § 164.410 and include any other available information that Covered Entity is required to include in its notification to individuals pursuant to 45 C.F.R. § 164.404(c).
In the event of a Breach by Business Associate, Business Associate will cooperate with Covered Entity to notify, (i) individuals whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed, and (ii) the media, as required pursuant to 45 C.F.R. § 164.406, if the legal requirements for media notification are triggered by the circumstances of such Breach.
Source: Item 23 — RECEIPTS (FDD pages 66–311)
What This Means (2025 FDD)
The quoted excerpt from Dermani Medspa's 2025 Franchise Disclosure Document does not itself define 'Security Incident'; it opens with "Notwithstanding the foregoing," so it qualifies a general incident-reporting duty that sits earlier in the Business Associate Agreement and is not reproduced here. What the excerpt does define is the carve-out: "Unsuccessful Security Incidents," which include pings and other broadcast attacks on the Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of these. The Business Associate need not report each of these individually, because the agreement itself serves as standing notice to the Covered Entity that such attempts occur periodically.
The carve-out is conditional. An event counts as unsuccessful only so long as it does not result in actual unauthorized access, use, or disclosure of Protected Health Information (PHI). A port scan or a run of failed log-ons that precedes a successful intrusion is therefore not excused by this clause, and the practical consequence for the Business Associate is that its monitoring must be good enough to tell a failed attempt from a succeeded one; the reporting obligation turns on outcome, not on the type of attack. The focus of the clause is on reporting incidents that actually compromise patient data, not on every probe the firewall absorbs.
Separately, any Breach of Unsecured PHI by the Business Associate (which the answer treats as the franchisee) or any of its officers, directors, employees, Subcontractors or agents must be reported to the Covered Entity without unreasonable delay and in no event later than five days after discovery. That five-day deadline is far shorter than the 60-calendar-day outer limit that 45 C.F.R. § 164.410(b) sets for a Business Associate's notice to a Covered Entity, so the contract, not the regulation, drives the clock. Discovery is determined under 45 C.F.R. § 164.410(a): a Breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any employee, officer or other agent of the Business Associate other than the person who committed the Breach. The Business Associate must also supply the information required by § 164.410 and whatever else the Covered Entity needs for its individual notices under § 164.404(c), and must cooperate with the Covered Entity in notifying affected individuals and, where the circumstances of the Breach trigger the media-notice requirements of 45 C.F.R. § 164.406, the media.