If a Healthsource Chiropractic Business Associate has access to PHI, what requirements must they comply with?
Healthsource Chiropractic Franchise · 2025 FDD
Answer from 2025 FDD Document
e meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
- (a) Business Associate. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean HealthSource Chiropractic, LLC.
- (b) Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the undersigned franchisee.
Statement of Agreement
- HIPAA Compliance and Agents: Business Associate hereby agrees to fully comply with the "Business Associate" requirements under HIPAA, throughout the term of this Agreement. Further, Business Associate agrees that to the extent it has access to PHI, Business Associate will fully comply with the requirements of HIPAA and this Agreement with respect to such PHI; and, further, that every agent, employee, subsidiary, subcontractor, vendor and affiliate of Business Associate to who it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity, will be required to fully comply with HIPAA, and will be bound by written agreement to the same restrictions and terms and conditions as set forth in the Agreement. To the extent Business Associate is to carry out one or more of Covered Entity's obligations under the Security and Privacy provisions of HIPAA, Business Associate will comply with such requirements that apply to Covered Entity in the performance of such obligation(s).
- Use and Disclosure Rights: Business Associate agrees that it shall not use or disclose PHI except as permitted under this Agreement or as required by law. Business Associate acknowledges that this Agreement does not in any manner grant Business Associate any greater rights than Covered Entity enjoys, nor shall it be deemed to permit or authorize Business Associate to use or further disclose PHI in a manner that would otherwise violate the requirements of HIPAA if done by Covered Entity. Business Associate shall comply with HIPAA and its applicable regulations as it pertains to marketing, fundraising and/or the sale of PHI. Business Associate shall not disclose PHI to a health plan for payment or health care operations purposes if the patient has requested this special restriction and has paid out of pocket in full for the health care item or service to which the PHI solely relates. Business Associate shall not directly or indirectly receive payment or other consideration in exchange for PHI, except as permitted under HIPAA; however, this prohibition shall not affect payment from Covered Entity to Business Associate for services provided by Business Associate.
- Required or Permitted Uses: Business Associate shall not and Covered Entity shall not request Business Associate to - use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except for any specific uses or disclosures set forth below. Business Associate may only use or disclose PHI incidental to the performance of its services required under the Franchise Agreement with Covered Entity. Business Associate agrees that it is permitted to use or disclose PHI only as follows: (a) upon obtaining the authorization of the patient to whom such information pertains in accordance with 45 C.F.R. 164.502 (a)(1)(iv) and 164.508, (b) upon obtaining the consent of a patient to whom such information pertains, if the use or disclosure is for purposes of treatment, payment, or health care operations, (c) without an authorization or consent, if in accordance with 45 C.F.R. 164.506, 164.510, 164.512, 164.514(e), 164.514(f), 164.514(g), (d) Business Associate may use PHI for data aggregation services relating to the health care operations of Covered Entity, (e) Business Associate is authorized to use PHI to de-identify the PHI, (f) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, (g) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided (1) the disclosures are required by law, or (2) Business Associate obtains reasonable assurances from the person or entity to whom the PHI is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purposes for which it was disclosed the such person or entity, and the person notified Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached, and (h) as otherwise permitted or required by agreement or law.
- Subcontractors.
Source: Item 23 — Receipts (FDD pages 77–282)
What This Means (2025 FDD)
According to Healthsource Chiropractic's 2025 Franchise Disclosure Document, a Business Associate who has access to Protected Health Information (PHI) must comply with several HIPAA requirements. The Business Associate must fully comply with HIPAA requirements throughout the agreement's term. They must also ensure that any agent, employee, or subcontractor who receives PHI also complies with HIPAA and is bound by a written agreement with the same restrictions and conditions. If the Business Associate carries out obligations under HIPAA's Security and Privacy provisions that would normally fall to the Covered Entity (the franchisee), the Business Associate must meet all requirements that would apply to the Covered Entity in performing those obligations. The agreement also states that the Business Associate cannot use or disclose PHI except as permitted under the agreement or as required by law.
Healthsource Chiropractic's Business Associate must develop and use appropriate administrative, procedural, physical, and electronic safeguards as required by HIPAA to prevent misuse or disclosure of PHI. They must also notify the Covered Entity of the location of any PHI disclosed by the Covered Entity or created by the Business Associate. The Business Associate must also make reasonable efforts to limit any use, disclosure, or request for use or disclosure to the minimum amount necessary to accomplish the intended purpose, in accordance with HIPAA requirements. The Business Associate is required to maintain records of PHI received and document subsequent uses and disclosures of such information. The Covered Entity has the right to examine and copy these records during normal business hours.
Furthermore, the Business Associate must make PHI available to the Covered Entity for amendment and incorporate any amendments to PHI accordingly. If the Business Associate receives a request for amendment to PHI directly from an individual patient, they must forward the request to the Covered Entity within ten business days. The Covered Entity has the sole responsibility for determining whether to approve an amendment to PHI. The Business Associate must also comply with HIPAA regulations pertaining to marketing, fundraising, and the sale of PHI. They cannot disclose PHI to a health plan for payment or healthcare operations purposes if the patient has requested this restriction and paid out-of-pocket for the service. The Business Associate also cannot receive payment in exchange for PHI, except for payments from the Covered Entity for services provided by the Business Associate.
These stipulations are included in the agreement to ensure compliance with HIPAA regulations and to protect patient information. Healthsource Chiropractic franchisees should understand these requirements and ensure that they and their business associates adhere to them to avoid penalties and maintain patient trust. The agreement can be terminated immediately if either party fails to comply with HIPAA requirements concerning PHI.