What provisions of HIPAA must the Healthsource Chiropractic Business Associate comply with regarding electronic PHI?
Healthsource_Chiropractic Franchise · 2025 FDDAnswer from 2025 FDD Document
dentiality of the PHI has been breached, and (h) as otherwise permitted or required by agreement or law.
-
- Subcontractors. If applicable, Business Associate will ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI or electronic PHI on behalf of Business Associate will agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. As necessary, Business Associate will enter into a business associate agreement that is in compliance with the requirements of HIPAA with any and all subcontractors of Business Associate in order to disclose PHI to such subcontractor. For purposes hereof, HealthCore Technology, LLC and HS Worx are subcontractors of Covered Entity, not Business Associate.
-
- Safeguards; Location: Business Associate agrees to (1) develop and use appropriate administrative, procedural, physical, and electronic safeguards in accordance with and as required by HIPPA, as may be amended, and (2) comply with the Security and Privacy provisions of HIPAA with respect to electronic PHI, to prevent misuse or disclosure of PHI (including unsecured PHI) other than as
provided by this Agreement. Business Associate agrees to notify Covered Entity of the location of any PHI disclosed by Covered Entity or created by Business Associate on behalf of Covered Entity and held by or under the control of Business Associate or those to whom Business Associate has disclosed such PHI. Business Associate will only disclose PHI to a subcontractor if it receives satisfactory assurances from the subcontractor in accordance with applicable law that the subcontractor will appropriately safeguard the PHI.
-
- Minimum Necessary: Covered Entity and Business Associate must make reasonable efforts to limit any use, disclosure, or request for use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with the requirements of HIPAA. Covered Entity may, pursuant to HIPAA, reasonably rely on any requested disclosure as the minimum necessary for the stated purpose when the information is requested by Business Associate.
Source: Item 23 — Receipts (FDD pages 77–282)
What This Means (2025 FDD)
According to the 2025 Healthsource Chiropractic FDD, the Business Associate, HealthSource Chiropractic, LLC, must comply with the Security and Privacy provisions of HIPAA regarding electronic Protected Health Information (PHI). This includes developing and using appropriate administrative, procedural, physical, and electronic safeguards as required by HIPAA to prevent misuse or unauthorized disclosure of PHI. The Business Associate must also notify the Covered Entity (the franchisee) of the location of any PHI disclosed by the Covered Entity or created by the Business Associate.
Healthsource Chiropractic, LLC must ensure that any subcontractors or agents that handle PHI agree to the same restrictions and conditions as the Business Associate. They must enter into a business associate agreement compliant with HIPAA requirements with any subcontractors to whom PHI is disclosed. The agreement specifies that Healthsource Chiropractic, LLC must fully comply with HIPAA's "Business Associate" requirements throughout the agreement's term and ensure that any party they provide PHI to also complies with HIPAA.
Furthermore, Healthsource Chiropractic, LLC must not use or disclose PHI in a manner that would violate HIPAA if done by the Covered Entity, and they must comply with HIPAA regulations regarding marketing, fundraising, and the sale of PHI. They cannot disclose PHI to a health plan for payment or healthcare operations if the patient has requested a special restriction and paid out-of-pocket for the service. The Business Associate must also make available to the Secretary of the Department of Health and Human Services (DHHS) its internal practices, books, and records relating to the use and disclosure of PHI for compliance determination.