U.S. Code
- Title 1 General Provisions
- Title 2 The Congress
- Title 3 The President
- Title 4 Flag and Seal, Seat Of Government,and the States
- Title 5 Government Organization and Employees
- Appendix to Title 5
- Title 6 Domestic Security
- Title 7 Agriculture
- Title 8 Aliens and Nationality
- Title 9 Arbitration
- Title 10 Armed Forces
- Appendix to Title 10 (Rules of Court of Appeals for the Armed Forces)
- Title 11 Bankruptcy
- Appendix to Title 11
- Title 12 Banks and Banking
- Title 13 Census
- Title 14 Coast Guard
- Title 15 Commerce and Trade
- Title 16 Conservation
- Title 17 Copyrights
- Title 18 Crimes and Criminal Procedure
- Appendix to Title 18
- Title 19 Customs Duties
- Title 20 Education
- Title 21 Food and Drugs
- Title 22 Foreign Relations and Intercourse
- Title 23 Highways
- Title 24 Hospitals and Asylums
- Title 25 Indians
- Title 26 Internal Revenue Code
- Appendix to Title 26
- Title 27 Intoxicating Liquors
- Title 28 Judiciary and Judicial Procedure
- Appendix to Title 28
- Title 29 Labor
- Title 30 Mineral Lands and Mining
- Title 31 Money and Finance
- Title 32 National Guard
- Title 33 Navigation and Navigable Waters
- Title 34 Navy (repealed)
- Title 35 Patents
- Title 36 Patriotic Societies and Observances
- Title 37 Pay and Allowances Of the Uniformed Services
- Title 38 Veterans' Benefits
- Appendix to Title 38 (Rules of Court of Appeals for Veterans Claims()
- Title 39 Postal Service
- Title 40 Public Buildings, Property, and Works
- Title 41 Public Contracts
- Title 42 The Public Health and Welfare
- Title 43 Public Lands
- Title 44 Public Printing and Documents
- Title 45 Railroads
- Title 46 Shipping
- Appendix to Title 46
- Title 47 Telegraphs, Telephones, and Radiotelegraphs
- Title 48 Territories and Insular Possessions
- Title 49 Transportation
- Title 50 War and National Defense
- Appendix to Title 50
§ 17937. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities
(a)
In general
In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section
17953
(b)(1)(A) of this title, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—
(b)
Notification by third party service providers
A third party service provider that provides services to a vendor of personal health records or to an entity described in clause (ii), (iii).[1] or (iv) of section
17953
(b)(1)(A) of this title in connection with the offering or maintenance of a personal health record or a related product or service and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services shall, following the discovery of a breach of security of such information, notify such vendor or entity, respectively, of such breach. Such notice shall include the identification of each individual whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.
(c)
Application of requirements for timeliness, method, and content of notifications
Subsections (c), (d), (e), and (f) of section
17932 of this title shall apply to a notification required under subsection (a) and a vendor of personal health records, an entity described in subsection (a) and a third party service provider described in subsection (b), with respect to a breach of security under subsection (a) of unsecured PHR identifiable health information in such records maintained or offered by such vendor, in a manner specified by the Federal Trade Commission.
(d)
Notification of the Secretary
Upon receipt of a notification of a breach of security under subsection (a)(2), the Federal Trade Commission shall notify the Secretary of such breach.
(f)
Definitions
For purposes of this section:
(1)
Breach of security
The term “breach of security” means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.
(2)
PHR identifiable health information
(3)
Unsecured PHR identifiable health information
(B)
Exception in case timely guidance not issued
In the case that the Secretary does not issue guidance under section
17932
(h)(2) of this title by the date specified in such section, for purposes of this section, the term “unsecured PHR identifiable health information” shall mean PHR identifiable health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
(g)
Regulations; effective date; sunset
(1)
Regulations; effective date
To carry out this section, the Federal Trade Commission shall promulgate interim final regulations by not later than the date that is 180 days after February 17, 2009. The provisions of this section shall apply to breaches of security that are discovered on or after the date that is 30 days after the date of publication of such interim final regulations.
(2)
Sunset
If Congress enacts new legislation establishing requirements for notification in the case of a breach of security, that apply to entities that are not covered entities or business associates, the provisions of this section shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.
[1] So in original. The period probably should be a comma.
Tips