42 USC § 17937 - Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities | Title 42 - The Public Health and Welfare | U.S. Code

USCPrelim is a preliminary release and may be subject to further revision before it is released again as a final version.

Current through Pub. L. 112-238. (See Public Laws for the current Congress.)

(a) In general

In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section 17953 (b)(1)(A) of this title, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—

(1) notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and

(2) notify the Federal Trade Commission.

(b) Notification by third party service providers

A third party service provider that provides services to a vendor of personal health records or to an entity described in clause (ii), (iii). ^[1] or (iv) of section 17953 (b)(1)(A) of this title in connection with the offering or maintenance of a personal health record or a related product or service and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services shall, following the discovery of a breach of security of such information, notify such vendor or entity, respectively, of such breach. Such notice shall include the identification of each individual whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.

(c) Application of requirements for timeliness, method, and content of notifications

Subsections (c), (d), (e), and (f) ofsection 17932 of this title shall apply to a notification required under subsection (a) and a vendor of personal health records, an entity described in subsection (a) and a third party service provider described in subsection (b), with respect to a breach of security under subsection (a) of unsecured PHR identifiable health information in such records maintained or offered by such vendor, in a manner specified by the Federal Trade Commission.

(d) Notification of the Secretary

Upon receipt of a notification of a breach of security under subsection (a)(2), the Federal Trade Commission shall notify the Secretary of such breach.

(e) Enforcement

A violation of subsection (a) or (b) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 57a (a)(1)(B) of title 15 regarding unfair or deceptive acts or practices.

(f) Definitions

For purposes of this section:

(1) Breach of security

The term “breach of security” means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.

(2) PHR identifiable health information

The term “PHR identifiable health information” means individually identifiable health information, as defined in section 1320d (6) of this title, and includes, with respect to an individual, information—

(A) that is provided by or on behalf of the individual; and

(B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

(3) Unsecured PHR identifiable health information

(A) In general

Subject to subparagraph (B), the term “unsecured PHR identifiable health information” means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary in the guidance issued under section 17932 (h)(2) of this title.

(B) Exception in case timely guidance not issued

In the case that the Secretary does not issue guidance under section 17932 (h)(2) of this title by the date specified in such section, for purposes of this section, the term “unsecured PHR identifiable health information” shall mean PHR identifiable health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

(g) Regulations; effective date; sunset

(1) Regulations; effective date

To carry out this section, the Federal Trade Commission shall promulgate interim final regulations by not later than the date that is 180 days after February 17, 2009. The provisions of this section shall apply to breaches of security that are discovered on or after the date that is 30 days after the date of publication of such interim final regulations.

(2) Sunset

If Congress enacts new legislation establishing requirements for notification in the case of a breach of security, that apply to entities that are not covered entities or business associates, the provisions of this section shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.

[1] So in original. The period probably should be a comma.

prev | next

(a) In general

In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section 17953 (b)(1)(A) of this title, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—

(1) notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and

(2) notify the Federal Trade Commission.

(b) Notification by third party service providers

A third party service provider that provides services to a vendor of personal health records or to an entity described in clause (ii), (iii). ^[1] or (iv) of section 17953 (b)(1)(A) of this title in connection with the offering or maintenance of a personal health record or a related product or service and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services shall, following the discovery of a breach of security of such information, notify such vendor or entity, respectively, of such breach. Such notice shall include the identification of each individual whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.

(c) Application of requirements for timeliness, method, and content of notifications

Subsections (c), (d), (e), and (f) ofsection 17932 of this title shall apply to a notification required under subsection (a) and a vendor of personal health records, an entity described in subsection (a) and a third party service provider described in subsection (b), with respect to a breach of security under subsection (a) of unsecured PHR identifiable health information in such records maintained or offered by such vendor, in a manner specified by the Federal Trade Commission.

(d) Notification of the Secretary

Upon receipt of a notification of a breach of security under subsection (a)(2), the Federal Trade Commission shall notify the Secretary of such breach.

(e) Enforcement

A violation of subsection (a) or (b) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 57a (a)(1)(B) of title 15 regarding unfair or deceptive acts or practices.

(f) Definitions

For purposes of this section:

(1) Breach of security

The term “breach of security” means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.

(2) PHR identifiable health information

The term “PHR identifiable health information” means individually identifiable health information, as defined in section 1320d (6) of this title, and includes, with respect to an individual, information—

(A) that is provided by or on behalf of the individual; and

(B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

(3) Unsecured PHR identifiable health information

(A) In general

Subject to subparagraph (B), the term “unsecured PHR identifiable health information” means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary in the guidance issued under section 17932 (h)(2) of this title.

(B) Exception in case timely guidance not issued

In the case that the Secretary does not issue guidance under section 17932 (h)(2) of this title by the date specified in such section, for purposes of this section, the term “unsecured PHR identifiable health information” shall mean PHR identifiable health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

(g) Regulations; effective date; sunset

(1) Regulations; effective date

To carry out this section, the Federal Trade Commission shall promulgate interim final regulations by not later than the date that is 180 days after February 17, 2009. The provisions of this section shall apply to breaches of security that are discovered on or after the date that is 30 days after the date of publication of such interim final regulations.

(2) Sunset

If Congress enacts new legislation establishing requirements for notification in the case of a breach of security, that apply to entities that are not covered entities or business associates, the provisions of this section shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.

[1] So in original. The period probably should be a comma.

Source

(Pub. L. 111–5, div. A, title XIII, § 13407,Feb. 17, 2009, 123 Stat. 269.)

The table below lists the classification updates, since Jan. 3, 2012, for this section. Updates to a broader range of sections may be found at the update page for containing chapter, title, etc.

The most recent Classification Table update that we have noticed was Wednesday, February 6, 2013

An empty table indicates that we see no relevant changes listed in the classification tables. If you suspect that our system may be missing something, please double-check with the Office of the Law Revision Counsel.

How To Use

Multiple entries for a section are listed most recent first, within the section.

The Session Year indicates which session of Congress was responsible for the changes classified. The Congress number forms the first part of the Public Law number; each Congress has two sessions.

Abbreviations used in the Description of Change column:

An empty field implies a standard amendment.
"new" means a new section or new note, or all new text of an existing section or note.
"nt" means note.
"nt [tbl]" means note [table].
"prec" means preceding.
"fr" means a transfer from another section.
"to" means a transfer to another section.
"omitted" means the section is omitted.
"repealed" means the section is repealed.
"nt ed change" and "ed change" - See the Editorial Classification Change Table [pdf].

The Public Law field is linked to the development of the law in the Thomas system at the Library of Congress.

The Statutes at Large field is linked to the text of the law, in the context of its volume of the Statutes at Large, at the Government Printing Office. Please note that it takes a while for these pages to get posted, so for very recent legislation, you need to look at the "enrolled" version at the Thomas site.

The Statutes at Large references have been rendered in the format used as page numbers in the Public Law web pages to which we link, to facilitate copy-paste into browser "find on this (web) page" tools. We are still working on a more direct link facility.

For serious comparison work, we suggest copying all or a portion of the Public Law text into your favorite text editor, for convenient content traversal and window control.

Sections with change type "new" are a special case, still under development. All are now listed, at the title level only.

You will find that occassionally a specific update you notice in a Public Law listed in a classification table will already have made it into the Code. We assume this is an artifact of the LRC edit process. The LII does not edit the LRC content.

top

General Reference

Refer to the LRC (Law Revision Council) for explanations about the US Code from the folks who put it all together.

You can look for information about what it is and is not, which titles are positive law, the schedule of Supplements, etc. Under download you can find the source data we use here (GPO locator files), as well as, PDF files that look just like the paper books (these may be rather large).

Refer to the Thomas site for changes that have not yet made it into the classification tables.

42 USC	Description of Change	Session Year	Public Law	Statutes at Large

42 USC § 17937 - Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities

U.S. Code Toolbox

Law about... Articles from Wex

Find a Lawyer

Get Involved