16 CFR § 318.1 - Purpose and scope.
(a) This part, which shall be called the “Health Breach Notification Rule,” implements section 13407 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17937. This part applies to foreign and domestic vendors of personal health records, PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents. This part does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.
(b) This part preempts State law as set forth in section 13421 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C 17951.