§ 17931. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions
(a) Application of security provisions
(b) Application of civil and criminal penalties
(c) Annual guidance
(Pub. L. 111–5, div. A, title XIII, § 13401, Feb. 17, 2009, 123 Stat. 260.)
§ 17932. Notification in the case of breach
(a) In general
(b) Notification of covered entity by business associate
(c) Breaches treated as discovered
(d) Timeliness of notification
(1) In general
(2) Burden of proof
(e) Methods of notice
(1) Individual notice
Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:
(A) Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
(B) In the case in which there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written (or, if specified by the individual under subparagraph (A), electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.
(C) In any case deemed by the covered entity involved to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity, in addition to notice provided under subparagraph (A), may provide information to individuals by telephone or other means, as appropriate.
(2) Media notice
(3) Notice to Secretary
(4) Posting on HHS public website
(f) Content of notification
Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:
(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
(3) The steps individuals should take to protect themselves from potential harm resulting from the breach.
(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
(g) Delay of notification authorized for law enforcement purposes
(h) Unsecured protected health information
(1) Definition
(A) In general
(B) Exception in case timely guidance not issued
(2) Guidance
(i) Report to Congress on breaches
(1) In general
(2) Information
The information described in this paragraph regarding breaches specified in paragraph (1) shall include—
(A) the number and nature of such breaches; and
(B) actions taken in response to such breaches.
(j) Regulations; effective date
(Pub. L. 111–5, div. A, title XIII, § 13402, Feb. 17, 2009, 123 Stat. 260.)
§ 17933. Education on health information privacy
(a) Regional office privacy advisors
(b) Education initiative on uses of health information
(Pub. L. 111–5, div. A, title XIII, § 13403, Feb. 17, 2009, 123 Stat. 263.)
§ 17934. Application of privacy provisions and penalties to business associates of covered entities
(a) Application of contract requirements
(b) Application of knowledge elements associated with contracts
(c) Application of civil and criminal penalties
(Pub. L. 111–5, div. A, title XIII, § 13404, Feb. 17, 2009, 123 Stat. 264.)
§ 17935. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format
(a) Requested restrictions on certain disclosures of health information
In the case that an individual requests under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal Regulations, that a covered entity restrict the disclosure of the protected health information of the individual, notwithstanding paragraph (a)(1)(ii) of such section, the covered entity must comply with the requested restriction if—
(1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and
(2) the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
(b) Disclosures required to be limited to the limited data set or the minimum necessary
(1) In general
(A) In general
(B) Guidance
(C) Sunset
(2) Determination of minimum necessary
(3) Application of exceptions
(4) Rule of construction
(c) Accounting of certain protected health information disclosures required if covered entity uses electronic health record
(1) In general
In applying section 164.528 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information—
(A) the exception under paragraph (a)(1)(i) of such section shall not apply to disclosures through an electronic health record made by such entity of such information; and
(B) an individual shall have a right to receive an accounting of disclosures described in such paragraph of such information made by such covered entity during only the three years prior to the date on which the accounting is requested.
(2) Regulations
(3) Process
In response to an [So in original. Probably should be “a”.] request from an individual for an accounting, a covered entity shall elect to provide either an—
(A) accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity; or
(B) accounting, as specified under paragraph (1), for disclosures that are made by such covered entity and provide a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address).
A business associate included on a list under subparagraph (B) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.
(4) Effective date
(A) Current users of electronic records
(B) Others
In the case of a covered entity insofar as it acquires an electronic health record after January 1, 2009, paragraph (1) shall apply to disclosures, with respect to protected health information, made by the covered entity from such record on and after the later of the following:
(i) January 1, 2011; or
(ii) the date that it acquires an electronic health record.
(C) Later date
The Secretary may set an effective date that is later that [So in original. Probably should be “than”.] the date specified under subparagraph (A) or (B) if the Secretary determines that such later date is necessary, but in no case may the date specified under—
(i) subparagraph (A) be later than 2016; or
(ii) subparagraph (B) be later than 2013.
(d) Prohibition on sale of electronic health records or protected health information
(1) In general
(2) Exceptions
Paragraph (1) shall not apply in the following cases:
(A) The purpose of the exchange is for public health activities (as described in section 164.512(b) of title 45, Code of Federal Regulations).
(B) The purpose of the exchange is for research (as described in sections 164.501 and 164.512(i) of title 45, Code of Federal Regulations) and the price charged reflects the costs of preparation and transmittal of the data for such purpose.
(C) The purpose of the exchange is for the treatment of the individual, subject to any regulation that the Secretary may promulgate to prevent protected health information from inappropriate access, use, or disclosure.
(D) The purpose of the exchange is the health care operation specifically described in subparagraph (iv) of paragraph (6) of the definition of healthcare operations in section 164.501 of title 45, Code of Federal Regulations.
(E) The purpose of the exchange is for remuneration that is provided by a covered entity to a business associate for activities involving the exchange of protected health information that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement.
(F) The purpose of the exchange is to provide an individual with a copy of the individual’s protected health information pursuant to section 164.524 of title 45, Code of Federal Regulations.
(G) The purpose of the exchange is otherwise determined by the Secretary in regulations to be similarly necessary and appropriate as the exceptions provided in subparagraphs (A) through (F).
(3) Regulations
Not later than 18 months after February 17, 2009, the Secretary shall promulgate regulations to carry out this subsection. In promulgating such regulations, the Secretary—
(A) shall evaluate the impact of restricting the exception described in paragraph (2)(A) to require that the price charged for the purposes described in such paragraph reflects the costs of the preparation and transmittal of the data for such purpose, on research or public health activities, including those conducted by or for the use of the Food and Drug Administration; and
(B) may further restrict the exception described in paragraph (2)(A) to require that the price charged for the purposes described in such paragraph reflects the costs of the preparation and transmittal of the data for such purpose, if the Secretary finds that such further restriction will not impede such research or public health activities.
(4) Effective date
(e) Access to certain information in electronic format
In applying section 164.524 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual—
(1) the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific;
(2) if the individual makes a request to a business associate for access to, or a copy of, protected health information about the individual, or if an individual makes a request to a business associate to grant such access to, or transmit such copy directly to, a person or entity designated by the individual, a business associate may provide the individual with such access or copy, which may be in an electronic form, or grant or transmit such access or copy to such person or entity designated by the individual; and
(3) notwithstanding paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such individual with a copy of such information (or a summary or explanation of such information) if such copy (or summary or explanation) is in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy (or summary or explanation).
(Pub. L. 111–5, div. A, title XIII, § 13405, Feb. 17, 2009, 123 Stat. 264; Pub. L. 114–255, div. A, title IV, § 4006(b), Dec. 13, 2016, 130 Stat. 1183.)
§ 17936. Conditions on certain contacts as part of health care operations
(a) Marketing
(1) In general
(2) Payment for certain communications
A communication by a covered entity or business associate that is described in subparagraph (i), (ii), or (iii) of paragraph (1) of the definition of marketing in section 164.501 of title 45, Code of Federal Regulations, shall not be considered a health care operation for purposes of subpart E of part 164 of title 45, Code of Federal Regulations if the covered entity receives or has received direct or indirect payment in exchange for making such communication, except where—
(A)
(i) such communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication; and
(ii) any payment received by such covered entity in exchange for making a communication described in clause (i) is reasonable in amount;
(B) each of the following conditions apply—
(i) the communication is made by the covered entity; and
(ii) the covered entity making such communication obtains from the recipient of the communication, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization (as described in paragraph (b) of such section) with respect to such communication; or
(C) each of the following conditions apply—
(i) the communication is made by a business associate on behalf of the covered entity; and
(ii) the communication is consistent with the written contract (or other written arrangement described in section 164.502(e)(2) of such title) between such business associate and covered entity.
(3) Reasonable in amount defined
(4) Direct or indirect payment
(b) Opportunity to opt out of fundraising
(c) Effective date
(Pub. L. 111–5, div. A, title XIII, § 13406, Feb. 17, 2009, 123 Stat. 268.)
§ 17937. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities
(a) In general
In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section 17953(b)(1)(A) of this title, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—
(1) notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and
(2) notify the Federal Trade Commission.
(b) Notification by third party service providers
(c) Application of requirements for timeliness, method, and span of notifications
(d) Notification of the Secretary
(e) Enforcement
(f) Definitions
For purposes of this section:
(1) Breach of security
(2) PHR identifiable health information
The term “PHR identifiable health information” means individually identifiable health information, as defined in section 1320d(6) of this title, and includes, with respect to an individual, information—
(A) that is provided by or on behalf of the individual; and
(B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
(3) Unsecured PHR identifiable health information
(A) In general
(B) Exception in case timely guidance not issued
(g) Regulations; effective date; sunset
(1) Regulations; effective date
(2) Sunset
(Pub. L. 111–5, div. A, title XIII, § 13407, Feb. 17, 2009, 123 Stat. 269.)
§ 17938. Business associate contracts required for certain entities

Each organization, with respect to a covered entity, that provides data transmission of protected health information to such entity (or its business associate) and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is re

(Pub. L. 111–5, div. A, title XIII, § 13408, Feb. 17, 2009, 123 Stat. 271.)
§ 17939. Improved enforcement
(a) In general
(1) Omitted
(2) Enforcement under Social Security Act
(b) Effective date; regulations
(1) The amendments made by subsection (a) shall apply to penalties imposed on or after the date that is 24 months after February 17, 2009.
(2) Not later than 18 months after February 17, 2009, the Secretary of Health and Human Services shall promulgate regulations to implement such amendments.
(c) Distribution of certain civil monetary penalties collected
(1) In general
(2) GAO report
(3) Establishment of methodology to distribute percentage of CMPS collected to harmed individuals
(4) Application of methodology
(d) Tiered increase in amount of civil monetary penalties
(1) to (3) Omitted
(4) Effective date
(e) Enforcement through State attorneys general
(1), (2) Omitted
(3) Effective date
(Pub. L. 111–5, div. A, title XIII, § 13410, Feb. 17, 2009, 123 Stat. 271.)
§ 17940. Audits

The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subchapter and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of February 17, 2009, comply with such requirements.

(Pub. L. 111–5, div. A, title XIII, § 13411, Feb. 17, 2009, 123 Stat. 276.)
§ 17941. Recognition of security practices
(a) In general
Consistent with the authority of the Secretary under sections 1320d–5 and 1320d–6 of this title, when making determinations relating to fines under such section 1320d–5 (as amended by section 13410 of Pub. L. 111–5) or such section 1320d–6, decreasing the length and extent of an audit under section 17940 of this title, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—
(1) mitigate fines under section 1320d–5 of this title (as amended by section 13410 of Pub. L. 111–5);
(2) result in the early, favorable termination of an audit under section 17940 of this title; and
(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.
(b) Definition and miscellaneous provisions
(1) Recognized security practices
(2) Limitation
(3) No liability for nonparticipation
(4) Rule of construction
(Pub. L. 111–5, div. A, title XIII, § 13412, as added Pub. L. 116–321, § 1, Jan. 5, 2021, 134 Stat. 5072.)