§ 17953. Studies, reports, guidance
(a) Report on compliance
(1) In general
For the first year beginning after February 17, 2009, and annually thereafter, the Secretary shall prepare and submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report concerning complaints of alleged violations of law, including the provisions of this subchapter as well as the provisions of subparts C and E of part 164 of title 45, Code of Federal Regulations, (as such provisions are in effect as of February 17, 2009) relating to privacy and security of health information that are received by the Secretary during the year for which the report is being prepared. Each such report shall include, with respect to such complaints received during the year—
(A) the number of such complaints;
(B) the number of such complaints resolved informally, a summary of the types of such complaints so resolved, and the number of covered entities that received technical assistance from the Secretary during such year in order to achieve compliance with such provisions and the types of such technical assistance provided;
(C) the number of such complaints that have resulted in the imposition of civil monetary penalties or have been resolved through monetary settlements, including the nature of the complaints involved and the amount paid in each penalty or settlement;
(D) the number of compliance reviews conducted and the outcome of each such review;
(E) the number of subpoenas or inquiries issued;
(F) the Secretary’s plan for improving compliance with and enforcement of such provisions for the following year; and
(G) the number of audits performed and a summary of audit findings pursuant to section 17940 of this title.
(2) Availability to public
(b) Study and report on application of privacy and security requirements to non-HIPAA covered entities
(1) Study
Not later than one year after February 17, 2009
(A) requirements relating to security, privacy, and notification in the case of a breach of security or privacy (including the applicability of an exemption to notification in the case of individually identifiable health information that has been rendered unusable, unreadable, or indecipherable through technologies or methodologies recognized by appropriate professional organization or standard setting bodies to provide effective security for the information) that should be applied to—
(i) vendors of personal health records;
(ii) entities that offer products or services through the website of a vendor of personal health records;
(iii) entities that are not covered entities and that offer products or services through the websites of covered entities that offer individuals personal health records;
(iv) entities that are not covered entities and that access information in a personal health record or send information to a personal health record; and
(v) third party service providers used by a vendor or entity described in clause (i), (ii), (iii), or (iv) to assist in providing personal health record products or services;
(B) a determination of which Federal government agency is best equipped to enforce such requirements recommended to be applied to such vendors, entities, and service providers under subparagraph (A); and
(C) a timeframe for implementing regulations based on such findings.
(2) Report
(c) Guidance on implementation specification to de-identify protected health information
(d) GAO report on treatment disclosures
(e) Report required
(f) Study
(Pub. L. 111–5, div. A, title XIII, § 13424, Feb. 17, 2009, 123 Stat. 276.)