View all text of Part A [§ 17931 - § 17941]
§ 17937. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities
(a) In general
In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section 17953(b)(1)(A) of this title, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—
(1) notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and
(2) notify the Federal Trade Commission.
(b) Notification by third party service providers
(c) Application of requirements for timeliness, method, and span of notifications
(d) Notification of the Secretary
(e) Enforcement
(f) Definitions
For purposes of this section:
(1) Breach of security
(2) PHR identifiable health information
The term “PHR identifiable health information” means individually identifiable health information, as defined in section 1320d(6) of this title, and includes, with respect to an individual, information—
(A) that is provided by or on behalf of the individual; and
(B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
(3) Unsecured PHR identifiable health information
(A) In general
(B) Exception in case timely guidance not issued
(g) Regulations; effective date; sunset
(1) Regulations; effective date
(2) Sunset
(Pub. L. 111–5, div. A, title XIII, § 13407, Feb. 17, 2009, 123 Stat. 269.)