123 STAT. 260 PUBLIC LAW 111–5—FEB. 17, 2009
PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS
SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS.
(a) APPLICATION OF SECURITY PROVISIONS.—Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.
(c) ANNUAL GUIDANCE.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of Health and Human Services shall, after consultation with stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, including the use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 13101 of this Act, as such provisions are in effect as of the date before the enactment of this Act.
SEC. 13402. NOTIFICATION IN THE CASE OF BREACH.
(a) IN GENERAL.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.
(b) NOTIFICATION OF COVERED ENTITY BY BUSINESS ASSOCIATE.—A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.
(c) BREACHES TREATED AS DISCOVERED.—For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any
[Margin notes: sec. 13401, 42 USC 17931; sec. 13402, 42 USC 17932.]