123STA T . 2 60PUBLIC LA W 111 –5—FE B.1 7, 200 9PART1—IM PR OVED PRIVA CY PROVI S IO N S AND SEC U RITY PROVISIONS SEC.1340 1. AP P LI CA T I ON O F SEC UR IT Y PRO V ISIONS AN D PENALTIES TO B USINESS ASSOCIATES OF COVERED ENTITIES
ANNUAL G UIDANCE ON SECURITY PROVISIONS. (a)AP P LICAT I ON O FSE C UR IT YP RO V I S IONS .— S ections164 . 308, 164.310, 164.31 2 ,an d 164.316 o f tit l e4 5 , C ode of F ede r al R e gu la - tions, s h all a p pl y toa b usiness associate of a co v ered entity in the sa m e manner that such sections apply to the covered entity. T he additional re q uirements of this title that relate to security and that are made applicable w ith respect to covered entities shall also be applicable to such a business associate and shall be incor- porated into the business associate agreement between the business associate and the covered entity. (b) APPLICATION OF CIVIL AN D CRI M INAL PENALTIES.— I n the case of a business associate that violates any security provision specified in subsection (a), sections 11 7 6 and 1177 of the Social Security Act (42 U .S.C. 1320d – 5, 1320d–6) shall apply to the busi- ness associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision. (c) ANNUAL G UIDANCE.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of H ealth and Human Services shall, after consultation with sta k eholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, including the use of standards developed under section 3002(b)(2)( B )(vi) of the Public Health Service Act, as added by section 13101 of this Act, as such provisions are in effect as of the date before the enactment of this Act. SEC. 1340 2 . NOTIFICATION IN T H E CASE OF BREACH. (a) IN GENERAL.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach. (b) N OTIFICATION OF COVERED E NTITY B Y BUSINESS ASSO- CIATE.—A business associate of a covered entity that accesses, main- tains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach. (c) BREAC H ES TREATED AS D ISCOVERED.—For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any 42USC1793 2 . 42 USC 17931.
