123STA T . 2 6 3 PUBLIC LA W 111 –5—FE B.1 7, 2 0 0 9unread a bl e ,o r i nde c i ph erable t o unauthori z ed indi v idual s and is developed or endorsed b y a standards developin g organization that is accredited by the Am erican N ational S tandards I nstitute .(2)GUIDANCE . —F or purposes o f paragraph ( 1 ) and section 1 3407 (f)(3), not later than the date that is 6 0 days after the date of the enactment of this Act, the Secretary shall, after consultation w ith sta k eholders, issue (and annually update) guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under section 3002(b)(2)( B )(vi) of the P ublic H ealth Service Act, as added by section 13101 of this Act. (i) R E PORT TO C ON G RE S S ON BREAC H ES.— (1) IN GENERA L .—Not later than 12 months after the date of the enactment of this Act and annually thereafter, the Sec - retary shall prepare and submit to the Committee on Finance and the Committee on Health, E ducation, L abor, and Pensions of the Senate and the Committee on W ays and M eans and the Committee on Energy and Commerce of the House of Rep- resentatives a report containing the information described in paragraph (2) regarding breaches for which notice was provided to the Secretary under subsection (e)(3). (2) IN F OR M ATION.— T he information described in this para- graph regarding breaches specified in paragraph (1) shall include— (A) the number and nature of such breaches
and (B) actions taken in response to such breaches. ( j ) REGULATIONS; EFFECTI V E D ATE.—To carry out this section, the Secretary of Health and Human Services shall promulgate interim final regulations by not later than the date that is 1 8 0 days after the date of the enactment of this title. The provisions of this section shall apply to breaches that are discovered on or after the date that is 30 days after the date of publication of such interim final regulations. SEC.1340 3.E DU C ATION ON H EA L TH IN F O RM ATION P RI V AC Y . (a) REGIONAL O FFICE PRIVAC Y ADVISORS.—Not later than 6 months after the date of the enactment of this Act, the Secretary shall designate an individual in each regional office of the Depart- ment of Health and Human Services to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security re q uirements for protected health information. (b) EDUCATION INITIATIVE ON U SES OF HEALTH INFORMATION.— Not later than 12 months after the date of the enactment of this Act, the Office for Civil Rights within the Department of Health and Human Services shall develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of protected health information, including pro- grams to educate individuals about the potential uses of their protected health information, the effects of such uses, and the rights of individuals with respect to such uses. Such programs shall be conducted in a variety of languages and present information in a clear and understandable manner. Deadlin e . Deadline. De s i g na t i o n. 42USC1793 3. Ap pli c a b ilit y . Deadlines.
