Page:United States Statutes at Large Volume 123.djvu/289


123 STAT. 269 PUBLIC LAW 111–5—FEB. 17, 2009

(i) the communication is made by a business associate on behalf of the covered entity and (ii) the communication is consistent with the written contract (or other written arrangement described in section 164.502(e)(2) of such title) between such business associate and covered entity.

(3) REASONABLE IN AMOUNT DEFINED.—For purposes of paragraph (2), the term ‘‘reasonable in amount’’ shall have the meaning given such term by the Secretary by regulation.

(4) DIRECT OR INDIRECT PAYMENT.—For purposes of paragraph (2), the term ‘‘direct or indirect payment’’ shall not include any payment for treatment (as defined in section 164.501 of title 45, Code of Federal Regulations) of an individual.

(b) OPPORTUNITY TO OPT OUT OF FUNDRAISING.—The Secretary shall by rule provide that any written fundraising communication that is a healthcare operation as defined under section 164.501 of title 45, Code of Federal Regulations, shall, in a clear and conspicuous manner, provide an opportunity for the recipient of the communications to elect not to receive any further such communication. When an individual elects not to receive any further such communication, such election shall be treated as a revocation of authorization under section 164.508 of title 45, Code of Federal Regulations.

(c) EFFECTIVE DATE.—This section shall apply to written communications occurring on or after the effective date specified under section 13423.

SEC. 13407. TEMPORARY BREACH NOTIFICATION REQUIREMENT FOR VENDORS OF PERSONAL HEALTH RECORDS AND OTHER NON-HIPAA COVERED ENTITIES.

[Margin note: 42 USC 17937.]

(a) IN GENERAL.—In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section 13424(b)(1)(A), following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—

(1) notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and

(2) notify the Federal Trade Commission.

(b) NOTIFICATION BY THIRD PARTY SERVICE PROVIDERS.—A third party service provider that provides services to a vendor of personal health records or to an entity described in clause (ii), (iii), or (iv) of section 13424(b)(1)(A) in connection with the offering or maintenance of a personal health record or a related product or service and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services shall, following the discovery of a breach of security of such information, notify such vendor or entity, respectively, of such breach. Such notice shall include the identification of each individual whose unsecured PHR identifiable health information

[Margin note: Regulations.]