123STA T . 2 70PUBLIC LA W 111 –5—FE B. 17 , 200 9hasbe e n,ori s reasonab ly belie v e dt o have been, a c cessed, ac qu ired, or disclosed durin g such breach .( c )AP P LICAT I ON O FREQU I R E M ENT S FOR T IMELINESS, M ET H O D , AND C ONTENT OF N OTIFICATIONS. —S ubsections (c), (d), (e), and ( f ) of section 13402 shall a p ply to a notification required under sub - section (a) and a vendor of personal health records, an entity described in subsection (a) and a third party service provider described in subsection (b), w ith respect to a breach of security under subsection (a) of unsecured PH R identifiable health infor m a- tion in such records maintained or offered by such vendor, in a manner specified by the F ederal Trade Commission. (d) NOTIFICATION OF THE SECRETAR Y .— U pon receipt of a notification of a breach of security under subsection (a)(2), the Federal Trade Commission shall notify the Secretary of such breach. (e) E NFORCEMENT.—A violation of subsection (a) or (b) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 1 8 (a)(1)( B ) of the Federal Trade Commission Act (1 5 U.S.C. 5 7a (a)(1)(B)) regarding unfair or decep- tive acts or practices. (f) D EFINITIONS.—For purposes of this section
(1) BREACH OF SECURITY.—The term ‘ ‘breach of security ’ ’ means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authori z ation of the individual. (2) PHR IDENTIFIA B LE HEALTH INFORMATION.—The term ‘‘PHR identifiable health information’’ means individually identifiable health information, as defined in section 1171( 6 ) of the Social Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an individual, information— (A) that is provided by or on behalf of the individual
and (B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. (3) UNSECURED PHR IDENTIFIABLE HEALTH INFORMATION.— (A) I N G ENERAL.—Sub j ect to subparagraph (B), the term ‘‘unsecured PHR identifiable health information’’ means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2). (B) E X CEPTION IN CASE TIMELY GUIDANCE NOT ISSUED.— In the case that the Secretary does not issue guidance under section 13402(h)(2) by the date specified in such section, for purposes of this section, the term ‘‘unsecured PHR identifiable health information’’ shall mean PHR identifiable health information that is not secured by a technology standard that renders protected health informa- tion unusable, unreadable, or indecipherable to unauthor- ized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute. (g) REGULATIONS; EFFECTI V E DATE; SUNSET.— (1) REGULATIONS; EFFECTIVE DATE.—To carry out this sec- tion, the Federal Trade Commission shall promulgate interim final regulations by not later than the date that is 180 days
