123STA T . 2 7 1 PUBLIC LA W 111 –5—FE B. 17 , 2 0 0 9after t h e d ate o fthee n a c t m ent of th is section .T he p ro v isions of this section sha l l appl y to b reaches of sec u rity that are discovered on or after the date that is 30 days after the date of publication of such interim final re g ulations. (2)SUNSET . —I f C ongress enacts ne w legislation estab - lishing re q uirements for notification in the case of a breach of security , that apply to entities that are not covered entities or business associates, the provisions of this section shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation. SEC.13408 . BU S IN ESS A SS O CIA T E CONT R ACTS RE Q UIRE DF OR CER - TAIN ENTITIES. E ach organi z ation, with respect to a covered entity, that pro- vides data transmission of protected health information to such entity (or its business associate) and that requires access on a routine basis to such protected health information, such as a H ealth Information E x change O rganization, R egional Health Information Organization, E-prescribing G ateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is required to enter into a written contract (or other written arrange- ment) described in section 164 . 5 02(e)(2) of title 45, Code of F ederal Regulations and a written contract (or other arrangement) described in section 164.30 8 (b) of such title, with such entity and shall be treated as a business associate of the covered entity for purposes of the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this title. SEC. 1340 9 .C L ARIFICATION OF A P PLICATION OF W RON G FUL DISCLO- SURES CRI M INAL PENALTIES. Section 11 7 7(a) of the Social Security A ct (42 U .S.C. 1320d – 6(a)) is amended by adding at the end the following new sentence
- ‘
‘For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HI P AA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such informa- tion without authorization. ’ ’. SEC. 13410. IMPRO V ED ENFORCEMENT. (a) IN GENE RAL .— (1) NO N C O MP L I ANCE D UE TO W ILL F UL NE G LECT.—Section 1176 of the Social Security Act (42 U.S.C. 1320d–5) is amended— (A) in subsection (b)(1), by stri k ing ‘‘the act constitutes an offense punishable under section 1177’’ and inserting ‘‘a penalty has been imposed under section 1177 with respect to such act’’
and ( B ) by adding at the end the following new subsection: ‘‘(c) NONCOMPLIANCE D UE TO W ILLFUL NEGLECT.— ‘‘(1) IN GENERAL.—A violation of a provision of this part due to willful neglect is a violation for which the Secretary is required to impose a penalty under subsection (a)(1). ‘‘(2) RE Q UIRED IN V ESTIGATION.—For purposes of paragraph (1), the Secretary shall formally investigate any complaint of 42USC1793 9 . 42 USC 1793 8 . Ap p licab ili ty .
