PRIA Logo
Take the PRIA Score
Title 42The Public Health and WelfareRelease 119-73

§17937 Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities

Title 42 › Chapter CHAPTER 156— - HEALTH INFORMATION TECHNOLOGY › Subchapter SUBCHAPTER III— - PRIVACY › Part Part A— - Improved Privacy Provisions and Security Provisions › § 17937

Last updated Apr 6, 2026|Official source

Summary

Vendors that run personal health record (PHR) websites or services must tell each U.S. person whose unsecured PHR health information was taken without permission. They also must tell the Federal Trade Commission (FTC). If a company that provides services to a PHR vendor (a third‑party service provider) finds a breach, it must tell the vendor or other responsible entity and say which people’ information was involved. A breach means someone got the PHR health information without the person’s OK. PHR identifiable health information means health details tied to a person or given by the person. “Unsecured” means the information is not protected by the security method the Secretary of Health sets, or if the Secretary hasn’t issued that guidance, not protected by an ANSI‑accredited standard that makes the data unreadable to others. The FTC must make interim final rules to run this program no later than 180 days after February 17, 2009. The breach rules apply to breaches found 30 days after those rules are published. When the FTC gets a breach notice it must tell the Secretary of Health. Breaking these notice duties is treated as an unfair or deceptive practice under federal consumer‑protection law. If Congress later passes a new law with notification rules for non‑HIPAA entities, those new rules will replace these ones for breaches found after the new rules take effect.

Full Legal Text

Title 42, §17937

The Public Health and Welfare — Source: USLM XML via OLRC

(a)In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section 17953(b)(1)(A) of this title, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—
(1)notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and
(2)notify the Federal Trade Commission.
(b)A third party service provider that provides services to a vendor of personal health records or to an entity described in clause (ii), (iii).11 So in original. The period probably should be a comma. or (iv) of section 17953(b)(1)(A) of this title in connection with the offering or maintenance of a personal health record or a related product or service and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services shall, following the discovery of a breach of security of such information, notify such vendor or entity, respectively, of such breach. Such notice shall include the identification of each individual whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.
(c)Subsections (c), (d), (e), and (f) of section 17932 of this title shall apply to a notification required under subsection (a) and a vendor of personal health records, an entity described in subsection (a) and a third party service provider described in subsection (b), with respect to a breach of security under subsection (a) of unsecured PHR identifiable health information in such records maintained or offered by such vendor, in a manner specified by the Federal Trade Commission.
(d)Upon receipt of a notification of a breach of security under subsection (a)(2), the Federal Trade Commission shall notify the Secretary of such breach.
(e)A violation of subsection (a) or (b) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 57a(a)(1)(B) of title 15 regarding unfair or deceptive acts or practices.
(f)For purposes of this section:
(1)The term “breach of security” means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.
(2)The term “PHR identifiable health information” means individually identifiable health information, as defined in section 1320d(6) of this title, and includes, with respect to an individual, information—
(A)that is provided by or on behalf of the individual; and
(B)that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
(3)(A)Subject to subparagraph (B), the term “unsecured PHR identifiable health information” means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary in the guidance issued under section 17932(h)(2) of this title.
(B)In the case that the Secretary does not issue guidance under section 17932(h)(2) of this title by the date specified in such section, for purposes of this section, the term “unsecured PHR identifiable health information” shall mean PHR identifiable health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
(g)(1)To carry out this section, the Federal Trade Commission shall promulgate interim final regulations by not later than the date that is 180 days after February 17, 2009. The provisions of this section shall apply to breaches of security that are discovered on or after the date that is 30 days after the date of publication of such interim final regulations.
(2)If Congress enacts new legislation establishing requirements for notification in the case of a breach of security, that apply to entities that are not covered entities or business associates, the provisions of this section shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.

Legislative History

Notes & Related Subsidiaries

Statutory Notes and Related Subsidiaries

Effective Date

Section effective 12 months after Feb. 17, 2009, except as otherwise specifically provided, see section 13423 of Pub. L. 111–5, set out as a note under section 17931 of this title.

Reference

Citations & Metadata

Citation

42 U.S.C. § 17937

Title 42The Public Health and Welfare

Last Updated

Apr 6, 2026

Release point: 119-73