PRIA Logo
Take the PRIA Score
Title 42The Public Health and WelfareRelease 119-73

§17939 Improved enforcement

Title 42 › Chapter CHAPTER 156— - HEALTH INFORMATION TECHNOLOGY › Subchapter SUBCHAPTER III— - PRIVACY › Part Part A— - Improved Privacy Provisions and Security Provisions › § 17939

Last updated Apr 6, 2026|Official source

Summary

If a covered entity breaks these rules, it can be punished under the enforcement rules found in sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6). The changes take effect for penalties imposed on or after 24 months after February 17, 2009. The Secretary of Health and Human Services must issue rules to put these changes into effect within 18 months after February 17, 2009. Any civil penalty or settlement for a privacy or security offense under this law (or under section 1176 as it relates to privacy or security) must be sent to the HHS Office for Civil Rights and used to enforce the privacy and security rules in this subchapter and in subparts C and E of part 164 of title 45, Code of Federal Regulations, as they were on February 17, 2009. The Comptroller General must give the Secretary a report, within 18 months after February 17, 2009, with ideas for a way to give harmed individuals a share of those penalties or settlements. The Secretary must make a rule, within 3 years after February 17, 2009 and based on that report, that sets how an injured person may receive a percentage of any penalty or settlement; that rule will apply to penalties or settlements imposed on or after the rule’s effective date. Certain amendments apply only to violations that happen after February 17, 2009.

Full Legal Text

Title 42, §17939

The Public Health and Welfare — Source: USLM XML via OLRC

(a)(1)
(2)Any violation by a covered entity under thus 11 So in original. Probably should be “this”. subchapter is subject to enforcement and penalties under section 22 So in original. Probably should be “sections”. 1176 and 1177 of the Social Security Act [42 U.S.C. 1320d–5, 1320d–6].
(b)(1)The amendments made by subsection (a) shall apply to penalties imposed on or after the date that is 24 months after February 17, 2009.
(2)Not later than 18 months after February 17, 2009, the Secretary of Health and Human Services shall promulgate regulations to implement such amendments.
(c)(1)Subject to the regulation promulgated pursuant to paragraph (3), any civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subchapter or section 1176 of the Social Security Act (42 U.S.C. 1320d–5) insofar as such section relates to privacy or security shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing the provisions of this subchapter and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of February 17, 2009.
(2)Not later than 18 months after February 17, 2009, the Comptroller General shall submit to the Secretary a report including recommendations for a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.
(3)Not later than 3 years after February 17, 2009, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.
(4)The methodology under paragraph (3) shall be applied with respect to civil monetary penalties or monetary settlements imposed on or after the effective date of the regulation.
(d)(1)
(4)The amendments made by this subsection shall apply to violations occurring after February 17, 2009.
(e)(1)
(3)The amendments made by this subsection shall apply to violations occurring after February 17, 2009.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

References in Text

This subchapter, referred to in subsecs. (a)(2) and (c)(1), was in the original “this subtitle”, meaning subtitle D (§ 13400 et seq.) of title XIII of div. A of Pub. L. 111–5, Feb. 17, 2009, 123 Stat. 258, which is classified principally to this subchapter. For complete classification of subtitle D to the Code, see Tables. For reference to “the

Amendments

made by subsection (a)” in subsec. (b)(1) and “the

Amendments

made by this subsection” in subsecs. (d)(4) and (e)(3), see Codification note below. Codification Section is comprised of section 13410 of Pub. L. 111–5. Subsecs. (a)(1), (d)(1)–(3), (e)(1), (2), and (f) of section 13410 of Pub. L. 111–5 amended section 1320d–5 of this title.

Statutory Notes and Related Subsidiaries

Effective Date

Section effective 12 months after Feb. 17, 2009, except as otherwise specifically provided, see section 13423 of Pub. L. 111–5, set out as a note under section 17931 of this title.

Reference

Citations & Metadata

Citation

42 U.S.C. § 17939

Title 42The Public Health and Welfare

Last Updated

Apr 6, 2026

Release point: 119-73