§17931 — Title 42 The Public Health and Welfare | U.S. Code

Summary

Make the security rules in 45 C.F.R. 164.308, 164.310, 164.312, and 164.316 apply to a business associate the same way they apply to a covered entity. Any other security requirements that apply to covered entities must also apply to business associates and must be included in the contract between them. If a business associate breaks those security rules, the penalty rules in sections 1320d–5 and 1320d–6 apply to that business associate the same as to a covered entity. Starting the first year after February 17, 2009, and every year after, the HHS Secretary must consult stakeholders and issue guidance on technical safeguards, including standards under section 300jj–12(b)(2)(B)(vi) (added by section 13101), as they were in effect before February 17, 2009.

Title 42, §17931

The Public Health and Welfare — Source: USLM XML via OLRC

(a)section 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title 11 See References in Text note below. that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b)In the case of a business associate that violates any security provision specified in subsection (a), section 1320d–5 and 1320d–6 of this title shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.

(c)For the first year beginning after February 17, 2009, and annually thereafter, the Secretary of Health and Human Services shall, after consultation with stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, including the use of standards developed under section 300jj–12(b)(2)(B)(vi) 1 of this title, as added by section 13101 of this Act, as such provisions are in effect as of the date before February 17, 2009.

Notes & Related Subsidiaries

Editorial Notes

References in Text

This title, referred to in subsec. (a), is title XIII of div. A of Pub. L. 111–5, which enacted this chapter and subchapter XXVIII (§ 300jj et seq.) of chapter 6A this title, amended section 1320d, 1320d–5, and 1320d–6 of this title, and enacted provisions set out as a note under this section and section 201 of this title. For complete classification of title XIII to the Code, see

Short Title

of 2009 Amendment note set out under section 201 of this title and Tables. section 300jj–12(b)(2)(B)(vi) of this title, referred to in subsec. (c), was repealed by Pub. L. 114–255, div. A, title IV, § 4003(e)(1), Dec. 13, 2016, 130 Stat. 1168. Similar provisions as pertaining to the HIT Advisory Committee are contained in section 300jj–12(b)(2)(C)(vii) of this title as enacted by Pub. L. 114–255. section 13101 of this Act, referred to in subsec. (c), means section 13101 of div. A of Pub. L. 111–5.

Statutory Notes and Related Subsidiaries

Effective Date

Pub. L. 111–5, div. A, title XIII, § 13423, Feb. 17, 2009, 123 Stat. 276, provided that: “Except as otherwise specifically provided, the provisions of part I [probably means part 1 (§§ 13401–13411) of subtitle D of title XIII of div. A of Pub. L. 111–5, enacting this part and amending section 1320d–5 and 1320d–6 of this title] shall take effect on the date that is 12 months after the date of the enactment of this title [Feb. 17, 2009].”

§17931 Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions