Regulations last checked for updates: Nov 22, 2024

Title 16 - Commercial Practices last revised: Nov 20, 2024
§ 318.1 - Purpose and scope.

(a) This part, which shall be called the “Health Breach Notification Rule,” implements section 13407 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17937. This part applies to foreign and domestic vendors of personal health records, PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents. This part does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

(b) This part preempts State law as set forth in section 13421 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17951.

authority: 42 U.S.C. 17937 and 17953
source: 74 FR 42980, Aug. 25, 2009, as amended at 89 FR 47054, May 30, 2024, unless otherwise noted.
cite as: 16 CFR 318.1