Regulations last checked for updates: Nov 22, 2024

Title 16 - Commercial Practices last revised: Nov 20, 2024
§ 318.2 - Definitions.

Breach of security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.

Business associate means a business associate under the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936, as defined in 45 CFR 160.103.

Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

(1) Reasonably understandable. You make your notice reasonably understandable if you:

(i) Present the information in the notice in clear, concise sentences, paragraphs, and sections;

(ii) Use short explanatory sentences or bullet lists whenever possible;

(iii) Use definite, concrete, everyday words and active voice whenever possible;

(iv) Avoid multiple negatives;

(v) Avoid legal and highly technical business terminology whenever possible; and

(vi) Avoid explanations that are imprecise and readily subject to different interpretations.

(2) Designed to call attention. You design your notice to call attention to the nature and significance of the information in it if you:

(i) Use a plain-language heading to call attention to the notice;

(ii) Use a typeface and type size that are easy to read;

(iii) Provide wide margins and ample line spacing;

(iv) Use boldface or italics for key words; and

(v) In a form that combines your notice with other information, use distinctive type size, style, and graphic devices, such as shading or sidebars, when you combine your notice with other information. The notice should stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.

(3) Notices on websites or within-application messaging. If you provide a notice on a web page or using within-application messaging, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the website or software application (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice, and you either:

(i) Place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or

(ii) Place a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.

Covered health care provider means a provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing health care services or supplies.

Electronic mail means email in combination with one or more of the following: text message, within-application messaging, or electronic banner.

Health care services or supplies means any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.

HIPAA-covered entity means a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, 110 Stat. 1936, as defined in 45 CFR 160.103.

Personal health record (PHR) means an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

PHR identifiable health information means information that:

(1) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and

(i) Identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual; and

(2) Is created or received by a:

(i) Covered health care provider;

(ii) Health plan (as defined in 42 U.S.C. 1320d(5));

(iii) Employer; or

(iv) Health care clearinghouse (as defined in 42 U.S.C. 1320d(2)); and

(3) With respect to an individual, includes information that is provided by or on behalf of the individual.

PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that:

(1) Offers products or services through the website, including any online service, of a vendor of personal health records;

(2) Offers products or services through the websites, including any online service, of HIPAA-covered entities that offer individuals personal health records; or

(3) Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record.

State means any of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

Third party service provider means an entity that:

(1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and

(2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.

Unsecured means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Reinvestment and Recovery Act of 2009, 42 U.S.C. 17932(h)(2).

Vendor of personal health records means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.

authority: 42 U.S.C. 17937 and 17953
source: 74 FR 42980, Aug. 25, 2009, as amended at 89 FR 47054, May 30, 2024, unless otherwise noted.
cite as: 16 CFR 318.2