Page:United States Statutes at Large Volume 123.djvu/278

 123STA T . 2 58PUBLIC LA W 111 – 5 —FE B.1 7, 2 0 0 9‘ ‘ (1)an ana lysi s ofthe effe c ti v eness of the activities fo rw hich the entity receives s u ch assistance , as co mp are d to the g oals for such activities and ‘‘( 2 ) an analysis of the impact of the pro j ect on health care q uality and safety . ‘‘( b ) REQUIR E M E NT T OI M P RO V E Q U AL IT Y O FC ARE AN DD E C REA S E IN COSTS. —T he N ational Coordinator shall annually evaluate the activities conducted under this subtitle and shall, in awarding grants, implement the lessons learned from such evaluation in a manner so that awards made subsequent to each such evaluation are made in a manner that, in the determination of the National Coordinator, will result in the greatest improvement in the quality and efficiency of health care. ‘ ‘ SEC.3018 . AUTHORIZ ATIO NF ORA P PROPRIATIONS. ‘‘ F or the purposes of carrying out this subtitle, there is author - i z ed to be appropriated such sums as may be necessary for each of the fiscal years 2 0 0 9 through 201 3 . ’ ’. Subti t leD—Pr i vacy SEC. 13 4 00. D EFINITIONS. In this subtitle, e x cept as specified otherwise (1) B REAC H .— ( A )IN G ENERAL.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of pro- tected health information which compromises the security or privacy of such information, except where an unauthor- ized person to whom such information is disclosed would not reasonably have been able to retain such information. (B) EX CEPTIONS.—The term ‘‘breach’’ does not include— (i) any unintentional acquisition, access, or use of protected health information by an employee or indi- vidual acting under the authority of a covered entity or business associate if— (I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relation- ship of such employee or individual, respectively, with the covered entity or business associate; and (II) such information is not further acquired, accessed, used, or disclosed by any person; or (ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated indi- vidual at same facility; and (iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person. (2) BUSINESS ASSOCIATE.—The term ‘‘business associate’’ has the meaning given such term in section 1 6 0.103 of title 45, Code of Federal Regulations. (3) COVERED ENTITY.—The term ‘‘covered entity’’ has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations. 42USC179 21 . 42 USC 30 0 j j – 3 8 . Evalu a tion . De a d line.