Page:United States Statutes at Large Volume 123.djvu/297

123 STAT. 277 PUBLIC LAW 111–5—FEB. 17, 2009

(1) IN GENERAL.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary shall prepare and submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report concerning complaints of alleged violations of law, including the provisions of this subtitle as well as the provisions of subparts C and E of part 164 of title 45, Code of Federal Regulations, (as such provisions are in effect as of the date of enactment of this Act) relating to privacy and security of health information that are received by the Secretary during the year for which the report is being prepared. Each such report shall include, with respect to such complaints received during the year—

(A) the number of such complaints;

(B) the number of such complaints resolved informally, a summary of the types of such complaints so resolved, and the number of covered entities that received technical assistance from the Secretary during such year in order to achieve compliance with such provisions and the types of such technical assistance provided;

(C) the number of such complaints that have resulted in the imposition of civil monetary penalties or have been resolved through monetary settlements, including the nature of the complaints involved and the amount paid in each penalty or settlement;

(D) the number of compliance reviews conducted and the outcome of each such review;

(E) the number of subpoenas or inquiries issued;

(F) the Secretary’s plan for improving compliance with and enforcement of such provisions for the following year; and

(G) the number of audits performed and a summary of audit findings pursuant to section 13411.
(2) AVAILABILITY TO PUBLIC.—Each report under paragraph (1) shall be made available to the public on the Internet website of the Department of Health and Human Services.

(b) STUDY AND REPORT ON APPLICATION OF PRIVACY AND SECURITY REQUIREMENTS TO NON-HIPAA COVERED ENTITIES.—

(1) STUDY.—Not later than one year after the date of the enactment of this title, the Secretary, in consultation with the Federal Trade Commission, shall conduct a study, and submit a report under paragraph (2), on privacy and security requirements for entities that are not covered entities or business associates as of the date of the enactment of this title, including—

(A) requirements relating to security, privacy, and notification in the case of a breach of security or privacy (including the applicability of an exemption to notification in the case of individually identifiable health information that has been rendered unusable, unreadable, or indecipherable through technologies or methodologies recognized by appropriate professional organization or standard setting bodies to provide effective security for the information) that should be applied to—

(i) vendors of personal health records;

Web posting.