Skip to content
LexBuild

42 USC § 17931 - Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions 

---
identifier: "/us/usc/t42/s17931"
source: "usc"
legal_status: "official_prima_facie"
title: "42 USC § 17931 - Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions"
title_number: 42
title_name: "THE PUBLIC HEALTH AND WELFARE"
section_number: "17931"
section_name: "Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions"
chapter_number: 156
chapter_name: "HEALTH INFORMATION TECHNOLOGY"
subchapter_number: "III"
subchapter_name: "PRIVACY"
part_number: "A"
part_name: "Improved Privacy Provisions and Security Provisions"
positive_law: false
currency: "119-84"
last_updated: "2026-04-17"
format_version: "1.1.0"
generator: "[email protected]"
source_credit: "(Pub. L. 111–5, div. A, title XIII, § 13401, Feb. 17, 2009, 123 Stat. 260.)"
---

# § 17931. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions

**1** **Application of security provisions** [^1]

Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title  that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

See References in Text note below.

**(b)** **Application of civil and criminal penalties** In the case of a business associate that violates any security provision specified in subsection (a), sections 1320d–5 and 1320d–6 of this title shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.

**(c)** **Annual guidance** February 17, 2009<sup>1</sup>February 17, 2009

For the first year beginning after , and annually thereafter, the Secretary of Health and Human Services shall, after consultation with stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, including the use of standards developed under section 300jj–12(b)(2)(B)(vi)  of this title, as added by section 13101 of this Act, as such provisions are in effect as of the date before .

---

**Source Credit**: (Pub. L. 111–5, div. A, title XIII, § 13401, Feb. 17, 2009, 123 Stat. 260.)

## Editorial Notes

### References in Text

This title, referred to in subsec. (a), is title XIII of div. A of , which enacted this chapter and subchapter XXVIII (§ 300jj et seq.) of chapter 6A this title, amended sections 1320d, 1320d–5, and 1320d–6 of this title, and enacted provisions set out as a note under this section and . For complete classification of title XIII to the Code, see Short Title of 2009 Amendment note set out under  and Tables.

, referred to in subsec. (c), was repealed by , , . Similar provisions as pertaining to the HIT Advisory Committee are contained in  as enacted by .

Section 13101 of this Act, referred to in subsec. (c), means .

## Statutory Notes and Related Subsidiaries

### Effective Date

> “Except as otherwise specifically provided, the provisions of part I [probably means part 1 (§§ 13401–13411) of subtitle D of title XIII of div. A of
> 
> , enacting this part and amending sections 1320d–5 and 1320d–6 of this title] shall take effect on the date that is 12 months after the date of the enactment of this title [
> 
> ].”

, , , provided that: