16 C.F.R. § 318.3
(a) In general. In accordance with §§ 318.4 (regarding timeliness of notification), 318.5 (regarding methods of notice), and 318.6 (regarding content of notice), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall: