40 Pa. C.S. § 4532

Current through 2024 legislation effective May 8, 2024
Section 4532 - Exemptions
(a) Licensee criteria.--A licensee meeting any of the following criteria shall be exempt from sections 4512 (relating to risk assessment), 4513 (relating to information security program), 4514 (relating to corporate oversight), 4515 (relating to oversight of third-party service provider arrangements) and 4516 (relating to certification):
(1) The licensee has fewer than 10 employees.
(2) The licensee has less than $5,000,000 in gross revenue.
(3) The licensee has less than $10,000,000 in year-end total assets.
(b) Federal law.--A licensee that is subject to and governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services under 45 CFR Pts. 160 (relating to general administrative requirements) and 164 (relating to security and privacy), established in accordance with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5, 123 Stat. 226-279 and 467-496), and which maintains nonpublic information in the same manner as protected health information shall be deemed to comply with the requirements of this chapter except for the notification requirements of section 4518(a), (b) and (c) (relating to notification of cybersecurity event).
(c) Employees, agents, representatives and designees.--An employee, agent, representative or designee of a licensee, who is also a licensee, shall be exempt from sections 4512, 4513, 4514, 4515 and 4516 and need not develop its own information security program to the extent that the employee, agent, representative or designee is covered by the information security program of the other licensee.
(d) Compliance.--If a licensee ceases to qualify for an exemption under this section, the licensee shall have 180 days to comply with this chapter.

Added by P.L. 4 2023 No. 2, § 1, eff. 12/11/2023.