including any independent contractors, is exempt from Section 10.

compliant with the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5, HITECH, and that maintains nonpublic information in the same manner as protected health information pursuant to an information security program shall be considered to meet the requirements of Section 10 and Section 15 of this Act. To claim this exemption, the licensee must submit an annual statement by April 15 certifying its compliance with the applicable provisions of federal law referenced in this paragraph.

of a licensee that is also a licensee is exempt from Section 10 and need not develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee.