Bill Sponsor
House Bill 5386
116th Congress (2019-2020)
Promoting Better Patient Data Security Act of 2019
Introduced
Introduced in House on Dec 10, 2019
H. R. 5386 (Introduced-in-House)


116th CONGRESS
1st Session
H. R. 5386


To amend the Health Information Technology for Economic and Clinical Health Act to require consideration, in certain circumstances, of whether a covered entity or business associate has adequately demonstrated that it had recognized security practices, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES

December 10, 2019

Mr. McNerney (for himself and Mr. Bucshon) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committee on Ways and Means, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned


A BILL

To amend the Health Information Technology for Economic and Clinical Health Act to require consideration, in certain circumstances, of whether a covered entity or business associate has adequately demonstrated that it had recognized security practices, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Promoting Better Patient Data Security Act of 2019”.

SEC. 2. Recognition of security practices.

Part 1 of subtitle D of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.) is amended by adding at the end the following:

“SEC. 13412. Recognition of security practices.

“(a) In general.—Consistent with the authority of the Secretary under sections 1176 and 1177 of the Social Security Act, when making determinations relating to fines under section 13410, decreasing the length and extent of an audit under section 13411, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—

“(1) mitigate fines under section 13410;

“(2) result in the early, favorable termination of an audit under section 13411; and

“(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.

“(b) Definition and miscellaneous provisions.—

“(1) RECOGNIZED SECURITY PRACTICES.—The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate.

“(2) LIMITATION.—Nothing in this section shall be construed as providing the Secretary authority to increase fines under section 13410, or the length, extent or quantity of audits under section 13411, due to a lack of compliance with the recognized security practices.

“(3) NO LIABILITY FOR NONPARTICIPATION.—Subject to paragraph (4), nothing in this section shall be construed to subject a covered entity or business associate to liability for electing not to engage in the recognized security practices defined by this section.

“(4) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the Secretary’s authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate’s obligations under the HIPAA Security rule.”.