[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5386 Introduced in House (IH)]

116th CONGRESS
  1st Session
                                H. R. 5386

 To amend the Health Information Technology for Economic and Clinical 
   Health Act to require consideration, in certain circumstances, of 
     whether a covered entity or business associate has adequately 
 demonstrated that it had recognized security practices, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           December 10, 2019

  Mr. McNerney (for himself and Mr. Bucshon) introduced the following 
 bill; which was referred to the Committee on Energy and Commerce, and 
  in addition to the Committee on Ways and Means, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL


 
 To amend the Health Information Technology for Economic and Clinical 
   Health Act to require consideration, in certain circumstances, of 
     whether a covered entity or business associate has adequately 
 demonstrated that it had recognized security practices, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Promoting Better Patient Data 
Security Act of 2019''.

SEC. 2. RECOGNITION OF SECURITY PRACTICES.

    Part 1 of subtitle D of the Health Information Technology for 
Economic and Clinical Health Act (42 U.S.C. 17931 et seq.) is amended 
by adding at the end the following:

``SEC. 13412. RECOGNITION OF SECURITY PRACTICES.

    ``(a) In General.--Consistent with the authority of the Secretary 
under sections 1176 and 1177 of the Social Security Act, when making 
determinations relating to fines under section 13410, decreasing the 
length and extent of an audit under section 13411, or remedies 
otherwise agreed to by the Secretary, the Secretary shall consider 
whether the covered entity or business associate has adequately 
demonstrated that it had, for not less than the previous 12 months, 
recognized security practices in place that may--
            ``(1) mitigate fines under section 13410;
            ``(2) result in the early, favorable termination of an 
        audit under section 13411; and
            ``(3) mitigate the remedies that would otherwise be agreed 
        to in any agreement with respect to resolving potential 
        violations of the HIPAA Security rule (part 160 of title 45 
        Code of Federal Regulations and subparts A and C of part 164 of 
        such title) between the covered entity or business associate 
        and the Department of Health and Human Services.
    ``(b) Definition and Miscellaneous Provisions.--
            ``(1) Recognized security practices.--The term `recognized 
        security practices' means the standards, guidelines, best 
        practices, methodologies, procedures, and processes developed 
        under section 2(c)(15) of the National Institute of Standards 
        and Technology Act, the approaches promulgated under section 
        405(d) of the Cybersecurity Act of 2015, and other programs and 
        processes that address cybersecurity and that are developed, 
        recognized, or promulgated through regulations under other 
        statutory authorities. Such practices shall be determined by 
        the covered entity or business associate.
            ``(2) Limitation.--Nothing in this section shall be 
        construed as providing the Secretary authority to increase 
        fines under section 13410, or the length, extent or quantity of 
        audits under section 13411, due to a lack of compliance with 
        the recognized security practices.
            ``(3) No liability for nonparticipation.--Subject to 
        paragraph (4), nothing in this section shall be construed to 
        subject a covered entity or business associate to liability for 
        electing not to engage in the recognized security practices 
        defined by this section.
            ``(4) Rule of construction.--Nothing in this section shall 
        be construed to limit the Secretary's authority to enforce the 
        HIPAA Security rule (part 160 of title 45 Code of Federal 
        Regulations and subparts A and C of part 164 of such title), or 
        to supersede or conflict with an entity or business associate's 
        obligations under the HIPAA Security rule.''.