
BILL · 114th Congress · S. 754 (Engrossed in Senate) — To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, an... · Sec. 405

Sec. 405. Improving cybersecurity in the health care industry


In this section:

The term "business associate" has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

The term "covered entity" has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

The terms "health care clearinghouse", "health care provider", and "health plan" have the meanings given the terms in section 160.103 of title 45, Code of Federal Regulations.

The term "health care industry stakeholder" means any—
(A) health plan, health care clearinghouse, or health care provider;
(B) patient advocate;
(C) pharmacist;
(D) developer of health information technology;
(E) laboratory;
(F) pharmaceutical or medical device manufacturer; or
(G) additional stakeholder the Secretary determines necessary for purposes of subsection (d)(1), (d)(3), or (e).

The term "Secretary" means the Secretary of Health and Human Services.

Not later than 1 year after the date of enactment of this Act, the Secretary shall submit, to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives, a report on the preparedness of the health care industry in responding to cybersecurity threats.

With respect to the internal response of the Department of Health and Human Services to emerging cybersecurity threats, the report shall include—
(A) a clear statement of the official within the Department of Health and Human Services to be responsible for leading and coordinating efforts of the Department regarding cybersecurity threats in the health care industry; and
(B) a plan from each relevant operating division and subdivision of the Department of Health and Human Services on how such division or subdivision will address cybersecurity threats in the health care industry, including a clear delineation of how each such division or subdivision will divide responsibility among the personnel of such division or subdivision and communicate with other such divisions and subdivisions regarding efforts to address such threats.

Not later than 60 days after the date of enactment of this Act, the Secretary, in consultation with the Director of the National Institute of Standards and Technology and the Secretary of Homeland Security, shall convene health care industry stakeholders, cybersecurity experts, and any Federal agencies or entities the Secretary determines appropriate to establish a task force to—
(A) analyze how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
(B) analyze challenges and barriers private entities (notwithstanding section 102(15)(B), excluding any State, tribal, or local government) in the health care industry face securing themselves against cyber attacks;
(C) review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record;
(D) provide the Secretary with information to disseminate to health care industry stakeholders for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry;
(E) establish a plan for creating a single system for the Federal Government to share information on actionable intelligence regarding cybersecurity threats to the health care industry in near real time, requiring no fee to the recipients of such information, including which Federal agency or other entity may be best suited to be the central conduit to facilitate the sharing of such information; and
(F) report to Congress on the findings and recommendations of the task force regarding carrying out subparagraphs (A) through (E).

The task force established under this subsection shall terminate on the date that is 1 year after the date of enactment of this Act.

Not later than 60 days after the termination of the task force established under this subsection, the Secretary shall disseminate the information described in paragraph (1)(D) to health care industry stakeholders in accordance with such paragraph.

Nothing in this subsection shall be construed to limit the antitrust exemption under section 104(e) or the protection from liability under section 106.

The Secretary shall establish, through a collaborative process with the Secretary of Homeland Security, health care industry stakeholders, the National Institute of Standards and Technology, and any Federal agency or entity the Secretary determines appropriate, a single, voluntary, national health-specific cybersecurity framework that—
(A) establishes a common set of voluntary, consensus-based, and industry-led standards, security practices, guidelines, methodologies, procedures, and processes that serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations;
(B) supports voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats;
(C) is consistent with the security and privacy regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) and with the Health Information Technology for Economic and Clinical Health Act (title XIII of division A, and title IV of division B, of Public Law 111–5), and the amendments made by such Act; and
(D) is updated on a regular basis and applicable to the range of health care organizations described in subparagraph (A).

Nothing in this subsection shall be interpreted as granting the Secretary authority to—
(A) provide for audits to ensure that health care organizations are in compliance with the voluntary framework under this subsection; or
(B) mandate, direct, or condition the award of any Federal grant, contract, or purchase on compliance with such voluntary framework.

Nothing in this title shall be construed to subject a health care organization to liability for choosing not to engage in the voluntary activities authorized under this subsection.
Marginalia · a citizen's law index