Code · BILL · 116th Congress · S. 1895 (Reported in Senate) — To lower health care costs. · Sec. 502

Sec. 502. Recognition of security practices

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Part 1 of subtitle D of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.) is amended by adding at the end the following:

Consistent with the authority of the Secretary under sections 1176 and 1177 of the Social Security Act, when making determinations relating to fines under section 13410, decreasing the length and extent of an audit under section 13411, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the entity or business associate had, for not less than the previous 12 months, recognized security practices in place that may— mitigate fines under section 13410; result in the early, favorable termination of an audit under section 13411; and limit the remedies that would otherwise be agreed to in any agreement between the entity or business associate and the Department of Health and Human Services.

At the election of the entity or business associate, the Secretary may provide further consideration to an entity or business associate that can adequately demonstrate that such recognized security practices were in place, as determined by the Secretary.

The term recognized security practices means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Information Sharing Act of 2015, and any other program or processes that are equivalent to such requirements as may be developed through regulations. Such practices shall be determined by the entity or business associate, except where additional consideration is requested under subsection (b).

Nothing in this section shall be construed as providing the Secretary authority to— increase fines under section 13410, or the length, extent or quantity of audits under section 13411, due to a lack of compliance with the recognized security practices; or mandate, direct, or condition the award of any Federal grant, contract, or purchase, on compliance with such recognized security practices.

Nothing in this section shall be construed to subject an entity or business associate to liability for electing not to engage in the recognized security practices defined by this section.

Nothing in this section shall be construed to limit the Secretary’s authority to enforce the HIPAA Security rule (part 160 of title 45, Code of Federal Regulations, and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate’s obligations under the HIPAA Security rule.