Code · BILL · 118th Congress · S. 5218 (Introduced in Senate) — To amend titles XI and XVIII of the Social Security Act to strengthen, increase oversight of, and compliance with, se... · Sec. 102

Sec. 102. Security risk management, reporting requirements, and audits for covered entities and business associates

Section 1173(d) of the Social Security Act (42 U.S.C. 1320d–2(d)) is amended by adding at the end the following new paragraph:

Each covered entity and business associate shall at a minimum, on an annual basis—
  • conduct and document a security risk analysis, including information regarding the manner and extent to which such entity or associate is exposed to risk through its business associates;
  • document a plan for a rapid and orderly resolution in the event of a natural disaster, disruptive cyber incident, or other technological failure to its information systems or those of its business associates;
  • conduct a stress test to evaluate whether such entity or associate has the capabilities and planning necessary to recover essential functions, such as patient care operations and transactions described in subsection (a)(2), following a cyber incident, a natural disaster, or other substantial threat to health care operations, as determined by the Secretary;
  • document whether, based upon the results of the stress test described in clause (iii), the covered entity or business associate revised the most recent plan described in clause (ii);
  • provide a written statement signed by the chief executive officer and chief information security officer (or equivalent thereof) stating that the covered entity or business associate is in compliance with security requirements adopted under part 160 of title 45, Code of Federal Regulations, and subparts A and C of part 164 of title 45, Code of Federal Regulations (or a successor regulation), including the applicable security requirements adopted under paragraph (1)(B); and
  • publish on a publicly accessible website—
      • whether the covered entity or business associate has received a notification from the Secretary pursuant to paragraph (1)(B)(ii)(I);
      • whether the covered entity or business associate meets the minimum security requirements and, if applicable, the enhanced security requirements under paragraph (1)(B); and
      • a copy of each statement provided under clause (v) with respect to each year in a machine-readable format.

The Secretary shall provide for not less than 2 different sets of conditions under which the test described in subparagraph (A)(iii) is to be conducted.

The Secretary may waive the requirements of this paragraph with respect to a covered entity or business associate if the burden on the entity or associate significantly outweighs the benefits, taking into account the revenue of the entity or associate, the volume of protected health information or health care transactions processed by the entity or associate, and such other factors as the Secretary determines appropriate.

Subject to clause (ii), each covered entity and business associate shall submit the documentation required under subparagraph (A) at such time, in such form, and containing such information as the Secretary may require. Each covered entity and business associate that is subject to enhanced security requirements shall submit the documentation required under subparagraph (A) to the Secretary not less frequently than on an annual basis.

For purposes of this subsection:
  • The term "cyber incident" has the meaning given the term "incident" in section 2200(12) of the Homeland Security Act of 2002 (6 U.S.C. 650(12)).
  • The term "machine-readable" has the meaning given such term in section 3502 of title 44, United States Code.
  • The term "stress test" means an extensive real-world simulation intended to test the operational resilience of the health care operations of a covered entity or business associate in response to a substantial interruption in information systems, including the ability to—
      • continue to provide essential care and services during and in the recovery period from such substantial interruption; and
      • timely rebuild the information systems (as defined in section 2200(14) of the Homeland Security Act of 2002 (6 U.S.C. 650(14))) of such covered entity or business associate.

The requirements under this paragraph shall take effect on the date that is 3 years after the date of enactment of this paragraph.

Section 1173(d) of the Social Security Act (42 U.S.C. 1320d–2(d)), as amended by subsection (a), is amended by adding at the end the following new paragraph:

Each covered entity and business associate must—
  • contract with an independent auditor that meets such requirements for independence and technical expertise as the Inspector General of the Department of Health and Human Services may establish to conduct an annual audit in accordance with subparagraph (B); and
  • document the findings of each audit conducted under clause (i).

An audit conducted under subparagraph (A)(i) shall—
  • assess compliance of the covered entity or business associate with—
      • during the period prior to the effective date of the requirements under paragraph (1)(B), the Healthcare and Public Health Sector Cybersecurity Performance Goals as described in the report published by the Department of Health and Human Services as of the date of enactment of this paragraph, and titled "Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals: Strengthening the Cybersecurity of the Healthcare Sector and Keeping Patients Safe and Secure"; and
      • on or after the effective date of the requirements under paragraph (1)(B), the minimum and enhanced security requirements adopted under such paragraph, as applicable;
  • identify any areas in which the covered entity or business associate did not meet such goals or requirements, as applicable; and
  • certify that the covered entity or business associate—
      • has resolved any areas of noncompliance; or
      • is implementing an appropriate plan to resolve such areas of noncompliance in a timely manner.

The Secretary may waive the requirements of this paragraph with respect to a covered entity or business associate if the burden on the entity or associate significantly outweighs the benefits, taking into account the revenue of the entity or associate, the volume of protected health information or health care transactions processed by the entity or associate, and such other factors as the Secretary determines appropriate.

Subject to clause (ii), each covered entity and business associate shall submit the documentation required under subparagraph (A)(ii) at such time, in such form, and containing such information as the Secretary may require. Each covered entity and business associate that is subject to enhanced security requirements shall submit the documentation required under subparagraph (A)(ii) to the Secretary not less frequently than on an annual basis.

The requirements under this paragraph shall take effect on the date that is 180 days after the date of enactment of this paragraph.

Section 1173(d) of the Social Security Act (42 U.S.C. 1320d–2(d)), as amended by subsections (a) and (b), is amended by adding at the end the following new paragraph:

Each year (beginning on or after the date that is 4 years after the date of enactment of this paragraph) the Secretary shall conduct an annual audit of the data security practices of at least 20 covered entities or business associates under this part. The Comptroller General of the United States shall monitor auditing activities conducted under this paragraph.

In selecting covered entities or business associates for audit under subparagraph (A) the Secretary shall consider—
  • whether the covered entity or business associate is of systemic importance;
  • whether any complaints have been made with respect to the data security practices of the covered entity or business associate; and
  • whether the covered entity or business associate has a history of previous violations.

The findings of an audit under this paragraph may result in a civil money penalty based on the failure of a covered entity or business associate to submit documentation demonstrating that the covered entity or business associate has taken corrective actions to achieve compliance in response to a finding of a potential violation of a provision of this part within a period of time specified by the Secretary after receipt of such findings.

The Secretary shall submit to Congress reports summarizing the results of the audits conducted under this paragraph biennially ending on the date that is 10 years after the date on which the first report is submitted under this subparagraph.

Section 1173(d) of the Social Security Act (42 U.S.C. 1320d–2(d)), as amended by subsections (a), (b), and (c), is amended by adding at the end the following new paragraph:

A covered entity or business associate that—
  • fails to timely submit documentation or a report required under paragraph (3), (4), or (5),
  • fails to comply with an audit under paragraph (5), or
  • fails to comply with a responsibility of a covered entity or a business associate under section 160.310 of title 45, Code of Federal Regulations (or a successor regulation),
shall be subject to a civil money penalty of not more than $5,000 per day for each such failure. The provisions of section 1128A (other than subsections (a), (b), and (d)(1), and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subparagraph in the same manner as such provisions apply to the imposition of a penalty under such section 1128A. Any civil money penalty under this subparagraph with respect to a failure described in clause (i) shall be in lieu of the penalties described in section 1176.

In addition to any penalties imposed under subparagraph (A), whoever submits, or causes to be submitted, any documentation or report required of a covered entity or business associate under paragraph (3), (4), or (5) knowing that such documentation or report contains false information, or willfully fails to timely submit, or willfully causes to not be timely submitted, such a document or report, shall be guilty of a felony and upon conviction thereof fined not more than $1,000,000 or imprisoned for not more than 10 years, or both.