[116th Congress Public Law 321]
[From the U.S. Government Publishing Office]
[[Page 134 STAT. 5072]]

Public Law 116-321
116th Congress

                                 An Act
  To amend the Health Information Technology for Economic and Clinical 
  Health Act to require the Secretary of Health and Human Services to 
 consider certain recognized security practices of covered entities and 
 business associates when making certain determinations, and for other 
            purposes. <<NOTE: Jan. 5, 2021 -  [H.R. 7898]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,
SECTION 1. RECOGNITION OF SECURITY PRACTICES.

    Part 1 of subtitle D of the Health Information Technology for 
Economic and Clinical Health Act (42 U.S.C. 17931 et seq.) is amended by 
adding at the end the following:
``SEC. 13412. <<NOTE: 42 USC 17941.>>  RECOGNITION OF SECURITY 
                            PRACTICES.

    ``(a) In General.--Consistent with the authority of the Secretary 
under sections 1176 and 1177 of the Social Security Act, when making 
determinations relating to fines under such section 1176 (as amended by 
section 13410) or such section 1177, decreasing the length and extent of 
an audit under section 13411, or remedies otherwise agreed to by the 
Secretary, the Secretary shall consider whether the covered entity or 
business associate has adequately demonstrated that it had, for not less 
than the previous 12 months, recognized security practices in place that 
may--
            ``(1) mitigate fines under section 1176 of the Social 
        Security Act (as amended by section 13410);
            ``(2) result in the early, favorable termination of an audit 
        under section 13411; and
            ``(3) mitigate the remedies that would otherwise be agreed 
        to in any agreement with respect to resolving potential 
        violations of the HIPAA Security rule (part 160 of title 45 Code 
        of Federal Regulations and subparts A and C of part 164 of such 
        title) between the covered entity or business associate and the 
        Department of Health and Human Services.

    ``(b) Definition and Miscellaneous Provisions.--
            ``(1) Recognized security practices.--The term `recognized 
        security practices' means the standards, guidelines, best 
        practices, methodologies, procedures, and processes developed 
        under section 2(c)(15) of the National Institute of Standards 
        and Technology Act, the approaches promulgated under section 
        405(d) of the Cybersecurity Act of 2015, and other programs and 
        processes that address cybersecurity and that are developed, 
        recognized, or promulgated through regulations under other 
        statutory authorities. Such practices shall be determined by the 
        covered entity or business associate, consistent with

[[Page 134 STAT. 5073]]

        the HIPAA Security rule (part 160 of title 45 Code of Federal 
        Regulations and subparts A and C of part 164 of such title).
            ``(2) Limitation.--Nothing in this section shall be 
        construed as providing the Secretary authority to increase fines 
        under section 1176 of the Social Security Act (as amended by 
        section 13410), or the length, extent or quantity of audits 
        under section 13411, due to a lack of compliance with the 
        recognized security practices.
            ``(3) No liability for nonparticipation.--Subject to 
        paragraph (4), nothing in this section shall be construed to 
        subject a covered entity or business associate to liability for 
        electing not to engage in the recognized security practices 
        defined by this section.
            ``(4) Rule of construction.--Nothing in this section shall 
        be construed to limit the Secretary's authority to enforce the 
        HIPAA Security rule (part 160 of title 45 Code of Federal 
        Regulations and subparts A and C of part 164 of such title), or 
        to supersede or conflict with an entity or business associate's 
        obligations under the HIPAA Security rule.''.
SEC. 2. TECHNICAL CORRECTION.

    (a) In General.--Section 3022(b) of the Public Health Service Act 
(42 U.S.C. 300jj-52(b)) is amended by adding at the end the following 
new paragraph:
            ``(4) Application of authorities under inspector general act 
        of 1978.--In carrying out this subsection, the Inspector General 
        shall have the same authorities as provided under section 6 of 
        the Inspector General Act of 1978 (5 U.S.C. App.).''.

    (b) <<NOTE: 42 USC 300jj-52 note.>>  Effective Date.--The amendment 
made by subsection (a) shall take effect as if included in the enactment 
of the 21st Century Cures Act (Public Law 114-255).

    Approved January 5, 2021.

LEGISLATIVE HISTORY--H.R. 7898:
---------------------------------------------------------------------------

CONGRESSIONAL RECORD, Vol. 166 (2020):
            Dec. 9, considered and passed House.
            Dec. 19, considered and passed Senate.