§ 17941. Recognition of security practices
(a) In general
Consistent with the authority of the Secretary under sections 1320d–5 and 1320d–6 of this title, when making determinations relating to fines under such section 1320d–5 (as amended by section 13410 of Pub. L. 111–5) or such section 1320d–6, decreasing the length and extent of an audit under section 17940 of this title, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—
(1) mitigate fines under section 1320d–5 of this title (as amended by section 13410 of Pub. L. 111–5);
(2) result in the early, favorable termination of an audit under section 17940 of this title; and
(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.
(b) Definition and miscellaneous provisions
(1) Recognized security practices
(2) Limitation
(3) No liability for nonparticipation
(4) Rule of construction
(Pub. L. 111–5, div. A, title XIII, § 13412, as added Pub. L. 116–321, § 1, Jan. 5, 2021, 134 Stat. 5072.)