{"identifier":"/us/usc/t42/s17941","title":42,"num":"\u00a7\u202f17941.","heading":"Recognition of security practices","text":"\u00a7\u202f17941.\nRecognition of security practices\n(a)\nIn general\nConsistent with the authority of the Secretary under sections 1320d\u20135 and 1320d\u20136 of this title, when making determinations relating to fines under such section 1320d\u20135 (as amended by\n(1) mitigate fines under\nsection 1320d\u20135 of this title\nsection 13410 of Pub. L. 111\u20135\n(2) result in the early, favorable termination of an audit under\nsection 17940 of this title\n(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.\n(b)\nDefinition and miscellaneous provisions\n(1)\nRecognized security practices\nThe term \u201crecognized security practices\u201d means the standards, guidelines, best practices, methodologies, procedures, and processes developed under\nsection 272(c)(15) of title 15\nsection 1533(d) of title 6\n(2)\nLimitation\nNothing in this section shall be construed as providing the Secretary authority to increase fines under\nsection 1320d\u20135 of this title\nsection 13410 of Pub. L. 111\u20135\nsection 17940 of this title\n(3)\nNo liability for nonparticipation\nSubject to paragraph (4), nothing in this section shall be construed to subject a covered entity or business associate to liability for electing not to engage in the recognized security practices defined by this section.\n(4)\nRule of construction\nNothing in this section shall be construed to limit the Secretary\u2019s authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate\u2019s obligations under the HIPAA Security rule.","url":"https://projectusc.org/usc/t42/s17941.html","content":[{"t":"sec","id":"/us/usc/t42/s17941","children":[{"t":"num","text":"\u00a7\u202f17941."},{"t":"heading","text":"Recognition of security practices"},{"t":"subsec","id":"/us/usc/t42/s17941/a","children":[{"t":"num","text":"(a)"},{"t":"heading","text":"In general"},{"t":"chapeau","text":"Consistent with the authority of the Secretary under sections 1320d\u20135 and 1320d\u20136 of this title, when making determinations relating to fines under such section 1320d\u20135 (as amended by ","children":[{"t":"ref","text":"section 13410 of Pub. L. 111\u20135","href":"/us/pl/111/5/s13410","tail":") or such section 1320d\u20136, decreasing the length and extent of an audit under "},{"t":"ref","text":"section 17940 of this title","href":"/us/usc/t42/s17940","tail":", or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may\u2014"}]},{"t":"para","id":"/us/usc/t42/s17941/a/1","children":[{"t":"num","text":"(1)"},{"t":"content","text":" mitigate fines under ","children":[{"t":"ref","text":"section 1320d\u20135 of this title","href":"/us/usc/t42/s1320d\u20135","tail":" (as amended by "},{"t":"ref","text":"section 13410 of Pub. L. 111\u20135","href":"/us/pl/111/5/s13410","tail":");"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t42/s17941/a/2","children":[{"t":"num","text":"(2)"},{"t":"content","text":" result in the early, favorable termination of an audit under ","children":[{"t":"ref","text":"section 17940 of this title","href":"/us/usc/t42/s17940","tail":"; and"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t42/s17941/a/3","children":[{"t":"num","text":"(3)"},{"t":"content","text":" mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t42/s17941/b","children":[{"t":"num","text":"(b)"},{"t":"heading","text":"Definition and miscellaneous provisions"},{"t":"para","id":"/us/usc/t42/s17941/b/1","children":[{"t":"num","text":"(1)"},{"t":"heading","text":"Recognized security practices"},{"t":"content","children":[{"t":"p","text":"The term \u201crecognized security practices\u201d means the standards, guidelines, best practices, methodologies, procedures, and processes developed under ","children":[{"t":"ref","text":"section 272(c)(15) of title 15","href":"/us/usc/t15/s272/c/15","tail":", the approaches promulgated under "},{"t":"ref","text":"section 1533(d) of title 6","href":"/us/usc/t6/s1533/d","tail":", and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title)."}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t42/s17941/b/2","children":[{"t":"num","text":"(2)"},{"t":"heading","text":"Limitation"},{"t":"content","children":[{"t":"p","text":"Nothing in this section shall be construed as providing the Secretary authority to increase fines under ","children":[{"t":"ref","text":"section 1320d\u20135 of this title","href":"/us/usc/t42/s1320d\u20135","tail":" (as amended by "},{"t":"ref","text":"section 13410 of Pub. L. 111\u20135","href":"/us/pl/111/5/s13410","tail":"), or the length, extent or quantity of audits under "},{"t":"ref","text":"section 17940 of this title","href":"/us/usc/t42/s17940","tail":", due to a lack of compliance with the recognized security practices."}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t42/s17941/b/3","children":[{"t":"num","text":"(3)"},{"t":"heading","text":"No liability for nonparticipation"},{"t":"content","children":[{"t":"p","text":"Subject to paragraph (4), nothing in this section shall be construed to subject a covered entity or business associate to liability for electing not to engage in the recognized security practices defined by this section.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t42/s17941/b/4","children":[{"t":"num","text":"(4)"},{"t":"heading","text":"Rule of construction"},{"t":"content","children":[{"t":"p","text":"Nothing in this section shall be construed to limit the Secretary\u2019s authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate\u2019s obligations under the HIPAA Security rule.","tail":"\n"}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"text","text":"\n"}]}]}