Their Biographies, Issue Positions, Voting Records, Public Statements, Ratings and their Funders.

Requiring Secretary of Health and Human Services to Consider Certain Recognized Security Practices

Floor Speech

Date: Dec. 9, 2020
Location: Washington, DC


Mr. PALLONE. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 7898) to amend title XXX of the Public Health Services Act to provide for a technical correction to provide the Inspector General of the Department of Health and Human Service certain authorities with respect to investigations of information blocking, and for other purposes, as amended.

The Clerk read the title of the bill.

The text of the bill is as follows: H.R. 7898

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. RECOGNITION OF SECURITY PRACTICES.

Part 1 of subtitle D of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.) is amended by adding at the end the following: ``SEC. 13412. RECOGNITION OF SECURITY PRACTICES.

``(a) In General.--Consistent with the authority of the Secretary under sections 1176 and 1177 of the Social Security Act, when making determinations relating to fines under such section 1176 (as amended by section 13410) or such section 1177, decreasing the length and extent of an audit under section 13411, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may--

``(1) mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);

``(2) result in the early, favorable termination of an audit under section 13411; and

``(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.

``(b) Definition and Miscellaneous Provisions.--

``(1) Recognized security practices.--The term `recognized security practices' means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).

``(2) Limitation.--Nothing in this section shall be construed as providing the Secretary authority to increase fines under section 1176 of the Social Security Act (as amended by section 13410), or the length, extent or quantity of audits under section 13411, due to a lack of compliance with the recognized security practices.

``(3) No liability for nonparticipation.--Subject to paragraph (4), nothing in this section shall be construed to subject a covered entity or business associate to liability for electing not to engage in the recognized security practices defined by this section.

``(4) Rule of construction.--Nothing in this section shall be construed to limit the Secretary's authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate's obligations under the HIPAA Security rule.''. SEC. 2. TECHNICAL CORRECTION.

(a) In General.--Section 3022(b) of the Public Health Service Act (42 U.S.C. 300jj-52(b)) is amended by adding at the end the following new paragraph:

``(4) Application of authorities under inspector general act of 1978.--In carrying out this subsection, the Inspector General shall have the same authorities as provided under section 6 of the Inspector General Act of 1978 (5 U.S.C. App.).''.

(b) Effective Date.--The amendment made by subsection (a) shall take effect as if included in the enactment of the 21st Century Cures Act (Public Law 114-255).


Mr. PALLONE. 7898.

Mr. Speaker, in 2016, the Energy and Commerce Committee led the charge in passing the 21st Century Cures Act.

In addition to investing billions in cutting-edge research and opioid abuse prevention and treatment, the Cures Act also included several provisions related to improving the interoperability of health information technology. Specifically, the act defined the practice of information blocking. It also provided the Department of Health and Human Services Office of the Inspector General, or OIG, with the authority to investigate and levy penalties on entities found to be engaging in information blocking.

Examples of information blocking could include a developer placing unnecessary restrictions on authorized exchanges of information. Another example would be when a developer implements their electronic health record, EHR, technology in such a nonstandard way that it becomes incredibly difficult to exchange a patient's health information with a system not owned by that developer.

Practices like these simply stand in the way of patients accessing their own data and carrying their data with them as they move between plans and providers.

I am pleased that the Office of the National Coordinator for Health Information Technology, ONC, and the OIG have worked since the passage of the Cures Act to implement these important policies.

The bill before us today, H.R. 7898, provides for a technical correction to the Cures Act to ensure that the OIG has the authority they fully need to enforce the information blocking prohibitions.

H.R. 7898 also includes another health IT-related policy that was part of a bipartisan, bicameral health agreement released by the Energy and Commerce Committee and the Senate Committee on Health, Education, Labor, and Pensions last December.

This policy incentivizes healthcare entities to adopt strong cybersecurity practices by encouraging the Secretary of HHS to consider entities' adoption of recognized cybersecurity practices when conducting audits or administering HIPAA fines.

Cyberattacks are increasingly a major concern for healthcare providers. It is important that we acknowledge those providers that are acting in good faith and doing everything in their power to safeguard patient data.

This provision encourages providers to follow widely recognized best practices in the field with the goal of helping all providers be better prepared for potential cybersecurity attacks.

These both are commonsense policies, and I urge my colleagues to join me in supporting them.

Mr. Speaker, I was hoping I wasn't going to have to make this statement about Greg Walden retiring because I really didn't want him to retire. I guess I kept hoping that he wouldn't or that he would still be here in some fashion--and he will be in some fashion.

But I wanted to thank him for 20 years of extraordinary service on the Energy and Commerce Committee, in particular. And I want to particularly thank him for his leadership and friendship over the last 4 years as he served as the top Republican on the committee.

During those first 2 years, he chaired the committee, and then over the last 2 years, he served as the ranking member. Our committee, as he knows and I think a lot of people know, has a long and proud tradition of bipartisanship, and Greg has really been a great partner, particularly over the last year as we faced the unprecedented challenges of COVID-19.

We have worked very closely over the last 11 months on all the legislation that was signed into law to respond to the pandemic. Among those laws was the CARES Act, which provided essential assistance to the American people, healthcare workers, hospitals, small businesses, and State and local government. We have taken some significant steps, but the work continues as we hope to complete another COVID-19 relief package in the coming days before we adjourn.

Prior to the pandemic this year, we were able to come together over the last 4 years, thanks to Greg's leadership, to pass a lot of other substantial bills that actually became law.

We passed comprehensive legislation to address the opioid epidemic by expanding treatment to people fighting opioid use disorder and supporting those affected by the opioid crisis.

We reauthorized the Safe Drinking Water Act for the first time in 20 years.

We eliminated annoying robocalls--I don't know, ``eliminating'' may not be accurate, but we eliminated a lot of them.

We passed the RAY BAUM'S Act, named after the late Republican staff director of the committee and Greg's longtime friend, which reauthorized the Federal Communications Commission for the first time in 28 years.

I know the law is very important to Greg, not only because it was named after Ray but also because of Greg's longtime love for broadcasting.

Of course, not everything is bipartisan. He will probably never forget his initiation as chairman. His first full committee markup--as was already mentioned by other colleagues--was the longest markup in the Energy and Commerce Committee's history, 27 hours as we debated the Republican Affordable Care Act repeal bill. That was really baptism by fire.

At the end of the day, I am going to remember Greg most for the commitment he made day in and day out to help everyday Americans. It is really special.

A lot of people have a bad opinion of Congress. They think that we come here for self-aggrandizement because somehow we want to get a better job after we leave--not that there is one--or that we are trying to help our families or trying to help special interests. The one thing I will say about Greg is that none of that is true.

One thing I will say about Greg is that none of that is true. He has a strong dose of humility, and humility is something that I would say oftentimes is lacking, not just in Congress, but in general. Sometimes I wonder if people even value it as something that they cherish. But certainly Greg does. He is not only humble, he really cares about everyone, and he is not just out for himself.

I also want to thank his wife, Mylene, for sharing him with us for all these years. We are going to miss Greg, and we will miss Mylene also.

Greg, I wish you nothing but the best in your future endeavors. I have been hearing different rumors from other Members. Earl actually told me about some trip you took in the mountains in Oregon.

Everybody is sort of secret about these different things that he is doing, but I suspect that they are going to be endeavors that he loves and that, when I hear about them, will be fantastic.

I just feel bad about even making this speech about his leaving, but that is the way it is, and I am going to miss him.

Mr. Speaker,


Mr. PALLONE. Mr. Speaker, I urge support for passage of the bill, and I also yield back the balance of my time.