Page:United States Statutes at Large Volume 117.djvu/2406

 PUBLIC LAW 108–173—DEC. 8, 2003

117 STAT. 2387

SEC. 912. REQUIREMENTS FOR INFORMATION SECURITY FOR MEDICARE ADMINISTRATIVE CONTRACTORS.

(a) IN GENERAL.—Section 1874A, as added by section 911(a)(1), is amended by adding at the end the following new subsection:

‘‘(e) REQUIREMENTS FOR INFORMATION SECURITY.—

‘‘(1) DEVELOPMENT OF INFORMATION SECURITY PROGRAM.—A medicare administrative contractor that performs the functions referred to in subparagraphs (A) and (B) of subsection (a)(4) (relating to determining and making payments) shall implement a contractor-wide information security program to provide information security for the operation and assets of the contractor with respect to such functions under this title. An information security program under this paragraph shall meet the requirements for information security programs imposed on Federal agencies under paragraphs (1) through (8) of section 3544(b) of title 44, United States Code (other than the requirements under paragraphs (2)(D)(i), (5)(A), and (5)(B) of such section).

‘‘(2) INDEPENDENT AUDITS.—

‘‘(A) PERFORMANCE OF ANNUAL EVALUATIONS.—Each year a medicare administrative contractor that performs the functions referred to in subparagraphs (A) and (B) of subsection (a)(4) (relating to determining and making payments) shall undergo an evaluation of the information security of the contractor with respect to such functions under this title. The evaluation shall—

‘‘(i) be performed by an entity that meets such requirements for independence as the Inspector General of the Department of Health and Human Services may establish; and

‘‘(ii) test the effectiveness of information security control techniques of an appropriate subset of the contractor’s information systems (as defined in section 3502(8) of title 44, United States Code) relating to such functions under this title and an assessment of compliance with the requirements of this subsection and related information security policies, procedures, standards and guidelines, including policies and procedures as may be prescribed by the Director of the Office of Management and Budget and applicable information security standards promulgated under section 11331 of title 40, United States Code.

‘‘(B) DEADLINE FOR INITIAL EVALUATION.—

‘‘(i) NEW CONTRACTORS.—In the case of a medicare administrative contractor covered by this subsection that has not previously performed the functions referred to in subparagraphs (A) and (B) of subsection (a)(4) (relating to determining and making payments) as a fiscal intermediary or carrier under section 1816 or 1842, the first independent evaluation conducted pursuant to subparagraph (A) shall be completed prior to commencing such functions.

‘‘(ii) OTHER CONTRACTORS.—In the case of a medicare administrative contractor covered by this subsection that is not described in clause (i), the first independent evaluation conducted pursuant to subparagraph (A) shall be completed within 1 year
