Health Care Cybersecurity and Resiliency Act of 2026
- Bill Number
- S. 3315
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 1
- Policy Area
- Health
- Status
- Introduced
- Latest Action
- 2026-03-23: Placed on Senate Legislative Calendar under General Orders. Calendar No. 365.
- Last Updated
- 2026-07-07T20:28:48Z
AI-Generated Summary
Purpose
The Health Care Cybersecurity and Resiliency Act of 2026 aims to strengthen cybersecurity in the healthcare and public health sectors by mandating coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA). It focuses on preventing cyber threats, improving incident response, and supporting vulnerable entities like rural health providers, ultimately protecting sensitive health data and ensuring continuity of care.
Key Provisions
- Coordination Between HHS and CISA (Section 3): Requires the HHS Secretary and CISA Director to collaborate through agreements, share cyber threat information (e.g., indicators of attacks and defenses), develop sector-specific tools, and provide technical assistance to healthcare entities. Includes a joint plan for responding to major cyber incidents, with protocols for information sharing, coordination with state-level experts, and submission of the plan to Congress.
- HHS Cybersecurity Responsibilities (Section 4): HHS must appoint a representative to oversee internal and external cybersecurity efforts, excluding enforcement of existing privacy rules like HIPAA's Security Rule (which governs how health data is protected electronically). Requires reports to Congress on delegation, annual assessments of threats, incidents, and recommendations.
- Cybersecurity Incident Response Plan (Section 5): Amends the Cybersecurity Act of 2015 to require HHS to expand its existing emergency plan (the "Cyber Annex") within one year. The plan covers risk assessment, prevention, detection, damage minimization, data protection, recovery, and information sharing with the sector. It must be updated every two years or after major incidents, with consultation from CISA, the Office of Management and Budget, and the National Institute of Standards and Technology (NIST). A report on the plan is due to congressional committees.
- Breach Reporting Clarifications (Section 6): Updates the Health Information Technology for Economic and Clinical Health (HITECH) Act to require breach notifications (unsecured disclosures of protected health information) to include the number of affected individuals.
- Enhancing Recognition of Security Practices (Section 7): Amends HITECH to consider "recognized security practices" (proven methods like regular audits or encryption) more explicitly when assessing fines or audits for violations. HHS must issue regulations within one year detailing these practices, submission procedures, and how they mitigate penalties. Annual reports to Congress will track their use.
- Required Cybersecurity Standards (Section 8): Updates HIPAA security regulations to mandate minimum practices for non-governmental healthcare entities, including multifactor authentication (a login method using multiple verification steps), encryption (scrambling data to prevent unauthorized access), system monitoring like penetration testing (simulated attacks to find weaknesses), and other standards based on NIST frameworks and sector goals. These take effect 36 months after enactment, with flexibility for entities facing unusual challenges.
- Guidance for Rural Cybersecurity (Section 9): Amends the Cybersecurity Act of 2015 to require HHS guidance within one year for rural health entities (defined by the Federal Office of Rural Health Policy). Covers infrastructure improvements, workforce training, incident reporting, and options like outsourcing IT services or using cloud platforms. Includes technical assistance and a Government Accountability Office (GAO) study after three years assessing implementation, challenges, and collaboration opportunities.
- Grants for Cybersecurity Enhancements (Section 10): Authorizes HHS to award up to three-year grants to eligible entities like federally qualified health centers, Indian Health Service facilities, nonprofit hospitals, rural clinics, and partnering nonprofits. Funds can hire experts, update systems, join threat-sharing groups, conduct assessments, and develop response plans. Prioritizes high-need applicants; requires performance measures and sustainability plans. Appropriations authorized for fiscal years 2026–2030.
- Healthcare Cybersecurity Workforce (Section 11): HHS, with CISA and others, must provide training on risks and mitigation. Within one year, develop a strategic plan through the Health Resources and Services Administration, including educational programs, materials, best practices (with rural and AI focus), and public-private partnerships, aligned with national cybersecurity education initiatives.
- Incident Reporting Coordination Working Group (Section 12): HHS convenes a group within one year, including federal agencies (CISA, FBI, etc.), state officials, and private healthcare representatives, to reduce overlapping cyber incident reports. The group concludes in 18 months, leading to a congressional report with streamlining recommendations and state law coordination.
Significant Changes to Existing Law
- Amendments to Key Statutes: Updates the Cybersecurity Act of 2015 (expands response planning and rural guidance), HITECH Act (adds breach details, enhances security practice considerations, and mandates regulations), and Public Health Service Act (adds oversight and grants). Shifts references from outdated directives (e.g., Presidential Policy Directive 21) to current ones like National Security Memorandum-22.
- Regulatory Updates: Introduces mandatory cybersecurity standards in HIPAA rules, previously advisory; clarifies breach reporting to include affected individual counts; expands "recognized security practices" to include investments, with detailed enforcement guidance.
- New Mechanisms: Establishes joint HHS-CISA planning, a dedicated HHS cybersecurity representative, workforce strategic plan, and interagency working group—none of which existed before.
Potential Impacts
- Government Agencies: Increases coordination and reporting burdens on HHS and CISA, potentially improving federal efficiency in cyber defense but requiring new resources for plans, grants, and training. May enhance interagency collaboration, reducing silos in threat response.
- Citizens: Strengthens protection of personal health data against breaches, potentially reducing identity theft or service disruptions from cyberattacks. Rural residents may benefit from targeted guidance and grants, addressing access gaps in underserved areas.
- International Relations: Minimal direct impact, though improved U.S. healthcare cybersecurity could indirectly bolster global health security by making the sector more resilient to state-sponsored or international cyber threats.
Main Stakeholders Affected
- Federal Agencies: HHS (leads implementation, grants, and reporting), CISA (provides expertise and coordination), NIST (informs standards), and others like the FBI and GAO (involved in studies and enforcement).
- Healthcare Entities: Hospitals, clinics, federally qualified health centers, rural and Indian Health Service facilities, business associates (e.g., IT vendors handling health data), and nonprofits—required to adopt standards and may access grants/training.
- Private Sector and States: Information sharing organizations, sector councils, state health departments, and attorneys general (participate in working group); private experts contribute to training and plans.
- Citizens and Patients: Indirectly affected as end-users of secure health services, with better data protection but possible short-term costs passed on from compliance.
Notable Legal, Constitutional, or Political Implications
- Legal: Bolsters HIPAA enforcement by mandating specific cybersecurity measures, potentially increasing fines for non-compliance while offering mitigation through recognized practices. Clarifies reporting to avoid duplication, aligning federal rules with state breach laws, but may face challenges in rulemaking if standards are seen as overly prescriptive.
- Constitutional: No direct implications; focuses on regulatory authority under existing health and security laws, respecting federalism by involving states in coordination without overriding them.
- Political: Bipartisan sponsorship (introduced by Sens. Cassidy, Hassan, Cornyn, Warner) highlights consensus on critical infrastructure protection. Emphasizes rural and public-private partnerships, potentially appealing across ideologies, but grant funding and regulatory timelines could spark debates on costs and federal overreach in private healthcare.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (3)
Sen. Hassan, Margaret Wood [D-NH], Sen. Cornyn, John [R-TX], Sen. Warner, Mark R. [D-VA]
Recent Actions
- 2026-03-23: Placed on Senate Legislative Calendar under General Orders. Calendar No. 365.
- 2026-03-23: Committee on Health, Education, Labor, and Pensions. Reported by Senator Cassidy with an amendment in the nature of a substitute. Without written report.
- 2026-03-23: Committee on Health, Education, Labor, and Pensions. Reported by Senator Cassidy with an amendment in the nature of a substitute. Without written report.
- 2026-02-26: Committee on Health, Education, Labor, and Pensions. Ordered to be reported with an amendment in the nature of a substitute favorably.
- 2025-12-02: Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
- 2025-12-02: Introduced in Senate
Bill Versions
- Health Care Cybersecurity and Resiliency Act of 2025 — issued 2025-12-02 — PDF (17 pages)
- Health Care Cybersecurity and Resiliency Act of 2026 — issued 2026-03-23 — PDF (40 pages)