S3315-119

Reported

Health Care Cybersecurity and Resiliency Act of 2026

119th Congress Introduced Dec 2, 2025

Summary

What This Bill Does

The Health Care Cybersecurity and Resiliency Act creates a health-sector cybersecurity package. It requires HHS and CISA coordination, gives HHS a designated lead for health care cybersecurity oversight, updates cybersecurity incident response planning, clarifies breach reporting obligations and the number of affected individuals, recognizes security practices and investments, requires updates to HIPAA security regulations, requires rural cybersecurity readiness guidance, authorizes grants for public and nonprofit health-sector entities to adopt cybersecurity best practices, requires health care cybersecurity workforce training with CISA state coordinators and private experts, and convenes a working group to reduce duplicative incident reporting.

Who Benefits and How

Hospitals benefit from grants, guidance, and clearer federal cybersecurity practices for health-sector systems. Rural health clinics benefit from rural cybersecurity readiness guidance tailored to smaller providers. Patients benefit when stronger security and breach reporting reduce risk to health information and care continuity. Health care cybersecurity workers benefit from training and coordination among HHS, CISA, ONCD, and private-sector experts. Public health agencies benefit from a clearer incident-response plan and less duplicative reporting. Healthcare grant recipients benefit from new federal support for adopting best practices.

Who Bears the Burden and How

HHS must lead sector cybersecurity oversight, update regulations, run grants, issue guidance, train the workforce, and convene the working group. CISA must coordinate with HHS and its state cybersecurity coordinators on health-sector readiness. Covered entities must comply with updated HIPAA security regulations and clarified breach reporting. Business associates must meet stronger security expectations and breach-reporting obligations. Healthcare providers must invest in cybersecurity practices and report incidents more consistently. Cybersecurity vendors face stronger demand but also more scrutiny around best-practice implementation.

Key Provisions

  • Requires HHS coordination with CISA for health-sector cybersecurity.
  • Clarifies HHS cybersecurity leadership and oversight responsibilities.
  • Updates cybersecurity incident response planning and breach reporting obligations.
  • Requires recognition of security practices and investments.
  • Requires HHS to update health information security regulations.
  • Provides rural cybersecurity readiness guidance and grants for health-sector cybersecurity best practices.
  • Requires cybersecurity workforce training and a working group to streamline incident reporting.

Evidence Chain:

This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.

At a Glance

What This Bill Does

Strengthens health-sector cybersecurity by coordinating HHS with CISA, clarifying HHS cybersecurity leadership, updating incident and breach reporting, recognizing security investments, requiring security standards, supporting rural readiness, authorizing grants, training the workforce, and convening a reporting coordination working group.

Key Policy Areas

Health Care, Cybersecurity, Public Health

Primary Purpose

Strengthens health-sector cybersecurity by coordinating HHS with CISA, clarifying HHS cybersecurity leadership, updating incident and breach reporting, recognizing security investments, requiring security standards, supporting rural readiness, authorizing grants, training the workforce, and convening a reporting coordination working group.

Policy Domains

Health Care Cybersecurity Public Health

Bill provisions

Identified Gains
  • Hospitals
  • Rural health clinics
  • Patients
  • Health care cybersecurity workers
  • Public health agencies
  • Healthcare grant recipients
Model: codex-gpt-5 | Version: bill_summary_v2 | Source: rs
Patients: , , , , , , , , , , , , , , ,
Hospitals: , , , , , , , , , , , , , , ,
Rural health clinics: , , , , , , , , , , , , , , ,
Public health agencies: , , , , , , , , , , , , , , ,
Healthcare grant recipients: , , , , , , , , , , , , , , ,
Health care cybersecurity workers: , , , , , , , , , , , , , , ,
Identified Costs
  • HHS
  • CISA
  • Covered entities
  • Business associates
  • Healthcare providers
  • Cybersecurity vendors
Model: codex-gpt-5 | Version: bill_summary_v2 | Source: rs
HHS: , , , , , , , , , , , , , , ,
CISA: , , , , , , , , , , , , , , ,
Covered entities: , , , , , , , , , , , , , , ,
Business associates: , , , , , , , , , , , , , , ,
Healthcare providers: , , , , , , , , , , , , , , ,
Cybersecurity vendors: , , , , , , , , , , , , , , ,

Legislative Progress

Reported
Introduced Committee Passed
Mar 23, 2026

Committee on Health, Education, Labor, and Pensions. Reported by Senator …

Mar 23, 2026

Placed on Senate Legislative Calendar under General Orders. Calendar No. …

Mar 23, 2026

Reported by Mr. Cassidy, with an amendment

Feb 26, 2026

Committee on Health, Education, Labor, and Pensions. Ordered to be …

Dec 2, 2025

Mr. Cassidy (for himself, Ms. Hassan, Mr. Cornyn, and Mr. …

Dec 2, 2025

Introduced in Senate

Dec 2, 2025

Read twice and referred to the Committee on Health, Education, …

Stakeholder Effects

cui bono?

How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.

Healthcare
168 mentions across 28 clauses
+112 positive -56 negative

Business associates, Covered entities, Healthcare grant recipients

Positive-direction: Healthcare grant recipients, Hospitals, Patients, Rural health clinics

Negative-direction: Business associates, Covered entities

Government
84 mentions across 28 clauses
+28 positive -56 negative

CISA, HHS, Public health agencies

Positive-direction: Public health agencies

Negative-direction: CISA, HHS

Technology
56 mentions across 28 clauses
+56 positive

Cybersecurity vendors, Health care cybersecurity workers

18/26
sections analyzed
Full impact breakdown

Bill Structure & Actor Mappings

Who is "The Secretary" in each section?

Domains
Health Care Cybersecurity Public Health
Actor Mappings
"director"
→ Director of the Cybersecurity and Infrastructure Security Agency
"secretary"
→ Secretary of Health and Human Services

We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.

Learn more about our methodology