The Health Care Cybersecurity and Resiliency Act of 2026 directs the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate on protecting hospitals, clinics, and other health-care providers from cyberattacks, including building a joint plan within one year for responding to major sector-wide incidents. It requires HHS to update the HIPAA security rules so that health-care providers, insurers, and their vendors ("covered entities and business associates") adopt minimum safeguards such as multifactor authentication, encryption of protected health information, and penetration testing, with those rules taking effect 36 months after enactment. HHS would name a representative to lead its cybersecurity coordination (excluding HIPAA enforcement) and send Congress an annual report on health-sector cyber threats and posture. The bill lets HHS award grants of up to three years to safety-net providers—federally qualified health centers, rural health clinics, Indian Health Service facilities, and nonprofit hospitals—to hire cyber staff, replace legacy systems, and migrate to secure cloud platforms, authorizing "such sums as necessary" for fiscal years 2026 through 2030. It also adds the number of affected individuals to health-data breach reports, directs HHS to weigh a provider's recognized security practices when setting fines or resolving audits, and creates a federal-state working group to reduce duplicative cyber-incident reporting. Additional provisions require rural cybersecurity guidance with technical assistance, a GAO study of rural readiness, and a strategic plan to grow the health-care cybersecurity workforce.
Transparency & Accountability
- Reporting requirements — Annual HHS report to Congress on health-sector cyber threats
- Incident-response planning — HHS–CISA joint plan required within one year
- Breach-report disclosure — Affected-individual count added to health-data breach reports
- Duplicative incident reporting — Federal-state working group formed to reduce it
- Oversight study — GAO review of rural provider cyber readiness required
Corporate Benefits
- HIPAA fine exposure — Reduced for entities using recognized security practices
Average Household Impact
- Provider cybersecurity grants — Authorized for safety-net and rural health providers, FY2026–2030
Congressional Summary
Health Care Cybersecurity and Resiliency Act of 2026This bill expands federal requirements and resources for preventing and responding to cybersecurity incidents in the health care and public health sectors.The bill directs the Department of Health and Human Services (HHS) to require private health care-related entities to adopt minimum cybersecurity practices (e.g., multifactor authentication),more specifically identify the standards for mitigating penalties relating to violations of health information privacy and security,expand and update biennially a specified plan that details cybersecurity protocols for HHS personnel,provide training and best practices to support the expansion of the workforce for health care cybersecurity, provide guidance on cybersecurity readiness to rural entities, anddesignate one representative to lead oversight and coordination of cybersecurity activities within HHS.Also, HHS and the Cybersecurity and Infrastructure Security Agency (CISA) must coordinate to improve health care cybersecurity, including by (1) providing resources for entities receiving information from HHS or CISA programs, and (2) establishing a joint cybersecurity capability plan to coordinate responses to significant incidents.Additionally, the bill requires health care providers and plans to include the number of individuals affected when notifying individuals of unauthorized access to health information (i.e., a breach).
Legislative Subjects
Details
- Congress
- 119th
- Chamber
- Senate
- Status
- summarized
- Action
- Reported to Senate
- Action Date
- 2026-03-23
- Date Added
- 2026-07-08
- Source
- Congress.gov →
Like reading a bill in plain English?
We're building an app that does this for every bill in Congress and lets you tell your reps how you want them to vote. We're a small team getting ready to launch, and we're trying to show investors that real people want this. Be one of them. Help us get it built. Leave your email and we'll tell you the moment the app is ready.