ARTICLE
16 March 2026

Senate Advances Bipartisan Health Care Cybersecurity Reform

Crowell & Moring LLP


What You Need to Know

Key takeaway #1

If passed, the Health Care Cybersecurity and Resiliency Act of 2026 would require HIPAA-regulated entities to make significant investments in cybersecurity infrastructure, including implementing multifactor authentication, encryption, penetration testing, and alignment with national frameworks such as NIST — obligations that will necessitate a thorough review of existing compliance programs.

Key takeaway #2

HIPAA-regulated entities that proactively adopt recognized cybersecurity practices stand to benefit from a formalized safe harbor that could reduce penalties in the event of an HHS investigation, audit, or cybersecurity incident — providing a concrete incentive for early and sustained compliance investment.

Key takeaway #3

Although the Act still must clear additional legislative hurdles before becoming law, its overwhelming bipartisan advancement out of committee signals that HIPAA-regulated entities may benefit from proactively assessing gaps in their current cybersecurity posture, breach notification procedures, and incident response plans now, rather than waiting for final passage.

On February 26, 2026, the Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act of 2026. Sponsored by a bipartisan group led by HELP Committee Chair Senator Bill Cassidy (R-LA) and joined by Senators Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX), the bill represents perhaps the most significant federal legislative effort to overhaul health care cybersecurity since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and would compel health care companies to make major investments in cybersecurity.

As the HELP Committee acknowledged, the proposed legislation is a direct response to recent large-scale health care breaches. The bill also comes on the heels of a 2024 report published by the U.S. Government Accountability Office (GAO), which recognized the growing threat of ransomware and urged the U.S. Department of Health and Human Services (HHS) to more closely monitor health care organizations’ implementation of leading cybersecurity practices. As noted in the GAO report, health care organizations are particularly vulnerable targets for ransomware actors because of their willingness to pay ransoms and avoid disruptions of critical and life-saving care. If passed, the bill would impose more stringent, granular cybersecurity requirements on entities subject to the Health Insurance Portability and Accountability Act (collectively, with its implementing regulations, HIPAA).

Key provisions of the bill relevant to HIPAA-regulated entities (e.g., health care payors, providers, research institutions, etc.) are briefly described below and explored in greater detail in the following sections.

  • Imposes Mandatory Cybersecurity Standards:  If passed, the bill would mandate minimum cybersecurity practices for HIPAA-regulated entities — including multifactor authentication, encryption of protected health information, and alignment with national frameworks — while allowing HHS enforcement discretion for entities facing extraordinary compliance burdens.
  • Formalizes “Safe Harbor” Provision for Certain HIPAA-Regulated Entities:  Within one year of passage, the bill would require HHS to issue regulations that formally define a safe harbor, reducing penalties for HIPAA-regulated entities that have proactively maintained recognized cybersecurity practices for at least 12 months prior to a violation or audit.
  • Intensifies Breach Reporting Requirements for Health Care Organizations:  Under the proposed legislation, HIPAA-regulated entities would need to update their breach notification policies, incident response plans, and template letters to include the number of affected individuals — a requirement that may increase organizations’ exposure to class action liability, reputational harm, and administrative burdens.
  • Establishes Cybersecurity Grant Program for Underserved Health Care Providers:  The bill proposes to establish a federal grant program and requires HHS to provide guidance and technical assistance to help smaller and rural health care providers implement cybersecurity best practices.

Key Provisions of the Act

Imposes Mandatory Cybersecurity Standards

The proposed legislation would require HIPAA-regulated entities to implement minimum risk-based cybersecurity practices, including multifactor authentication, encryption of protected health information, and certain monitoring and testing practices (e.g., penetration testing). It would also mandate implementation of cybersecurity standards reflected in national cybersecurity frameworks, such as:

  • National Institute of Standards and Technology (NIST) publications: the Risk Management Framework, the Cybersecurity Framework, SP 800-53 Rev. 5, and the Artificial Intelligence Risk Management Framework.
  • Health Sector Coordinating Council (HSCC) Healthcare and Public Health Cybersecurity Performance Goals.
  • Health care-specific cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency (CISA).

Some of these requirements were addressed in proposed modifications to the HIPAA Security Rule (the HIPAA Security Rule NPRM) published at the end of the Biden administration. The requirements proposed in the HIPAA Security Rule NPRM, which were much more prescriptive than those in the bill, and their associated burden were not popular among HIPAA-regulated entities, particularly providers whose resources are already devoted to delivering health care services. Recognizing the potential burden on certain health care providers, the proposed legislation would permit HHS to exercise enforcement discretion for entities experiencing “extraordinary circumstances” in complying with these requirements.

Formalizes “Safe Harbor” Provision for Certain HIPAA-Regulated Entities

The bill would also set a deadline for HHS, one year after enactment, to promulgate regulations implementing the safe harbor for “recognized security practices.” Originally enacted in January 2021 as an amendment to the HITECH Act, the safe harbor provision requires HHS to consider whether a HIPAA-regulated entity had implemented recognized security practices for at least the prior 12 months when determining fines, the length and disposition of audits, and other remedies for HIPAA violations. If the bill passes, HHS would be required to detail the following:

  • Recognized security practices that qualify for the safe harbor.
  • The extent to which such practices must be in place for consideration.
  • Procedural requirements for entities seeking consideration for the safe harbor.

The bill would also require annual reporting by HHS to Congress on its consideration of recognized security practices in HIPAA enforcement. For organizations proactively implementing recognized security practices, the safe harbor could potentially mitigate penalties in the event of an HHS investigation or audit or a cybersecurity incident.

Intensifies Breach Reporting Requirements for Health Care Organizations

The proposed legislation calls for more transparency in reporting the specific number of individuals affected by a breach. HIPAA-regulated entities already report this figure to HHS as part of the breach notification process; the bill would additionally require that notifications sent to affected individuals state the number of individuals affected. If the bill passes, HIPAA-regulated entities will need to review and update their breach notification policies and procedures, incident response plans, and template breach notification letters.

Organizations should also be aware of potential secondary effects of this requirement. Many organizations initially report an estimated number of affected individuals to regulators to meet reporting deadlines and later revise that estimate as the investigation progresses. Carrying that same revise-as-you-go approach across a large volume of individual notices can add administrative burden, erode trust, and create other public relations challenges. In addition, disclosing the affected population in every individual notice could increase the likelihood that larger breaches attract class action lawsuits.

Establishes Cybersecurity Grant Program for Underserved Health Care Providers

Recognizing challenges smaller health care providers face in implementing robust cybersecurity safeguards, the bill would:

  • Establish a new federal grant program for certain health care providers, including federally qualified health centers, rural health clinics, Indian Health Service facilities, and nonprofit hospitals.
  • Mandate that HHS issue guidance to rural entities on best practices to improve cybersecurity readiness.
  • Require HHS to provide technical assistance to rural entities to implement cybersecurity best practices.

Other Requirements

The proposed legislation also contains other proposed requirements, such as calling for increased coordination between HHS and CISA on developing products tailored to health sector needs, and providing technical assistance to HIPAA-regulated entities.

Next Steps for HIPAA-Regulated Entities

The Health Care Cybersecurity and Resiliency Act of 2026 still needs to clear several hurdles before passage, but its advancement by the HELP Committee in an overwhelming 22-1 vote shows some promise. We are closely monitoring the bill’s progress. To discuss how the proposed legislation may impact your organization or to share your feedback with policymakers, please contact the professionals listed below or your regular Crowell & Moring contact.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
