Healthcare Cybersecurity Act: Essential Provisions

Senate Advances Healthcare Cybersecurity Act 2026: Key Provisions

Key Takeaways

  1. Landmark Bipartisan Vote Advances Bill. The Senate HELP Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act, signaling strong legislative momentum for enforceable mandates.
  2. Mandatory Cybersecurity Controls Required. HIPAA-regulated entities must implement MFA, PHI encryption, penetration testing, and NIST framework alignment under the new legislation.
  3. Safe Harbor Incentivizes Proactive Compliance. Organizations demonstrating 12 continuous months of recognized security practices before an incident qualify for reduced enforcement penalties.
  4. Stricter Breach Rules and Rural Grants. Entities must report affected individual counts in patient notifications, raising litigation risks, while federal grants target under-resourced providers.

On February 26, 2026, the Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act. The bill is sponsored by HELP Committee Chair Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH). Only Sen. Rand Paul (R-KY) voted against it.

That vote margin is significant. In a Congress where bipartisan agreement on anything is rare, a 22-1 committee vote signals real legislative momentum. This isn’t a messaging exercise — it’s a bill with teeth, backed by members on both sides of the aisle who watched the Change Healthcare catastrophe unfold and decided the status quo was no longer acceptable.

If enacted, this would represent the most consequential healthcare cybersecurity reform since the HITECH Act of 2009. That’s 17 years of incremental guidance and voluntary frameworks about to give way to enforceable mandates.


5 Key Takeaways

1. The Senate HELP Committee voted 22-1 to advance landmark healthcare cybersecurity legislation.

The bipartisan Health Care Cybersecurity and Resiliency Act, sponsored by Senators Cassidy, Warner, Cornyn, and Hassan, would mandate MFA, encryption of protected health information, penetration testing, and NIST framework alignment for all HIPAA-regulated entities. Sen. Rand Paul cast the sole dissenting vote.

2. A formalized safe harbor creates a direct financial incentive to begin compliance work now.

The bill reduces enforcement penalties for entities demonstrating recognized cybersecurity practices for 12 or more continuous months before an incident. The safe harbor clock starts when compliance documentation starts—making immediate investment the strategically sound choice regardless of final passage timeline.

3. Intensified breach notification rules will meaningfully increase class action litigation exposure.

HIPAA-regulated entities must now include the number of affected individuals in notifications sent directly to patients—not just in HHS reports. Plaintiffs’ attorneys will use those numbers in class action filings. Organizations should update their incident response plans to include rapid scope determination now.

4. A federal grant program specifically targets rural and under-resourced providers.

The legislation establishes grants for rural hospitals, clinics, cancer centers, Indian Health Service facilities, and academic health centers—directly addressing the cost-burden criticism leveled at the parallel proposed HIPAA Security Rule update. Rural providers should engage industry associations and prepare grant applications now.

5. If enacted, this is the most consequential healthcare cybersecurity reform since the HITECH Act of 2009.

The 2024 Change Healthcare ransomware attack—exposing the data of approximately 190 million individuals—was cited repeatedly as the legislative catalyst. After 17 years of incremental voluntary guidance, enforceable mandates are arriving. The direction is unmistakable regardless of which legislative path reaches the finish line first.

The Change Healthcare Wake-Up Call

This legislation didn’t emerge from a policy vacuum. The Change Healthcare ransomware attack in February 2024 was the single largest healthcare data breach in U.S. history, ultimately affecting approximately 190 million individuals. That’s more than half the country’s population.

The attack disrupted pharmacy operations, delayed insurance claims processing, and forced healthcare providers across the country into manual workflows for weeks. The financial damage extended into the billions. And the root cause was familiar: inadequate access controls, missing multifactor authentication, and insufficient network segmentation.

Senators cited Change Healthcare repeatedly during the committee process. The message was clear: the current HIPAA Security Rule—largely unchanged since 2003—was written for a different era. It predates ransomware as a business model, cloud-first healthcare infrastructure, telehealth at scale, and AI-powered clinical tools.

What the Bill Actually Requires

The Health Care Cybersecurity and Resiliency Act introduces several categories of new requirements for HIPAA-regulated entities.

Mandatory minimum cybersecurity practices. The bill requires HIPAA-covered entities and business associates to implement MFA for all systems accessing PHI, encryption of PHI at rest and in transit, regular penetration testing, and alignment with NIST frameworks. These are no longer addressable recommendations. They are mandates. For organizations that have already implemented these controls, this is validation. For the significant number that haven’t, it’s a compliance deadline demanding immediate attention.

Safe harbor for proactive security. One of the bill’s most strategically important provisions is a formalized safe harbor that reduces enforcement penalties for entities demonstrating recognized cybersecurity practices for at least 12 months before an incident. If your organization experiences a breach but can demonstrate continuous compliance, you face reduced penalties during HHS investigation. That’s a concrete financial incentive to start compliance work now.

Expanded breach notification requirements. The bill requires entities to include the number of affected individuals in breach notifications sent to individuals—not just in HHS reports. Telling 50,000 people they were part of a breach affecting 50,000 people is very different from telling them they were part of a breach without quantifying its scope. Plaintiffs’ attorneys will use these numbers in class action filings. Organizations should expect increased litigation exposure and update their incident response plans accordingly.

Federal grant program for under-resourced providers. The legislation establishes grants specifically targeting hospitals, cancer centers, rural health clinics, Indian Health Service facilities, and academic health centers. The bill also directs HHS to issue dedicated cybersecurity guidance for rural entities covering breach prevention, resilience planning, and federal agency coordination.

ASPR as Sector Risk Management Agency. The bill designates the Administration for Strategic Preparedness and Response as the Sector Risk Management Agency for healthcare, requiring HHS to develop a cybersecurity incident response plan in coordination with CISA. This establishes clearer federal accountability for healthcare cybersecurity.

The Regulatory Convergence: This Bill Doesn’t Exist in Isolation

The Health Care Cybersecurity and Resiliency Act moves in parallel with HHS’s pending HIPAA Security Rule overhaul, proposed in the final weeks of the Biden administration and expected to be decided upon by May 2026. The proposed Security Rule update would make MFA, encryption, 72-hour breach reporting to HHS, and annual penetration testing mandatory—requirements that substantially overlap with this legislation.

The legislative bill has attracted less industry opposition than the Security Rule update because it includes the grant program and doesn’t carry the same cost burden estimates. If the Security Rule update stalls politically, this legislation could become the primary vehicle for healthcare cybersecurity reform.

The strategic read for HIPAA compliance teams: whether requirements come through legislation, rulemaking, or both, MFA, encryption, penetration testing, and enhanced breach reporting are coming. The only variable is timeline. Organizations that begin gap assessments now will be positioned regardless of which path reaches the finish line first.

What HIPAA-Regulated Entities Should Do Now

The bill still needs to clear a full Senate vote and House passage before reaching the President’s desk. But the 22-1 committee vote, combined with the parallel Security Rule rulemaking, makes the direction unmistakable.

Start with MFA. If your organization hasn’t deployed multifactor authentication across all systems accessing PHI, that’s the highest-impact starting point. MFA is the control most frequently cited in enforcement actions and most directly linked to preventing credential-based attacks like the one that hit Change Healthcare. Rolling out MFA organization-wide requires planning, testing, and change management—start now, not after final passage.

Document everything for the safe harbor. The safe harbor provision rewards organizations that can demonstrate 12 months of recognized security practices. That clock should be running now. If your organization is audited or experiences an incident 18 months from now, you’ll want 12-plus months of documented compliance already in place. Continuous compliance documentation transforms a breach from a regulatory catastrophe into a manageable incident.

Update breach notification processes. The requirement to include affected individual counts in victim notifications changes the legal exposure calculation. Update your incident response plan to include rapid scope determination, coordinate with legal counsel on class action risk, and ensure your forensic capabilities can produce accurate affected-individual counts quickly.

Rural providers: engage on the grant program. If you’re a rural hospital, clinic, or IHS facility, engage now with industry associations tracking the grant program. Federal grants require application readiness, and organizations that plan ahead will be positioned to move quickly when funding becomes available.

What Kiteworks Customers Should Know

Every core requirement in the Health Care Cybersecurity and Resiliency Act maps directly to capabilities the Kiteworks Private Data Network already delivers for healthcare organizations.

MFA and enterprise authentication. Kiteworks provides MFA through RADIUS, PIV/CAC, OTP, and third-party 2FA integration, with single sign-on across SAML, OAuth, LDAP, and Azure AD—directly satisfying the bill’s MFA mandate.

Encryption with FIPS-validated modules. PHI is protected with double AES-256 encryption at file and disk levels using FIPS 140-2 validated modules. Customer-controlled encryption keys ensure organizations maintain custody of their data—meeting the bill’s encryption requirements at the highest available standard.

NIST framework alignment and defense-in-depth. The hardened virtual appliance architecture—embedded WAF, network firewall, and intrusion detection—aligns with NIST framework requirements and delivers the zero trust data protection the legislation envisions.

Breach notification readiness. Kiteworks’ consolidated audit log captures every data interaction in real time with zero throttling, providing the forensic evidence needed to determine breach scope quickly and accurately report affected individual counts. Pre-built HIPAA compliance dashboards transform audit preparation from weeks into hours.

Safe harbor documentation. Kiteworks’ continuous compliance documentation creates the 12-month track record of recognized security practices the bill rewards. One policy engine across secure email, secure file sharing, SFTP, managed file transfer, and web forms means consistent, verifiable controls.

The Compliance Clock Is Already Running

The Health Care Cybersecurity and Resiliency Act is the clearest signal yet that healthcare cybersecurity regulation is shifting from voluntary guidelines to enforceable mandates. The 22-1 vote, the bipartisan sponsorship, and the Change Healthcare wake-up call all point in the same direction.

This isn’t a question of whether healthcare cybersecurity requirements are tightening. They are. The question is whether your organization will be ahead of the curve—documenting compliance, earning the safe harbor, and reducing risk—or scrambling to catch up after the rules take effect. The organizations that move now won’t just avoid penalties. They’ll have the security architecture that prevents the next Change Healthcare from happening to them.

To learn more about safeguarding your patients’ PHI in adherence to the Health Care Cybersecurity and Resiliency Act, schedule a custom demo today.

Frequently Asked Questions

The bill mandates MFA, encryption of PHI at rest and in transit, penetration testing, and NIST framework alignment for all HIPAA-regulated entities. These become mandatory minimums—not addressable recommendations. The bill also intensifies breach reporting and establishes grants for under-resourced providers.

The safe harbor reduces enforcement penalties for organizations demonstrating 12 continuous months of recognized cybersecurity practices before an incident. Document your security controls now—the 12-month clock should already be running. The safe harbor rewards proactive investment, not reactive HIPAA compliance.

The 2024 Change Healthcare ransomware attack exposed approximately 190 million individuals’ data and was cited repeatedly as the legislative catalyst. The key point: the breach proved the existing HIPAA Security Rule—largely unchanged since 2003—was inadequate against modern threats.

The new rules require HIPAA-regulated entities to include the number of affected individuals in notifications sent directly to patients. This gives plaintiffs’ attorneys concrete scale data for class action filings, meaningfully increasing post-breach litigation exposure. Update your incident response plan to prioritize rapid scope determination.

The bill establishes a federal grant program targeting rural hospitals, cancer centers, rural health clinics, Indian Health Service facilities, and academic health centers. Grants fund attack prevention, incident response, and staff training. Engage industry associations and prepare grant applications now.

Both the bill and the proposed HIPAA Security Rule update mandate MFA, encryption, and penetration testing. The legislative bill includes grants and has attracted less opposition. Begin compliance preparations now—the requirements converge regardless of which path finalizes first.

Conduct a gap assessment covering MFA across PHI-accessing systems, encryption at rest and in transit, penetration testing capability, and NIST framework alignment. Documenting security practices now starts the 12-month safe harbor clock and positions the organization for reduced penalties if an incident occurs.

Yes—the bill applies to both covered entities and business associates handling PHI. Verify that all partners meet the same MFA, encryption, and audit logging standards. The Kiteworks Private Data Network ensures consistent controls across all vendor data exchanges.

The bill mandates MFA for all systems accessing PHI, encryption of protected health information at rest and in transit, regular penetration testing, and alignment with NIST cybersecurity frameworks. These controls shift from voluntary recommendations to enforceable mandates for covered entities and business associates.

Entities that demonstrate recognized cybersecurity practices for at least 12 continuous months before an incident qualify for reduced enforcement penalties. Documentation of compliance should begin immediately to start the safe harbor clock and strengthen an organization’s position during any future HHS investigation.

The attack exposed data of approximately 190 million individuals, disrupted pharmacy and claims operations nationwide, and highlighted critical gaps in the existing HIPAA Security Rule. Lawmakers cited it repeatedly as evidence that voluntary frameworks are no longer sufficient against modern ransomware threats.

Organizations should conduct gap assessments for MFA, encryption, and penetration testing; begin documenting security practices to activate the 12-month safe harbor clock; update incident response plans for rapid breach scope determination; and explore federal grant opportunities if they are rural or under-resourced providers.
