What does Preamble of S 3315 do?

This bill aims to improve cybersecurity within the health care and public health sectors. It mandates coordination between the Secretary of Health and Human Services and the Director of the Cybersecurity and Infrastructure Security Agency.

What does SHORT TITLE. of S 3315 do?

This bill is formally titled the Health Care Cybersecurity and Resiliency Act of 2025.

What does DEFINITIONS. of S 3315 do?

This section defines terms used throughout the Act. “Agency” is defined as the Cybersecurity and Infrastructure Security Agency. “Cybersecurity incident” is defined by reference to section 3552 of title 44, United States Code. “Cybersecurity State Coordinator” refers to a coordinator appointed under section 2217(a) of the Homeland Security Act of 2002. “Director” means the Director of the Agency. “Healthcare and Public Health Sector” is defined by reference to Presidential Policy Directive 21. “Information Sharing and Analysis Organization” is defined by reference to section 2200 of the Homeland Security Act of 2002. “Information system” is defined by reference to section 102 of the Cybersecurity Information Sharing Act of 2015. “Secretary” means the Secretary of Health and Human Services.

What does DEPARTMENT COORDINATION WITH THE AGENCY. of S 3315 do?

This section requires the Secretary and the Director to coordinate to improve cybersecurity in the Healthcare and Public Health Sector. The coordination may include entering into a cooperative agreement. The Secretary shall coordinate with the Director to make resources available to entities receiving information through programs managed by the Director or the Secretary. These entities include Information Sharing and Analysis Organizations, information sharing and analysis centers, and non-Federal entities. Coordination should include developing products specific to the needs of Healthcare and Public Health Sector entities. Coordination should also include sharing information relating to cyber threat indicators and appropriate defensive measures.

What does CLARIFYING CYBERSECURITY RESPONSIBILITIES AT THE DEPARTMENT OF of S 3315 do?

This section amends the Public Health Service Act to establish oversight of cybersecurity activities within the Department of Health and Human Services (HHS). The Secretary of HHS, through the Assistant Secretary for Preparedness and Response, will lead this oversight. This oversight will coordinate activities to support cybersecurity resiliency within the Healthcare and Public Health Sector. Coordination and communication with other public and private entities regarding cybersecurity incidents is required. The oversight must be consistent with applicable laws, including the Homeland Security Act of 2002 and Presidential Policy Directive 21.

What does CYBERSECURITY INCIDENT RESPONSE PLAN. of S 3315 do?

This section amends Section 405 of the Cybersecurity Act of 2015. It adds definitions for 'cybersecurity incident' and 'cybersecurity risk' to subsection (a). It requires the Secretary of Health and Human Services to develop and implement a cybersecurity incident response plan within one year of the Health Care Cybersecurity and Resiliency Act of 2025's enactment. The plan must address assessing risks, preventing incidents, detecting incidents, minimizing damage, protecting data, and expediting recovery. The Secretary must consult with CISA, OMB, NIST, and relevant experts in developing the plan. A report describing the plan must be submitted to specified Senate and House committees 60 days before implementation.

What does BREACH REPORTING PORTAL. of S 3315 do?

This section amends Section 13402 of the HITECH Act. The Secretary is required to update regulations related to the breach reporting portal within one year of the Health Care Cybersecurity and Resiliency Act of 2025's enactment. Updated regulations will require the breach reporting portal to include information on corrective actions taken against covered entities. The portal must also include information on whether recognized security practices were considered during breach investigations. The Secretary may require additional information about breaches to be publicly displayed.

What does CLARIFYING BREACH REPORTING OBLIGATIONS. of S 3315 do?

This section amends Section 13402(f) of the HITECH Act. The amendment adds a requirement to report the number of individuals affected by a breach.

What does ENHANCING RECOGNITION OF SECURITY PRACTICES. of S 3315 do?

This section amends Section 13412(b)(1) of the HITECH Act to include 'investments' when referencing other programs. The Secretary is required to issue guidance within one year of the Act's enactment regarding the implementation of Section 13412 of the HITECH Act. The guidance must include recognized security practices the Secretary may consider when determining fines. The guidance must also specify the extent to which recognized security practices should be in place for consideration. The guidance must outline procedural requirements or information that covered entities or business associates should submit to the Secretary. The Secretary must include annual information in the annual report required under Section 13424(a) of the HITECH Act regarding the implementation of Section 13412. This annual report must include an accounting of cases where recognized security practices were considered during audits and fine assessments.

What does REQUIRED CYBERSECURITY STANDARDS. of S 3315 do?

This section requires the Secretary to update privacy, security, and breach notification regulations under 45 CFR parts 160 and 164. Covered entities and business associates must adopt specific cybersecurity practices. These practices include multifactor authentication, encryption of protected health information, and regular audits including penetration testing. The Secretary will determine additional minimum cybersecurity standards based on vulnerability analysis and best practices, consulting with private sector entities. The Secretary will specify the effective dates for these new requirements, allowing reasonable time for compliance.

Back to bills

Health Care Cybersecurity and Resiliency Act of 2025 — S. 3315

Last updated: 2/26/2026 · Introduced: 12/2/2025

Author: Bill Cassidy (R-LA)

TL;DR (AI)

The bill mandates coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to improve cybersecurity in the health care and public health sectors.
It establishes HHS oversight of cybersecurity activities, led by the Assistant Secretary for Preparedness and Response, to coordinate efforts and ensure consistency with existing laws.
The bill requires HHS to develop and implement a cybersecurity incident response plan within one year, addressing risk assessment, prevention, detection, and recovery.
It updates the breach reporting portal to include information on corrective actions and recognized security practices considered during investigations, and requires reporting the number of individuals affected by breaches.
The bill authorizes grants to health centers, hospitals, and other eligible entities to adopt cybersecurity best practices, including hiring personnel, updating systems, and participating in threat information sharing.

119th Congressin committeeOfficial page

Verified Votes

No verified votes yet.

Community Votes

No community votes yet. Be the first!

Voting as guest · Sign in for verified votes

Other Sections

Includes provisions on preamble, short title., and 11 more.

13 sections

Click "Show details" to explore individual sections. Use the community vote above or visit All Sections to vote per section.

Read official text

Want the full experience?

Create a free account to cast verified votes on each section, get a personalized summary, and track your voting history.

Create Free Account