S-3315-119
Placed on Senate Legislative Calendar under General Orders. Calendar No. 365.
Sponsored by Bill Cassidy (R-LA)
What it does
This bill would require the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate on cybersecurity in the healthcare and public health sector. It would mandate minimum cybersecurity standards — including multifactor authentication, data encryption, and penetration testing — for covered healthcare entities and business associates, with a 36-month compliance window. The bill would also authorize grants to federally qualified health centers, nonprofit hospitals, rural health clinics, and Indian Health Service facilities; require HHS to develop a cybersecurity incident response plan; and establish a working group to reduce duplicative breach reporting requirements across federal and state agencies.
Who benefits
Patients whose protected health information is held by healthcare entities, who would benefit from stronger data security requirements. Rural hospitals and clinics, which would receive targeted guidance and may receive grant funding. Federally qualified health centers and Indian Health Service facilities, which are explicitly eligible for grants. Cybersecurity vendors and consultants who would see increased demand from healthcare entities required to upgrade systems. Healthcare workers who would receive cybersecurity training. State and local health departments, which would gain clearer federal coordination channels. Smaller nonprofit healthcare entities that currently lack resources to implement robust cybersecurity independently.
Who is hurt
Covered healthcare entities and business associates — including hospitals, clinics, and insurers — that would bear compliance costs for new mandatory standards such as multifactor authentication, encryption, and penetration testing. Larger for-profit hospital systems, which are excluded from the grant program, would face the same mandates without access to federal funding assistance. Healthcare organizations with legacy IT infrastructure may face significant upgrade costs within the 36-month window. Smaller private practices that are covered entities under HIPAA could face disproportionate compliance burdens relative to their size. Taxpayers would bear the cost of the grant program, which is authorized through fiscal year 2030 at unspecified amounts.
Supporters argue
Supporters argue that the healthcare sector is the most frequently targeted critical infrastructure for ransomware and data breaches — the 2024 Change Healthcare cyberattack disrupted claims processing for thousands of providers and exposed data for an estimated 100 million patients, illustrating the systemic risk of inadequate baseline standards. They contend that the current patchwork of voluntary guidelines has failed to produce consistent security practices, and that mandatory minimums like multifactor authentication and encryption are low-cost, high-impact measures already standard in other regulated industries. The bill's grant program and rural-specific guidance directly address the resource gap that leaves smaller and underserved facilities most vulnerable.
Opponents argue
Opponents argue that imposing uniform federal cybersecurity mandates on a highly diverse sector — ranging from large academic medical centers to small rural clinics — risks creating compliance burdens that are disproportionate for under-resourced providers, potentially diverting funds from patient care. They contend that the bill delegates broad rulemaking authority to HHS to define "minimum risk-based cybersecurity practices," a standard vague enough that post-Loper Bright courts may scrutinize whether the agency's implementing regulations exceed the statutory authorization. Critics also argue that the grant program's authorization of "such sums as may be necessary" without a specific appropriation provides no guaranteed funding, leaving smaller entities to bear mandated costs without assured federal support.
Constitutional context
Congress's authority to regulate healthcare entities rests on the Commerce Clause (Art. I, §8, cl. 3) and the Taxing and Spending Clause (Art. I, §8, cl. 1), both affirmed in NFIB v. Sebelius (2012) as valid bases for regulating commercial activity in healthcare markets. The bill's grant conditions could raise Spending Clause questions if compliance requirements are deemed coercive, though the voluntary grant structure makes that challenge unlikely. Post-Loper Bright (2024), HHS's broad delegation to define "minimum risk-based cybersecurity practices" will face independent judicial scrutiny rather than automatic deference, and under West Virginia v. EPA (2022), any rules of vast economic significance would require clear congressional authorization.
Checks and balances
The executive branch — specifically HHS and CISA — gains new rulemaking and enforcement authority over healthcare cybersecurity; Congress checks this through required annual reports, mandatory submission of the incident response plan before implementation, a working group with congressional reporting requirements, and the appropriations process for the grant program.
Historical precedent
The HITECH Act (2009) similarly imposed mandatory security and breach notification requirements on healthcare entities under HIPAA and authorized funding for health IT adoption, establishing the existing regulatory framework this bill would build upon.