On November 4, 2025, Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (“HELP”) Committee, introduced the Health Information Privacy Reform Act (“HIPRA”). HIPRA seeks to extend protections similar to those provided under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) to certain health information collected by entities not currently regulated by HIPAA. HIPRA also proposes modifications and calls for guidance related to certain existing provisions of HIPAA as well as Part 2 (related to substance use disorder medical history).
Background
HIPAA applies only to covered entities and their business associates. HIPAA covered entities are health plans, health care clearinghouses, and health care providers that engage in certain electronic transactions (e.g., submitting claims to health insurance), and business associates are entities that perform certain functions on covered entities’ behalf. As a result, health information collected by consumer-facing companies and platforms, such as health and fitness applications, wearable devices, and wellness platforms often are not subject to HIPAA. Instead, identifiable health information collected by entities not regulated by HIPAA is subject to a patchwork of state privacy frameworks, unless an exception applies (e.g., for certain federally regulated research), and in some cases, the FTC’s Health Breach Notification Rule.
Federal health information privacy reform has historically been a priority of Senator Cassidy’s. Last year, Senator Cassidy published a white paper that discussed several items now proposed in HIPRA, including new notification requirements for wellness applications and wearable devices, alignment of HIPAA with requirements applicable to Part 2 records, and revisions to HIPAA’s directed disclosure requirements, among others. We discussed Senator Cassidy’s white paper further in posts here and here.
We discuss key provisions of HIPRA below.
Scope
HIPRA would impose obligations on “regulated entities” and “service providers.” “Regulated entities” are entities that are not covered entities or business associates under HIPAA, and that determine the purpose and means of processing “applicable health information.” “Service providers” are defined as entities that process such information on behalf of regulated entities. HIPRA defines “applicable health information” as information that identifies an individual and relates to the individual’s past, present, or future physical or mental health or condition, provision of health care, or payment for health care.
Key Provisions
Privacy, Security, and Breach Notification Regulations. HIPRA instructs the Department of Health and Human Services (“HHS”), in consultation with the Federal Trade Commission (“FTC”), to promulgate regulations that establish (i) privacy, (ii) security, and (iii) breach notification requirements for applicable health information used by regulated entities and service providers. Regulations promulgated under HIPRA would be required to provide protections “at least commensurate with” and “wherever feasible and appropriate” harmonized with, existing HIPAA regulations. HIPRA specifically provides that HHS must promulgate regulations that address:
- Privacy requirements, including, for example, permitted uses and disclosures of applicable health information and when individuals must give written authorization prior to use or disclosure, authorization standards, and individual rights with respect to applicable health information, including the right to receive a privacy notice from the regulated entity, access to and amendment of applicable health information, portability of applicable health information, and, unlike HIPAA, deletion of applicable health information.
- Security requirements, including physical, technical, and administrative safeguards for applicable health information in any form and, for electronic applicable health information, those safeguards should be based on national frameworks from the National Institute of Standards and Technology or HHS.
- Breach notification requirementsthat are substantially similar to those under HIPAA’s Breach Notification Rule.
Enforcement. HIPRA would empower HHS to enforce HIPRA, in consultation with the FTC, and would align civil penalties with HIPAA’s enforcement provisions for violations of privacy, security, and breach notification regulations under HIPRA. As under HIPAA, HHS would be required to consider the use of recognized security practices when enforcing potential HIPAA Security Rule violations.
De-identified Information. HIPRA would require HHS to issue regulations to “establish[] unified national standards for rendering applicable health information de-identified,” which has the potential to result in changes to existing de-identification standards under HIPAA. HIPRA provides that these standards should be (i) “equivalent to, or exceed,” the de-identification standard under HIPAA, (ii) specify standards for the use of privacy enhancing technologies as a method for creating de-identified information, and (iii) specify that information will not qualify as de-identified information when provided by a regulated entity, service provider, covered entity or business associate to a third party unless that third party agrees not to re-identify the information.
Amendments to Existing Law. HIPRA proposes amendments to existing provisions of HIPAA that provide individuals with the right to direct a covered entity or business associate to disclose an individual’s protected health information directly to a third party (often referred to as a “directed disclosure”). Specifically, HIPRA would amend these provisions to require that an individual’s request for a directed disclosure meet the requirements of a valid HIPAA authorization. HIPRA would also permit the covered entity or business associate that is providing access to the individual’s information to condition the third party’s access on the third party’s (i) payment of fees and (ii) acknowledgment and acceptance of the limitations contained in the individual’s directed disclosure request as legally binding on the third party receiving the data. These requirements would not apply to directed disclosures that are permitted by HIPAA for treatment, payment, or health care operations purposes.
Additionally, HIPRA would amend Part 2 to provide that Part 2 records may be disclosed as permitted in HIPAA. This furthers prior efforts under the 2020 Coronavirus Aid, Relief, and Economic Security Act to align Part 2 and HIPAA.
Patient Compensation. HIPRA would require HHS to work with the National Academies of Sciences, Engineering, and Medicine to conduct a study examining the potential risks and benefits of paying compensation to patients for sharing their identifiable data for research purposes. Such a study is required to examine certain topics, including, among others: (i) risks to patient privacy and ethical considerations associated with compensating patients for identifiable and de-identified data, (ii) privacy enhancing tools and methods for protection of patient health data, and (iii) feasibility of tracking patient data and consents.
Patient Notifications. HIPRA would require that entities that gain access to protected health information through a patient’s right of access under HIPAA inform individuals that their data is no longer protected by HIPAA, explain how the information may be redisclosed, and require a consumer’s consent before selling that data to third parties.
Additionally, HIPRA proposes that regulated entities and service providers who generate “wellness data” notify consumers that their data is not protected by HIPAA, and that they can opt-out of this data generation. HIPRA defines “wellness data” as data generated for the purpose of promoting health or preventing disease, which may include vital statistics, step counts, and medical regimen compliance.
Minimum Necessary Standard for AI. HIPRA would require HHS to publish guidance on the application of HIPAA’s minimum necessary standard to data used for artificial intelligence and other machine learning applications and relevant requirements, including health data interoperability requirements and the use of limited data sets.
Preemption. HIPRA would adopt HIPAA’s preemption standard for the requirements set forth under the bill. This means that HIPRA would set a national floor—contrary state laws would be preempted unless they are more protective of individual privacy.