Senator Proposes HIPAA-like Protections for all Consumer Health Data

A Republican Senator has proposed new legislation to ensure data privacy and security for all healthcare data, not just health data collected by HIPAA-regulated entities. If passed, there will be privacy and security requirements for all healthcare data, including data collected by health apps, smartwatches, and other wearable devices. The law will also apply to entities in the healthcare sphere that are not subject to HIPAA, such as therapists who do not conduct electronic transactions for which the HHS has standards.

The new legislation – The Health Information Privacy and Reform Act – was introduced by Sen. Bill Cassidy (R-LA), Chair of the Senate Health, Education, Labor, and Pensions (HELP) committee, on November 4, 2025, and seeks to expand HIPAA protections to cover health data that is not handled by HIPAA-regulated entities. “Smartwatches and health apps change the way people manage their health. They’re helpful tools but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room,” said Sen. Cassidy. “Let’s make sure that Americans’ data is secured and only collected and used with their consent.”

There have previously been attempts to expand HIPAA itself, but this bill seeks to establish a separate set of regulated entities that will have to comply with HIPAA-like laws. The bill will essentially keep HIPAA as it is – some minor changes to HIPAA and the Part 2 regulations are proposed in the bill – and simply apply similar requirements to other entities. The Health Information Privacy and Reform Act defines “regulated entities” as any “natural or legal person that […] determines the purpose and means of processing applicable health information.” The broad definition includes healthcare organizations that provide healthcare services but fall outside the definition of HIPAA-covered entity or business associate, including providers of telehealth, health and wellness apps, smartwatches, other wearable devices, as well as genetic testing companies.

The definition of “applicable health information” includes information linked to or linkable to an individual that relates to the past, present, or future health of that individual, or the provision of healthcare to the individual, or related to payments for healthcare providers to that individual, similar to HIPAA. As for the requirements, they too are similar to HIPAA, although they are not fleshed out in the bill. The bill requires the Secretary of the Department of Health and Human Services (HHS), in conjunction with the Federal Trade Commission (FTC), to promulgate privacy, security, and breach notification regulations for the processing of all applicable health information by regulated entities and their service providers. The standards must provide protections that are at least commensurate with, and where feasible and appropriate, harmonized with the privacy, security, and breach notification rules of HIPAA and the HITECH Act.

Other requirements of the bill include the development of national standards for the de-identification of applicable health information, and the National Academies of Sciences, Engineering, and Medicine are required to conduct a study of the potential risks and benefits associated with paying patients to share identifiable health data for research purposes. One notable change to HIPAA concerns access to PHI, one of the patient rights under HIPAA. New restrictions would apply. In order to exercise their right of access, an authorization would be required by a patient that includes the reason for the disclosure of their data to a third party before the data could be released by a HIPAA-regulated entity.  There are also transparency requirements, such as requiring an individual to be notified that any transfer of PHI to a third party, per their access request, would mean the PHI is no longer subject to the HIPAA Rules after its disclosure and that the information may be redisclosed.

There is a clear need for greater privacy protections for non-HIPAA-covered data. While some states have introduced their own regulations to cover non-HIPAA-protected health data, many states have no such privacy laws. The Health Information Privacy and Reform Act would set a baseline level of protection for all health information, although it would not resolve the patchwork of state laws, as the Health Information Privacy and Reform Act would allow states to introduce tougher regulations, if they wish. Similar to HIPAA, and unlike state regulations such as the California Consumer Privacy Act and Washington’s My Health My Data Act, there is no private right of action, although civil monetary penalties could be imposed by the HHS on entities found to have violated the provisions of the Act.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/