US Senator Bill Cassidy has introduced the Health Information Privacy Reform Act, a bill designed to extend privacy protections to health data collected by technologies such as smartwatches and mobile applications.
Introduced in the US Senate on 11 April 2025, the legislation seeks to bridge the gap between traditional healthcare providers covered by the Health Insurance Portability and Accountability Act (HIPAA) and modern digital health companies that currently fall outside those regulations.
Here’s an overview of the bill’s key provisions and its potential impact on the digital health sector.
Closing the regulatory gap
HIPAA currently governs how “covered entities”, such as doctors, hospitals, and insurers, handle protected health information or “PHI”.
But HIPAA generally does not apply to consumer technologies like fitness trackers or health apps, leaving a regulatory void regarding the data these devices collect.
The Health Information Privacy Reform Act aims to close this gap by creating a new class of organizations not currently covered by HIPAA: “regulated entities”.
Who is a ‘regulated entity’?
Under the bill, which draws some language from the EU’s General Data Protection Regulation (GDPR) and the US state privacy laws it inspired, a “regulated entity” is defined as a natural or legal person that determines the purpose and means of processing “applicable health information”.
The definition explicitly excludes:
- Governmental entities.
- Entities processing data on behalf of the government.
- HIPAA-covered entities and business associates.
“Applicable health information” includes data that identifies an individual and relates to their physical or mental health, healthcare provision, or payment, including information that was not created or received by a traditional healthcare provider.
New privacy and security obligations
The bill directs the Secretary of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to establish regulations for regulated entities. These standards must be “at least commensurate” with existing HIPAA privacy, security, and breach notification rules.
Regulated entities would face compliance obligations, including:
- Granting users the right to access, amend, and delete their data, as well as data portability.
- Implementing physical, technical, and administrative safeguards aligned with national frameworks, such as those from the National Institute of Standards and Technology (NIST).
- Reporting data breaches in a manner substantially similar to HIPAA requirements.
- Providing a privacy notice detailing permitted and prohibited uses of data.
Wellness data and opt-out rights
The legislation introduces specific transparency requirements for “wellness data”, defined as data generated to promote health or prevent disease, such as step counts or vital statistics.
Regulated entities offering technology that generates wellness data must provide a plain-language notification stating that the data is not subject to HIPAA protections. Furthermore, they must offer the individual an opportunity to opt out of wellness data generation.
Data transfers and consent
The bill addresses the movement of data from the HIPAA-regulated system to the non-regulated consumer sector.
When a regulated entity gains access to protected health information via a patient’s right of access (for example, when a user connects a third-party app to their medical records), the entity must notify the individual that the data is no longer protected by HIPAA.
The entity must also provide an explanation of how the data may be redisclosed and obtain the individual’s consent before selling that health information to third parties.
De-identification standards
The bill mandates the establishment of unified national standards for de-identifying health information. These standards will generally mirror HIPAA’s de-identification rules but must also specify standards for “privacy-enhancing technologies”.
To qualify as de-identified, information provided by a regulated entity to another party requires a contractual agreement. The recipient must agree in writing not to attempt re-identification and must impose the same requirement on any subsequent recipients.
Enforcement
The HHS Secretary and the FTC would share enforcement authority. The bill allows for civil penalties for violations, applied in the same manner as penalties under the HITECH Act.
If enacted, the HHS would be required to promulgate the necessary regulations regarding privacy, security, and de-identification standards within one year.
Towards better health privacy
Whether or not this bill passes, providers of health and fitness technology are becoming much more privacy-conscious due to:
- State privacy laws like the California Consumer Privacy Act (CCPA).
- Health-specific laws like Washington’s My Health My Data Act (MHMDA).
- A recent flurry of regulatory activity from the Federal Trade Commission (FTC).
Consumers are increasingly aware of how their health data is used by tech and software providers, and have new legal rights to take control of their privacy.
Businesses operating in this tightly regulated space should consider building privacy protections into their apps and devices to stay ahead of these evolving requirements.