On November 4, 2025, Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (“HELP”) Committee, introduced the Health Information Privacy Reform Act (“HIPRA”). HIPRA seeks to extend protections similar to those provided under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) to certain health information collected by entities not currently regulated by HIPAA. HIPRA also proposes modifications and calls for guidance related to certain existing provisions of HIPAA as well as Part 2 (related to substance use disorder medical history).

Background

HIPAA applies only to covered entities and their business associates. HIPAA covered entities are health plans, health care clearinghouses, and health care providers that engage in certain electronic transactions (e.g., submitting claims to health insurance), and business associates are entities that perform certain functions on covered entities’ behalf. As a result, health information collected by consumer-facing companies and platforms, such as health and fitness applications, wearable devices, and wellness platforms often are not subject to HIPAA. Instead, identifiable health information collected by entities not regulated by HIPAA is subject to a patchwork of state privacy frameworks, unless an exception applies (e.g., for certain federally regulated research), and in some cases, the FTC’s Health Breach Notification Rule.

Federal health information privacy reform has historically been a priority of Senator Cassidy’s. Last year, Senator Cassidy published a white paper that discussed several items now proposed in HIPRA, including new notification requirements for wellness applications and wearable devices, alignment of HIPAA with requirements applicable to Part 2 records, and revisions to HIPAA’s directed disclosure requirements, among others. We discussed Senator Cassidy’s white paper further in posts here and here.

We discuss key provisions of HIPRA below.

Scope

HIPRA would impose obligations on “regulated entities” and “service providers.” “Regulated entities” are entities that are not covered entities or business associates under HIPAA, and that determine the purpose and means of processing “applicable health information.” “Service providers” are defined as entities that process such information on behalf of regulated entities. HIPRA defines “applicable health information” as information that identifies an individual and relates to the individual’s past, present, or future physical or mental health or condition, provision of health care, or payment for health care.

Key Provisions

Privacy, Security, and Breach Notification Regulations. HIPRA instructs the Department of Health and Human Services (“HHS”), in consultation with the Federal Trade Commission (“FTC”), to promulgate regulations that establish (i) privacy, (ii) security, and (iii) breach notification requirements for applicable health information used by regulated entities and service providers. Regulations promulgated under HIPRA would be required to provide protections “at least commensurate with” and “wherever feasible and appropriate” harmonized with, existing HIPAA regulations. HIPRA specifically provides that HHS must promulgate regulations that address:

  • Privacy requirements, including, for example, permitted uses and disclosures of applicable health information and when individuals must give written authorization prior to use or disclosure, authorization standards, and individual rights with respect to applicable health information, including the right to receive a privacy notice from the regulated entity, access to and amendment of applicable health information, portability of applicable health information, and, unlike HIPAA, deletion of applicable health information.
  • Security requirements, including physical, technical, and administrative safeguards for applicable health information in any form and, for electronic applicable health information, those safeguards should be based on national frameworks from the National Institute of Standards and Technology or HHS.
  • Breach notification requirementsthat are substantially similar to those under HIPAA’s Breach Notification Rule.

Enforcement. HIPRA would empower HHS to enforce HIPRA, in consultation with the FTC, and would align civil penalties with HIPAA’s enforcement provisions for violations of privacy, security, and breach notification regulations under HIPRA. As under HIPAA, HHS would be required to consider the use of recognized security practices when enforcing potential HIPAA Security Rule violations.

De-identified Information. HIPRA would require HHS to issue regulations to “establish[] unified national standards for rendering applicable health information de-identified,” which has the potential to result in changes to existing de-identification standards under HIPAA. HIPRA provides that these standards should be (i) “equivalent to, or exceed,” the de-identification standard under HIPAA, (ii) specify standards for the use of privacy enhancing technologies as a method for creating de-identified information, and (iii) specify that information will not qualify as de-identified information when provided by a regulated entity, service provider, covered entity or business associate to a third party unless that third party agrees not to re-identify the information.

Amendments to Existing Law. HIPRA proposes amendments to existing provisions of HIPAA that provide individuals with the right to direct a covered entity or business associate to disclose an individual’s protected health information directly to a third party (often referred to as a “directed disclosure”). Specifically, HIPRA would amend these provisions to require that an individual’s request for a directed disclosure meet the requirements of a valid HIPAA authorization. HIPRA would also permit the covered entity or business associate that is providing access to the individual’s information to condition the third party’s access on the third party’s (i) payment of fees and (ii) acknowledgment and acceptance of the limitations contained in the individual’s directed disclosure request as legally binding on the third party receiving the data. These requirements would not apply to directed disclosures that are permitted by HIPAA for treatment, payment, or health care operations purposes.

Additionally, HIPRA would amend Part 2 to provide that Part 2 records may be disclosed as permitted in HIPAA. This furthers prior efforts under the 2020 Coronavirus Aid, Relief, and Economic Security Act to align Part 2 and HIPAA.

Patient Compensation. HIPRA would require HHS to work with the National Academies of Sciences, Engineering, and Medicine to conduct a study examining the potential risks and benefits of paying compensation to patients for sharing their identifiable data for research purposes. Such a study is required to examine certain topics, including, among others: (i) risks to patient privacy and ethical considerations associated with compensating patients for identifiable and de-identified data, (ii) privacy enhancing tools and methods for protection of patient health data, and (iii) feasibility of tracking patient data and consents.

Patient Notifications. HIPRA would require that entities that gain access to protected health information through a patient’s right of access under HIPAA inform individuals that their data is no longer protected by HIPAA, explain how the information may be redisclosed, and require a consumer’s consent before selling that data to third parties.

Additionally, HIPRA proposes that regulated entities and service providers who generate “wellness data” notify consumers that their data is not protected by HIPAA, and that they can opt-out of this data generation. HIPRA defines “wellness data” as data generated for the purpose of promoting health or preventing disease, which may include vital statistics, step counts, and medical regimen compliance.

Minimum Necessary Standard for AI. HIPRA would require HHS to publish guidance on the application of HIPAA’s minimum necessary standard to data used for artificial intelligence and other machine learning applications and relevant requirements, including health data interoperability requirements and the use of limited data sets.

Preemption. HIPRA would adopt HIPAA’s preemption standard for the requirements set forth under the bill. This means that HIPRA would set a national floor—contrary state laws would be preempted unless they are more protective of individual privacy.

Tags: Data Privacy, Health Privacy
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws.

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Read more about Libbie CanterEmail
Show more Show less
Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into…

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.

Read more about Anna D. KrausEmail
Show more Show less
Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and…

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Read more about Elizabeth BrimEmail
Show more Show less
Photo of Natalie Maas Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory…

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.

Read more about Natalie MaasEmail
Show more Show less