S3097-119

Introduced

To provide additional protections with respect to health information, and for other purposes.

119th Congress Introduced Nov 4, 2025

Analysis under review: This bill has generated analysis that may be too generic or incomplete. Clause-level evidence remains available below.

Summary

What This Bill Does

The Health Information Privacy Reform Act extends HIPAA-like privacy protections to health data held by entities not currently covered by HIPAA, such as health apps, fitness trackers, and digital wellness platforms. It requires HHS to set new privacy, security, and breach notification standards, strengthens patient notification requirements, establishes de-identification standards, and provides AI-specific data guidance.

Who Benefits and How

Patients and consumers gain new privacy protections for health data collected by non-HIPAA entities like health apps and wearables. They receive plain-language notifications before health data leaves HIPAA protections and must consent before their data is sold. Privacy-enhancing technology companies benefit from new requirements for de-identification standards. The National Academies receives a contract to study patient data compensation models.

Who Bears the Burden and How

Digital health companies, health apps, and wellness technology providers face new HIPAA-equivalent privacy regulations and breach notification requirements. Companies accessing patient data through the right of access must provide notifications and obtain consent for resale. AI and machine learning companies using health data face new minimum-necessary-use guidance. HHS faces significant rulemaking obligations across multiple areas within 1-year deadlines.

Key Provisions

  • HIPAA-equivalent privacy/security standards extended to non-covered entities processing health information
  • Plain-language patient notification before health data leaves HIPAA protections, plus consent-to-sell requirement
  • Unified national de-identification standards with contractual no-re-identification requirements
  • Minimum necessary guidance for AI/ML applications using health data (1-year deadline)
  • NAS study on compensating patients for sharing identifiable data for research

Evidence Chain:

This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers.

At a Glance

What This Bill Does

Extends HIPAA-like privacy protections to health data held by entities not currently covered by HIPAA, strengthens patient notification requirements, establishes de-identification standards, and provides AI-specific health data guidance.

Key Policy Areas

Healthcare Privacy, Data Protection, Artificial Intelligence, Consumer Protection

Primary Purpose

Extends HIPAA-like privacy protections to health data held by entities not currently covered by HIPAA, strengthens patient notification requirements, establishes de-identification standards, and provides AI-specific health data guidance.

Policy Domains

Healthcare Privacy Data Protection Artificial Intelligence Consumer Protection

Health Information Privacy Reform Act

Identified Gains
Contextual inference, no direct clause citation
  • Patients and health data subjects
  • Privacy-enhancing technology companies
  • National Academies
Model: N/A | Version: bill_summary_v2 | Source: is

Contextual inference, no direct clause citation

Identified Costs
Contextual inference, no direct clause citation
  • Digital health companies and health apps
  • AI/ML companies using health data
  • HHS (rulemaking burden)
Model: N/A | Version: bill_summary_v2 | Source: is

Contextual inference, no direct clause citation

Legislative Progress

Introduced
Introduced Committee Passed
Nov 4, 2025

Mr. Cassidy introduced the following bill; which was read twice …

Stakeholder Effects

cui bono?

How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.

Technology
6 mentions across 4 clauses
+1 positive -5 negative

AI/ML companies using health data, Digital health companies and health apps, Digital wellness and fitness technology companies

Positive-direction: Privacy-enhancing technology companies

Negative-direction: AI/ML companies using health data, Digital health companies and health apps, Digital wellness and fitness technology companies, Health IT interoperability companies, Health data research companies

Data Services
4 mentions across 4 clauses
-4 negative

Health data aggregators and patient data brokers, Health data companies using right-of-access, Health data de-identification service providers

Consumers
4 mentions across 4 clauses
+4 positive

Consumers using health and wellness apps, Patients, Patients and health data subjects

Healthcare
1 mention across 1 clause
-1 negative

Healthcare providers (covered entities)

Research & Science
1 mention across 1 clause
+1 positive

National Academies of Sciences, Engineering, and Medicine

State & Local Government
1 mention across 1 clause
+1 positive

States with strong health privacy laws

Government
1 mention across 1 clause
-1 negative

HHS Office for Civil Rights

7/9
sections analyzed
Full impact breakdown

Bill Structure & Actor Mappings

Who is "The Secretary" in each section?

Domains
Healthcare Privacy Data Protection Artificial Intelligence Consumer Protection
Actor Mappings
"the_secretary"
→ Secretary of Health and Human Services

Key Definitions

Terms defined in this bill

4 terms
"applicable health information" §2

Health information processed by regulated entities and their service providers (broader than HIPAA's protected health information).

"wellness data" §6

Data generated for promoting health or preventing disease, including vital statistics, step counts, and medical regimen compliance.

"privacy enhancing technologies" §8

Software, hardware, technical processes, or other technological means of mitigating privacy risks through enhanced predictability, manageability, disassociability, and confidentiality.

"regulated entity" §2b

Entities processing applicable health information that are not currently HIPAA-covered entities.

We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.

Learn more about our methodology