To provide additional protections with respect to health information, and for other purposes.
Analysis under review: This bill has generated analysis that may be too generic or incomplete. Clause-level evidence remains available below.
Summary
What This Bill Does
The Health Information Privacy Reform Act extends HIPAA-like privacy protections to health data held by entities not currently covered by HIPAA, such as health apps, fitness trackers, and digital wellness platforms. It requires HHS to set new privacy, security, and breach notification standards, strengthens patient notification requirements, establishes de-identification standards, and provides AI-specific data guidance.
Who Benefits and How
Patients and consumers gain new privacy protections for health data collected by non-HIPAA entities like health apps and wearables. They receive plain-language notifications before health data leaves HIPAA protections and must consent before their data is sold. Privacy-enhancing technology companies benefit from new requirements for de-identification standards. The National Academies receives a contract to study patient data compensation models.
Who Bears the Burden and How
Digital health companies, health apps, and wellness technology providers face new HIPAA-equivalent privacy regulations and breach notification requirements. Companies accessing patient data through the right of access must provide notifications and obtain consent for resale. AI and machine learning companies using health data face new minimum-necessary-use guidance. HHS faces significant rulemaking obligations across multiple areas within 1-year deadlines.
Key Provisions
- HIPAA-equivalent privacy/security standards extended to non-covered entities processing health information
- Plain-language patient notification before health data leaves HIPAA protections, plus consent-to-sell requirement
- Unified national de-identification standards with contractual no-re-identification requirements
- Minimum necessary guidance for AI/ML applications using health data (1-year deadline)
- NAS study on compensating patients for sharing identifiable data for research
Evidence Chain:
This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers.
At a Glance
What This Bill Does
Extends HIPAA-like privacy protections to health data held by entities not currently covered by HIPAA, strengthens patient notification requirements, establishes de-identification standards, and provides AI-specific health data guidance.
Key Policy Areas
Healthcare Privacy, Data Protection, Artificial Intelligence, Consumer Protection
Primary Purpose
Extends HIPAA-like privacy protections to health data held by entities not currently covered by HIPAA, strengthens patient notification requirements, establishes de-identification standards, and provides AI-specific health data guidance.
Policy Domains
Health Information Privacy Reform Act
Identified Gains
Contextual inference, no direct clause citation- Patients and health data subjects
- Privacy-enhancing technology companies
- National Academies
Contextual inference, no direct clause citation
Identified Costs
Contextual inference, no direct clause citation- Digital health companies and health apps
- AI/ML companies using health data
- HHS (rulemaking burden)
Contextual inference, no direct clause citation
Sponsors
Legislative Progress
IntroducedMr. Cassidy introduced the following bill; which was read twice …
Stakeholder Effects
cui bono?How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.
AI/ML companies using health data, Digital health companies and health apps, Digital wellness and fitness technology companies
Positive-direction: Privacy-enhancing technology companies
Negative-direction: AI/ML companies using health data, Digital health companies and health apps, Digital wellness and fitness technology companies, Health IT interoperability companies, Health data research companies
Health data aggregators and patient data brokers, Health data companies using right-of-access, Health data de-identification service providers
Consumers using health and wellness apps, Patients, Patients and health data subjects
National Academies of Sciences, Engineering, and Medicine
States with strong health privacy laws
Bill Structure & Actor Mappings
Who is "The Secretary" in each section?
- "the_secretary"
- → Secretary of Health and Human Services
Key Definitions
Terms defined in this bill
Health information processed by regulated entities and their service providers (broader than HIPAA's protected health information).
Data generated for promoting health or preventing disease, including vital statistics, step counts, and medical regimen compliance.
Software, hardware, technical processes, or other technological means of mitigating privacy risks through enhanced predictability, manageability, disassociability, and confidentiality.
Entities processing applicable health information that are not currently HIPAA-covered entities.
We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.
Learn more about our methodology