The Privacy Protection Gap Is About to Close

Health Information Privacy Reform Act

For years, healthcare compliance officers have watched an unsettling trend unfold: while your organization carefully safeguards patient data under HIPAA regulations, a massive ecosystem of health apps, wearable devices, and wellness platforms has operated in a regulatory gray zone—collecting, using, and sharing sensitive health information with minimal oversight.

That’s about to change.

On November 4, 2025, Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions Committee, introduced the Health Information Privacy Reform Act (HIPRA). This sweeping legislation aims to close the decades-old gap in health privacy protections and fundamentally reshape the landscape for both traditional healthcare entities and digital health companies.

Understanding the Current Privacy Vacuum

Today’s healthcare data ecosystem exists in two very different worlds. In one world, HIPAA-covered entities—hospitals, health plans, and healthcare providers conducting electronic transactions—operate under strict federal privacy and security requirements. These organizations face substantial penalties for noncompliance and must implement comprehensive safeguards to protect patient information.

In the other world, consumer health apps tracking everything from menstrual cycles to blood pressure, along with smartwatches monitoring heart rhythms and sleep patterns, collect vast amounts of personal health information with far fewer restrictions. While some state laws and federal regulations like the FTC’s Health Breach Notification Rule apply, the protections are inconsistent and considerably weaker than HIPAA.

The consequences of this disparity have become increasingly apparent. Recent revelations about period-tracking apps selling user data to advertising platforms have highlighted the vulnerability of consumers who believe their health information receives uniform protection regardless of where it’s collected.

What HIPRA Changes: The Core Framework

HIPRA represents the most significant expansion of federal health privacy law since HIPAA itself. The legislation takes a two-pronged approach: extending HIPAA-like protections to previously unregulated entities while also modernizing certain aspects of existing HIPAA requirements.

New Regulated Entities and Service Providers

The Act introduces two new categories of regulated parties. “Regulated entities” are defined as organizations that determine the purpose and means of processing health information but aren’t currently covered by HIPAA. This includes health and fitness apps, wearable device manufacturers, wellness platforms, and even healthcare providers who only accept out-of-pocket payments.

“Service providers” are entities that process health information on behalf of these regulated entities—essentially the business associate equivalent for the non-HIPAA world.

Expansive Definition of Protected Information

HIPRA establishes the concept of “applicable health information,” which encompasses any information that identifies an individual and relates to their past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare. This definition is notably broad and could potentially extend to seemingly innocuous data points like grocery purchases or fitness tracker metrics that can be linked to an individual.

Critical Compliance Requirements Healthcare Organizations Should Monitor

Privacy, Security, and Breach Notification Standards

HHS, working in consultation with the FTC, will be tasked with promulgating comprehensive regulations that establish privacy, security, and breach notification requirements for applicable health information. These regulations must provide protections that are “at least commensurate with” existing HIPAA standards and should harmonize with them wherever feasible.

For regulated entities, this means implementing:

Privacy controls that address permitted uses and disclosures, authorization requirements, and individual rights—including rights to receive privacy notices, access and amend their information, ensure data portability, and notably, a right to deletion (which doesn’t exist under current HIPAA).

Security safeguards covering physical, technical, and administrative protections for health information in any form. For electronic information, these safeguards should align with frameworks from the National Institute of Standards and Technology or HHS.

Breach notification procedures substantially similar to HIPAA’s current requirements, ensuring individuals and authorities are promptly informed when health information is compromised.

Transparency and Consumer Notification Requirements

HIPRA introduces several novel notification obligations that will impact how healthcare organizations and digital health companies interact with consumers.

When entities access protected health information through a patient’s HIPAA right of access, they must now inform individuals that their data is no longer protected by HIPAA once it leaves the covered entity’s control. This notification must explain how the information may be redisclosed and requires consumer consent before selling that data to third parties.

For wellness applications and wearable devices generating data like step counts, vital statistics, and medication compliance metrics, regulated entities must notify consumers that this “wellness data” isn’t protected by HIPAA and must provide an opt-out mechanism for data generation.

Changes to Directed Disclosure Rights

HIPRA modifies existing HIPAA provisions around directed disclosures—situations where patients request that their protected health information be sent directly to a third party. Under the new framework, these requests must meet the requirements of a valid HIPAA authorization.

Additionally, covered entities and business associates providing access can now condition that access on the third party’s payment of reasonable fees and their acknowledgment that the limitations in the directed disclosure request are legally binding. This change gives healthcare organizations more control and protection when patients direct their data to apps and other third-party services.

De-identification Standards: A Unified Approach

One of HIPRA’s most technically significant provisions requires HHS to establish unified national standards for de-identifying health information. These standards must be equivalent to or exceed current HIPAA de-identification requirements while also addressing modern privacy-enhancing technologies.

Critically, information won’t qualify as de-identified when provided to third parties unless those third parties contractually agree not to re-identify it. This closed-loop approach addresses a longstanding concern about the potential for re-identification using advanced data analytics and machine learning.

Artificial Intelligence and the Minimum Necessary Standard

Recognizing the growing role of AI in healthcare, HIPRA mandates that HHS publish guidance on applying HIPAA’s minimum necessary standard to data used for artificial intelligence and machine learning applications. This guidance will address critical questions about data interoperability requirements and the appropriate use of limited data sets in AI contexts.

For healthcare organizations investing heavily in AI-driven diagnostics, predictive analytics, and operational improvements, this guidance will be essential for ensuring compliant implementation.

Part 2 Alignment: Substance Use Disorder Records

HIPRA furthers efforts to harmonize 42 CFR Part 2 (which governs substance use disorder treatment records) with HIPAA by providing that Part 2 records may be disclosed as permitted under HIPAA. This alignment addresses longstanding interoperability challenges and reduces administrative complexity for providers treating patients with substance use disorders.

Enforcement and Penalties

HHS will have enforcement authority over HIPRA, consulting with the FTC, and can impose civil monetary penalties aligned with HIPAA’s existing penalty structure. This means potentially substantial financial consequences for violations—ranging from $100 to $50,000 per violation, with annual maximums reaching $1.5 million, depending on the level of culpability.

As with current HIPAA enforcement, HHS will be required to consider whether organizations have implemented recognized security practices when evaluating potential violations.

State Law Preemption: Setting a National Floor

HIPRA adopts HIPAA’s preemption framework, establishing a national floor for health privacy protections while allowing states to maintain or enact more stringent requirements. This approach balances the need for consistent baseline protections with states’ ability to provide enhanced privacy safeguards for their residents.

Healthcare organizations operating across multiple states should expect to continue navigating a complex landscape where federal requirements represent the minimum standard.

Looking Ahead: Patient Compensation Study

In an intriguing forward-looking provision, HIPRA requires HHS to work with the National Academies of Sciences, Engineering, and Medicine to study the risks and benefits of compensating patients for sharing their identifiable health data for research purposes. This study will examine privacy risks, ethical considerations, privacy-enhancing technologies, and the feasibility of tracking patient data and consents in compensation scenarios.

While this provision doesn’t immediately change any requirements, it signals potential future developments in how we conceptualize patient control over health data and could have significant implications for research organizations and biobanks.

What Healthcare Compliance Officers Should Do Now

While HIPRA’s passage isn’t guaranteed—similar comprehensive privacy legislation has stalled in the past—prudent compliance officers should begin preparing for a world where health data privacy requirements are significantly more uniform and stringent.

Assess your data ecosystem. Map all flows of health information into and out of your organization, paying particular attention to interactions with digital health tools, patient-facing apps, and wearable device platforms.

Review third-party agreements. Examine contracts with vendors, apps, and service providers that access patient information through directed disclosures or integration with your systems. Consider what additional protections or modifications may be needed under HIPRA’s framework.

Evaluate notification processes. Determine how you would implement HIPRA’s transparency requirements, including notifications when data leaves HIPAA protection and disclosures about how patient information may be redisclosed.

Monitor regulatory developments. Stay informed about HIPRA’s legislative progress and watch for proposed regulations from HHS and the FTC as implementation details emerge.

Engage with industry discussions. Participate in trade association working groups and comment periods to help shape practical implementation of HIPRA’s requirements.

The Bigger Picture

HIPRA represents recognition that health data privacy law has failed to keep pace with technological change. The legislation acknowledges what patients intuitively understand: their health information deserves consistent protection whether it’s collected during a doctor’s visit, recorded by a smartphone app, or tracked by a wearable device.

For healthcare organizations, HIPRA promises both challenges and opportunities. Compliance burdens will increase, particularly around interactions with digital health tools and patient-directed disclosures. But the legislation also creates a more level playing field where traditional healthcare providers aren’t disadvantaged by competitors operating under less stringent privacy requirements.

Most importantly, HIPRA positions the healthcare industry to build greater patient trust at a time when data breaches, unauthorized sharing, and privacy violations have eroded confidence in how health information is protected.

As Senator Cassidy noted in introducing the legislation, smartwatches and health apps have fundamentally changed how people manage their health. Now the law is finally catching up to ensure Americans’ data is secured and only collected and used with their informed consent.

The path forward requires vigilance, preparation, and a commitment to privacy as a cornerstone of quality healthcare. Whether HIPRA becomes law in its current form or is modified through the legislative process, the direction is clear: comprehensive, consistent health data privacy protection is no longer optional—it’s inevitable.
