HIPAA Privacy Technology Legislation

Recently, Republican Senator Bill Cassidy and Democratic Senator Tammy Baldwin introduced legislation known as the Health Data Use and Privacy Commission Act. The legislation’s main aim is to update what these Senators view as an “outdated” HIPAA law. When HIPAA was signed into law in 1996, most covered entities were still in the telegraph age when it came to using electronic technology to use and disclose medical records.

Those days, 25 years ago, were the days of paper charts and documentation, phone communications, and old-fashioned faxes. In the intervening 25 years, HIPAA has not changed, but the world around it has. Today, protected health information is used, disclosed, and accessed by health apps such as FitBit, CommonHealth, and Sleep Cycle. The legislation seeks to bring these entities into the HIPAA fold by designating them as covered entities, thus subjecting them to HIPAA’s regulatory scheme. Additional details of the new HIPAA privacy technology legislation are discussed below.

New HIPAA Privacy Technology Legislation: Deja Vu All Over Again

Congress has attempted to pass new HIPAA privacy technology legislation for at least a decade. Some of the legislation failed to garner bipartisan support. Events beyond the control of Congress have thwarted still other legislative proposals. In 2019, several proposals to “modernize” HIPAA were made. When COVID-19 reached our shores, the momentum needed to pass the new HIPAA privacy and security technology legislation fizzled. 


New HIPAA Privacy Technology Legislation: There is a Doctor in the Building

The Health Data Use and Privacy Commission Act (HDUPC) is notable for being introduced by an actual medical doctor. Senator Cassidy is also Bill Cassidy, M.D. As a doctor, he has expressed concern that if HIPAA is not updated to reflect reality, the security of patient data will be put at risk. Senator Baldwin sits on the Subcommittee on Labor, Health and Human Services, Education, and Related Agencies and has a particular interest in health information security. 

New HIPAA Privacy Technology Legislation: Nuts and Bolts of the Law

The legislation calls for the creation of a commission to focus on health information security. As the introduction to the legislation notes, this focus is sorely needed: An increasing number of people of the United States are using consumer health technologies, including wearable technology. Today, roughly 20 percent of people in the United States report using such technology, which generates and stores data about their personal health and well-being. 

This commission, to bring consumer health technologies into the state and federal regulatory sweep, would review existing security measures for protected health information (PHI) and electronic protected health information (ePHI) at the state and federal government levels while also evaluating the methods used by providers, consumer electronics companies, insurance companies, financial services companies, and other industry sectors, to collect such information.

After this evaluation, the commission would determine the potential threats to health privacy and identify when health information sharing is beneficial to consumers. From there, the commission would recommend new HIPAA privacy technology legislative measures to Congress and the President in the form of a report.

Committees are frequent targets of jokes. The late American comedian Fred Allen once quipped, “A committee is a group of people who individually can do nothing, but who, as a group, can meet and decide that nothing can be done.” HDUPC reins in the power and enhances the legitimacy of this particular commission by requiring that the commission issue its report no later than 6 months after the appointment of all members of the Commission. The legislation is also designed to ensure that the commission does not outlive its usefulness: HDUPC requires that the Commission be terminated within 30 days after it submits its report.

New HIPAA Privacy Technology Legislation: What’s New This Time Around?

HDUPC requires the commission to recommend, in addition to legislative solutions, non-legislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices, and new technologies. To ensure the soundness of these recommendations, the commission must review the effectiveness and utility of existing third-party statements of privacy principles and private sector self-regulatory efforts.

HDUPC also requires the commission to issue a report that sorts out the tangled mess of conflicting and overlapping data security and privacy laws and regulations. As the bill’s introductory language observes, “Due to a lack of Federal guidelines and a range of different State and local rules regarding privacy protection for individually identifiable health information, there is a growing concern about the confidentiality of personal health information collected outside the context of health care delivery, payment, and the practice of medicine generally.” The bill requires the commission to suggest measures to streamline, harmonize, and unify these laws. Such measures can include reforming or adding to existing laws related to enforcement, consent, penalties for misuse, and transparency.
