The Health Information Privacy Reform Act establishes new privacy, security, and breach notification standards for applicable health information handled by regulated entities and service providers, while also addressing patient rights regarding data access and mandating studies on data compensation.
Bill Cassidy, Senator, LA
The Health Information Privacy Reform Act aims to strengthen privacy, security, and breach notification standards for health information beyond current HIPAA rules, primarily by establishing new regulations for entities not traditionally covered. It also mandates studies on patient compensation for research data and clarifies rules regarding patient access rights and the de-identification of health data. Ultimately, this bill seeks to modernize and expand federal protections for health information across a broader range of data handlers.
If you’ve ever felt like your health data—from your doctor’s office to your favorite fitness tracker—was floating around with zero protection, this new bill is a mixed bag for you. The Health Information Privacy Reform Act aims to close a major gap in health data privacy by extending the strict standards of HIPAA (Health Insurance Portability and Accountability Act) to a whole new category of companies: the data brokers, wellness apps, and tech companies that handle what the bill calls “Applicable Health Information.” Essentially, if you’re a company that collects data about someone’s health condition, care, or payment, and you’re not already a HIPAA-covered entity like a hospital or insurance company, you’re now a “Regulated Entity” and you’re about to get a crash course in serious privacy compliance.
For years, traditional healthcare providers (Covered Entities) and their direct contractors (Business Associates) have had to follow HIPAA’s rules on privacy, security, and breach notification. This bill (Sec. 2) mandates that the Secretary of Health and Human Services create new regulations that apply these same robust standards—or stronger ones—to these new Regulated Entities and their Service Providers. This is a huge deal because it means companies like wellness apps tracking your steps and sleep, or data analytics firms compiling health profiles, will now have to designate privacy officers, implement technical and physical security safeguards based on national standards (like those from NIST), and notify you if they suffer a data breach. The goal is clear: your health data should be protected, regardless of whether it was collected by your doctor or your smartwatch.
While the bill broadens privacy protections, it also introduces a potential snag when you try to get your own data. Currently, patients have a right to access their Protected Health Information (PHI) and direct it to a third party (like a new doctor or a health app). Section 3 of this bill changes the rules slightly when you ask a provider to send your PHI to a designated person (someone who isn't your provider or yourself). The bill explicitly allows the provider or business associate to require the designated person to pay fees in advance before sending the information. While this fee structure must follow state law, requiring advance payment could create a significant barrier for individuals trying to manage their health records, turning a fundamental right into a transaction with a potential cost.
Perhaps the most confusing and concerning part of the bill is tucked away in Section 6, which deals with patient notification. This section requires that any entity accessing an individual's PHI using the patient's right of access must give the individual a written notification before accessing the data. The notification must state that once the information is accessed, it will no longer be protected under the HIPAA privacy regulation. That is less a new loss of protection than a written admission of an existing one: HIPAA binds only covered entities and their business associates, so a copy of your records handed to an app, data broker, or other outside party is already beyond its reach today. The bill does require the entity to get your consent before selling that information to third parties, but every other form of redisclosure of that copy is left without HIPAA protection, a gap large enough to undermine the purpose of the rest of the bill.
To address the explosion of consumer health tech, the bill also mandates that any regulated entity offering digital technology that creates “wellness data” (like step counts or sleep metrics) must notify the user in advance that this data will not be protected under HIPAA (Sec. 6). Crucially, the user must be given an explicit opt-out opportunity before the data generation starts. This is a win for transparency, forcing companies to be upfront about the lack of federal privacy protection for your fitness tracking data.
Finally, the bill acknowledges the elephant in the room: the value of your health data to researchers. Section 5 commissions the National Academies of Sciences, Engineering, and Medicine to study the risks and benefits of compensating patients for sharing their identifiable health data for research. This study will look at everything from privacy risks when combining data sets to the ethics of paying people for their information. This is a crucial step toward recognizing that patient data is valuable and that individuals should potentially benefit from its use.