A new bill seeks to modernize health privacy laws by extending federal protections to data from health apps, smartwatches, and other non-HIPAA technologies.
Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has introduced the Health Information Privacy Reform Act, a bill designed to close the gaps in health data privacy left by the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA regulates how healthcare providers and related entities handle protected health information (PHI), it does not cover health data collected by consumer technologies such as wearable devices and mobile apps.
The proposed legislation seeks to extend similar privacy, security, and breach notification standards to these emerging technologies, ensuring that sensitive health data cannot be collected or shared without consent.
When HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996, most personal health information existed only within clinical or insurance settings. Today, millions of Americans generate health data daily through non-HIPAA-regulated platforms, like smartwatches, fitness trackers, fertility apps, and digital health monitoring tools. These technologies often collect detailed personal and biometric data but are not bound by the same privacy safeguards as traditional healthcare entities.
Although some protections exist under laws like the FTC Act and the Health Breach Notification Rule, these are limited in scope and vary from state to state. Senator Cassidy’s bill seeks to create a unified national standard that would apply to health technologies and providers operating outside HIPAA and the HITECH Act of 2009.
The bill would require the Department of Health and Human Services (HHS), in coordination with the Federal Trade Commission (FTC), to develop comprehensive privacy and security standards. These rules must align with existing HIPAA protections wherever possible and include new provisions for transparency, consumer consent, and data portability.
“Smartwatches and health apps change the way people manage their health. They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room,” said Senator Cassidy. “Let’s make sure that Americans’ data is secured and only collected and used with their consent.”
The bill also directs HHS to establish national standards for the de-identification of health data and to study whether patients should be compensated for sharing personal health information for research purposes. Enforcement authority would be shared between HHS and the FTC, with penalties aligned to HIPAA’s existing civil fine structure.
According to analysis from Wilson Sonsini, the bill “represents a significant departure from HIPAA’s current access requirements,” particularly because HIPAA “does not permit covered entities to impose restrictions on how recipients of PHI use such data” and “does not require individuals to disclose the purposes for which they are requesting access to their PHI.”
These proposed changes signal a shift toward tighter control and greater accountability regarding how health data is accessed and used, especially as more information is generated from devices and apps operating outside traditional HIPAA boundaries.
HIPAA covers data held by healthcare providers, insurers, and related partners, while the new act extends similar protections to data from consumer health technologies like fitness trackers and health apps.
No. States may still strengthen their privacy laws. The bill’s preemption clause allows states to impose stricter standards where desired.
Companies that collect health data outside HIPAA will need to meet new national privacy, security, and breach notification requirements once established by HHS and the FTC.
The bill requires guidance on how the “minimum necessary” standard applies to data used in AI and machine learning applications, with the aim of limiting unnecessary data collection.
If passed, HHS would have one year to develop and publish unified national standards for protecting, securing, and de-identifying health information.