
New bill targets wearables as Congress moves to close health privacy gap

Sen. Bill Cassidy introduced the Health Information Privacy Reform Act (S.B. 3097) on November 5, 2025, marking one of the most notable congressional efforts to modernize health privacy rules since HIPAA’s original enactment in 1996.

 

What happened 

On November 5, 2025, Sen. Bill Cassidy introduced the Health Information Privacy Reform Act (S.B. 3097), a proposal that would require the companies behind wearables and health apps to tell users how their data is used and to give them a clear way to opt out of data collection altogether. 

Cassidy argues that wellness data such as step counts, heart-rate trends, and medication-adherence reminders did not exist when HIPAA was written in 1996, leaving millions of Americans exposed to silent data harvesting. The bill directs HHS and the FTC to write new rules that apply specifically to wearables and wellness apps, making it one of the first major federal legislative moves to regulate health data collected outside the clinical environment. 

Privacy advocates say the bill could reshape how tech companies handle sensitive behavioral and biometric information, while healthcare organizations see it as a sign that wellness data may soon fall under stricter national standards.

 

What was said

In a press release, Dr. Cassidy noted, “Smartwatches and health apps change the way people manage their health. They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room. Let’s make sure that Americans’ data is secured and only collected and used with their consent.”

 

Why it matters 

Cassidy’s bill lands in a fast-moving patchwork of rules that already reaches beyond HIPAA, which is why it matters both for consumer apps and for traditional providers that increasingly ingest app-generated data. Washington’s My Health My Data Act (effective 2024) treats broadly defined consumer health data as protected, bans its sale without a separate, signed authorization, and applies even to small firms. Because it carries a private right of action, it creates litigation risk for any organization touching Washington residents’ health data, including hospitals running wellness campaigns and vendors powering patient apps.

At the federal level, the FTC finalized updates to the Health Breach Notification Rule in April 2024 to explicitly cover health apps and similar technologies, and it had already enforced against GoodRx in 2023 for sharing users’ health data with advertising platforms, signaling that non-HIPAA health data is squarely in regulators’ sights.

Congress has flirted with adjacent reforms before (e.g., Baldwin–Cassidy’s Health Data Use and Privacy Commission Act and prior Protecting Personal Health Data Act proposals), underscoring long-standing bipartisan concern that HIPAA leaves wearables and wellness apps uncovered.

 

What happens next

The bill first goes to the Senate HELP Committee, where members will debate the scope of “wellness data,” consider amendments, and take testimony from HHS, the FTC, consumer advocates, and the digital-health companies that would fall under the new rules. If the committee advances it, the bill heads to the full Senate for a vote and then to the House, where committees may push for broader consumer-data protections. Only once the bill is signed into law would HHS and the FTC begin the rulemaking the text explicitly assigns to them, so the new obligations would not take effect on the day of enactment.


 

FAQs

Do wearables fall under HIPAA?

Most wearables are not covered by HIPAA because they are operated by consumer tech companies, not healthcare providers or health plans.

 

When does wearable data become HIPAA-protected?

Wearable data becomes protected under HIPAA only once a covered entity (such as a provider or health plan) or its business associate receives it and collects, stores, or integrates it into a medical record or clinical workflow; at that point it is protected health information in the covered entity’s hands, even though the same data on the consumer’s device remains outside HIPAA.

 

Why are fitness apps and smartwatches usually outside HIPAA?

Because they collect data directly from consumers for personal use, not as part of a provider–patient relationship.