Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

How new privacy rules could reshape health app compliance

Written by Lusanda Molefe | November 25, 2025

Senator Bill Cassidy's Health Information Privacy Reform Act would fundamentally transform how healthcare organizations approach digital health partnerships. The legislation, introduced November 4, 2024, extends HIPAA-like protections to the approximately 320 million global health app users whose data currently sits in a regulatory gray zone, according to Business of Apps market research.

For healthcare organizations already managing complex compliance requirements, the bill introduces new oversight obligations that would affect everything from employee wellness programs to patient-recommended fitness trackers.

Read more: New bill targets wearables as Congress moves to close health privacy gap

The proposed framework creates a new category called "applicable health information" (AHI), any identifiable data relating to past, present, or future health conditions, regardless of source. This definition would capture wellness app data, wearable device metrics, and consumer-generated health information under federal privacy protections for the first time. Business of Apps reports that the health and fitness app market generated $3.7 billion in revenue in 2024, with 388 million app downloads recorded globally. Nearly all of these applications currently operate outside HIPAA's jurisdiction.

According to the bill text, HHS would be required, in consultation with the Federal Trade Commission, to establish privacy, security, and breach notification standards for "regulated entities," essentially any non-healthcare company processing health-related data. The legislation specifically states these standards must provide protections "at least commensurate with" HIPAA's existing framework, while harmonizing requirements with HIPAA where feasible.

Go deeper: What are the compliance issues that health apps face?


The expanding compliance perimeter

Healthcare organizations face immediate challenges in determining which technology partnerships would fall under the new requirements. A hospital system using meditation apps in its employee wellness program, integrating consumer wearables into chronic disease management, or recommending fitness apps to patients would need to reassess each relationship through a compliance lens.

According to Wilson Sonsini's analysis by Jodi Daniel, Hale Melnick, and Laura Ahmed, the bill's definition of applicable health information is expansive, covering any information linked or linkable to an individual that relates to their health, regardless of whether it was created by a healthcare provider.

Under Section 2 of the proposed legislation, regulated entities must implement administrative safeguards, including privacy officer designation, workforce training, and incident response procedures. Technical requirements would encompass encryption, access controls, and audit logging based on NIST or HHS cybersecurity frameworks. These mirror HIPAA's Security Rule but apply to entities with no prior experience navigating healthcare compliance.

Section 6 of the bill also introduces transparency requirements that could complicate clinical workflows. Regulated entities generating "wellness data," defined in the legislation as information used for health promotion, including "vital statistics, step counts, and medical regimen compliance," must notify users that this data lacks HIPAA protection and offer opt-out mechanisms. For providers recommending consumer health tools, this creates uncertainty about their oversight responsibilities when patients independently adopt these technologies.


Redefining patient access rights

The most significant operational change involves modifications to HIPAA's right of access provisions, outlined in Section 3 of the bill. Currently, patients can direct providers to share their health information with third parties through relatively simple requests. The bill would instead require written authorizations meeting HIPAA's strict requirements under 45 C.F.R. § 164.508(b), including a specific description of the information to be disclosed, identification of the recipient, an expiration date, and a statement of the individual's right to revoke.

Section 3(a)(2) of the legislation would allow covered entities to condition data sharing on third-party recipients "acknowledging and accepting the terms, limitations, and conditions of use and disclosure contained in the request made by the individual as the legally binding obligation of the person receiving the information." Providers could also charge fees for transmitting data to third parties, though exceptions would apply for sharing with other healthcare providers or the patient's own health apps maintained by their provider.

According to Libbie Canter, Anna D. Kraus, Elizabeth Brim, and Natalie Maas, "This represents a significant departure from HIPAA's current access requirements, which do not permit covered entities to impose restrictions on how recipients of PHI use such data and do not require individuals to disclose the purposes for which they are requesting access to their PHI."

This provision appears to conflict with the 21st Century Cures Act's information blocking rules, which prohibit practices that interfere with access, exchange, or use of electronic health information. According to a 2023 mixed-methods study published in BMC Health Services Research, the Cures Act was specifically designed to eliminate barriers to patient data access, with healthcare organizations required to provide "rapid access to all clinical notes and medical test results" without impediments. The research, which surveyed 29 cancer patients and 29 clinicians at a National Cancer Institute-designated comprehensive cancer center, found that 51.7% of patients supported the Cures Act's immediate access provisions, viewing them as empowering and essential for informed decision making. Healthcare organizations would need to balance these competing mandates: facilitating the interoperability and immediate access required under Cures while implementing the new authorization barriers proposed in Cassidy's privacy framework. That balancing act could create confusion for both providers and patients who have grown accustomed to streamlined data sharing.


Navigating the de-identification challenge

Section 8 of the bill mandates unified national standards for de-identifying health information that "equal or exceed" current HIPAA requirements. These standards must address privacy-enhancing technologies and require contractual agreements preventing re-identification attempts. For healthcare organizations running analytics programs or participating in research networks, this could disrupt existing data-sharing arrangements.

HIPAA's two current de-identification methods, the Safe Harbor method (removal of 18 specified identifiers) and Expert Determination, have provided a workable framework for two decades. The bill's Section 8(b)(3) requirement for written agreements prohibiting re-identification adds a contractual layer to what has been primarily a technical standard. Organizations sharing de-identified data for quality improvement, population health, or research would need to execute new agreements with every recipient.

Section 7 of the legislation also directs HHS to publish guidance within one year on applying HIPAA's minimum necessary standard to artificial intelligence and machine learning applications. This acknowledges that current regulations haven't addressed how much data AI systems legitimately need to function effectively. Healthcare organizations developing or deploying AI tools would need to document why specific data elements are necessary for algorithm training and operation.


Practical implications for implementation

Healthcare organizations should begin preparing for potential compliance changes, even as the bill moves through the legislative process. Based on the bill's requirements, key preparatory steps include conducting an inventory of all consumer health technology partnerships and recommendations, mapping data flows between clinical systems and consumer applications, reviewing existing business associate agreements for gaps, and assessing employee wellness program compliance structures.

Section 2(b) establishes a dual enforcement mechanism, HHS authority with FTC consultation, that introduces jurisdictional complexity. Organizations could face investigations from either agency, potentially with different interpretations of requirements. Section 2(c) adopts HIPAA's penalty structure outlined in 45 C.F.R. Part 160 Subpart D, with civil monetary penalties reaching $2 million per violation category annually.

As Senator Cassidy stated in announcing the bill, "Smartwatches and health apps change the way people manage their health. They're helpful tools, but present new privacy concerns that didn't exist when it was just a patient and a doctor in an exam room."

For health systems already managing HIPAA compliance, the bill represents both an expansion of existing obligations and the introduction of entirely new oversight responsibilities. Success will require not just updating policies and procedures, but fundamentally reconsidering how healthcare organizations approach partnerships with digital health platforms.


FAQs

What is a regulated entity under the proposed bill?

Any natural or legal person that determines the purpose and means of processing health information, excluding government entities, HIPAA-covered entities, and business associates. This would include most consumer health apps, wearable device manufacturers, and wellness platforms.


How would employee wellness programs be affected?

Employer-sponsored wellness apps and wearable programs would likely become regulated entities requiring HIPAA-level protections. Organizations would need to ensure these programs implement required privacy, security, and breach notification standards.


What are privacy-enhancing technologies?

Technical methods including differential privacy, homomorphic encryption, and secure multi-party computation that protect individual privacy while enabling data analysis. The bill would require HHS to establish standards for using these technologies in de-identification processes, potentially enabling new approaches to protecting health data while maintaining utility for research and analytics.
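To make the contrast between the two approaches concrete (the Safe Harbor generalizations discussed in the de-identification section and the differential privacy named here), the following Python sketch applies three Safe Harbor rules to sample records and then releases an aggregate count through the Laplace mechanism with a privacy budget. This is an added illustration, not code from the bill, from Paubox, or from any regulator; the patient records and the list of sparsely populated three-digit ZIP areas are constructed sample data, and the epsilon values are arbitrary choices for the demo.

```python
"""Safe Harbor generalisation beside an epsilon-differentially-private count.
Added illustration; the records, the SPARSE_ZIP3 set and the epsilon values
are constructed assumptions for the demo, not real data or mandated settings.
"""
import math
import random
from datetime import date

# Safe Harbor keeps the first three ZIP digits only if the three-digit area holds
# more than 20,000 people; otherwise it becomes 000. Constructed sample set.
SPARSE_ZIP3 = {"036", "059", "102"}

# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "A. Patient", "zip": "03601", "age": 92, "admitted": date(2019, 3, 4), "diagnosis": "diabetes"},
    {"name": "B. Patient", "zip": "90210", "age": 45, "admitted": date(2021, 7, 9), "diagnosis": "asthma"},
    {"name": "C. Patient", "zip": "10001", "age": 67, "admitted": date(2020, 1, 1), "diagnosis": "diabetes"},
    {"name": "D. Patient", "zip": "05901", "age": 89, "admitted": date(2018, 11, 30), "diagnosis": "hypertension"},
    {"name": "E. Patient", "zip": "60601", "age": 34, "admitted": date(2022, 5, 15), "diagnosis": "diabetes"},
    {"name": "F. Patient", "zip": "10201", "age": 90, "admitted": date(2023, 2, 2), "diagnosis": "asthma"},
]


def generalize_zip(zip_code: str) -> str:
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def generalize_age(age: int) -> str:
    # Safe Harbor: ages over 89 are aggregated into a single "90 or older" bucket.
    return "90+" if age >= 90 else str(age)


def generalize_date(d: date) -> str:
    # Safe Harbor: every date element except the year is removed.
    return str(d.year)


def safe_harbor_record(rec: dict) -> dict:
    """Drop direct identifiers and generalise the quasi-identifiers."""
    return {
        "zip3": generalize_zip(rec["zip"]),
        "age": generalize_age(rec["age"]),
        "admit_year": generalize_date(rec["admitted"]),
        "diagnosis": rec["diagnosis"],
    }


def laplace_noise(scale: float, rng: random.Random) -> float:
    # Inverse-CDF sampling of Laplace(0, scale).
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Tracks total epsilon so repeated queries cannot silently erode privacy."""

    def __init__(self, total_epsilon: float):
        self.remaining = total_epsilon

    def spend(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.remaining -= epsilon


def dp_count(records: list, predicate, epsilon: float, budget: PrivacyBudget, rng: random.Random) -> float:
    """Laplace mechanism: a count has sensitivity 1, so noise scale is 1/epsilon."""
    budget.spend(epsilon)
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def demo(seed: int) -> dict:
    """Run the whole flow deterministically for a given seed and return the results."""
    rng = random.Random(seed)
    is_diabetes = lambda r: r["diagnosis"] == "diabetes"
    budget = PrivacyBudget(total_epsilon=1.0)
    released = dp_count(SAMPLE_RECORDS, is_diabetes, 0.5, budget, rng)
    dp_count(SAMPLE_RECORDS, is_diabetes, 0.5, budget, rng)  # second query uses the rest
    try:
        dp_count(SAMPLE_RECORDS, is_diabetes, 0.5, budget, rng)  # third must be refused
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {
        "true_count": sum(1 for r in SAMPLE_RECORDS if is_diabetes(r)),
        "released_count": released,
        "budget_exhausted": exhausted,
        "deidentified": [safe_harbor_record(r) for r in SAMPLE_RECORDS],
    }


if __name__ == "__main__":
    print(demo(seed=1))
```

Two points the code makes that the FAQ does not: Safe Harbor is a one-way transformation applied per record (and the output still carries quasi-identifiers such as a year and a three-digit ZIP), whereas differential privacy protects the aggregate release and is only as strong as the budget that governs how many noisy answers are handed out.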


Would this replace existing state health privacy laws?

No. The bill adopts HIPAA's preemption standard, which sets a federal floor rather than a ceiling. States could maintain more stringent requirements, meaning organizations would need to comply with both federal and state frameworks. Laws like Washington's My Health My Data Act would continue to apply where they provide greater protection.