Senator Cassidy Introduces Sweeping Health Privacy Bill

Wilson Sonsini Goodrich & Rosati

On November 4, 2025, Sen. Bill Cassidy (R-LA) introduced the Health Information Privacy Reform Act (the Act), which would, among other things, expand the privacy protections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to health-related data handled by entities that HIPAA does not currently cover (“regulated entities” under the Act). The Act includes several provisions similar to Washington’s My Health My Data Act (MHMD),[1] which extends privacy protections to “consumer health data” collected by entities that are not covered under HIPAA. The Act would also make changes to the existing HIPAA rules and to the substance use disorder confidentiality rules at 42 C.F.R. Part 2.

Expanding Health Privacy Protections to Non-HIPAA-Covered Entities

The legislation seeks to impose privacy protections on a new set of “regulated entities” that handle “applicable health information.”

Scope. Under the Act, a “regulated entity” is defined as any “natural or legal person that [...] determines the purpose and means of processing applicable health information.” This broad definition would reach organizations that do not specialize in or provide traditional healthcare services. Also of note, the Act contains no exception for small businesses or nonprofit organizations, unlike many of the U.S. state comprehensive consumer privacy laws such as the California Consumer Privacy Act.

Although several of the Act’s privacy obligations apply only to entities that handle “applicable health information,” that term is defined expansively to include any information linked or linkable to an individual that relates to: 1) the past, present, or future health of the individual, 2) the provision of healthcare to the individual, or 3) payments made for healthcare provided to the individual. This is arguably even broader than MHMD’s definition of “consumer health data,” which itself could extend to relatively innocuous information such as the purchase of groceries or first aid supplies.[2]

Extension of HIPAA Protections. The Act calls for the Secretary of the U.S. Department of Health and Human Services (HHS) to issue regulations that would extend many of the protections of the HIPAA Privacy, Security, and Breach Notification Rules to applicable health information processed by regulated entities and their service providers. This would be a significant step toward extending federal health data privacy rules, including restrictions on use and disclosure, to the large volume of health data that sits outside the traditional healthcare system, such as health information processed by direct-to-consumer applications.

Transparency Requirements. In addition to expanding HIPAA protections to applicable health information, the Act also seeks to improve transparency about when current HIPAA protections do and do not apply to individuals’ health-related information. For example, under the Act, when a regulated entity or its service provider obtains an individual’s protected health information (PHI) through the patient’s right of access under 45 C.F.R. 164.524, the regulated entity or service provider would be required to notify the individual that the PHI will no longer be protected by HIPAA and may be redisclosed. Further, if the regulated entity or service provider generates “wellness data” about an individual, it must notify the individual in advance that such generated data will not be protected under HIPAA and offer the individual an opt-out. “Wellness data” refers to any data generated “for the purpose of promoting health or preventing disease” and includes information such as daily step counts.

Changes to Treatment of PHI and SUD Records Under HIPAA and Part 2

Access to PHI. The Act would also impose new restrictions on individuals’ right to access PHI. Current HIPAA regulations do not necessarily require individuals to complete a written authorization in order to direct a covered entity or business associate to share their PHI with a third party. Under the Act, however, in order to exercise the right of access, individuals would be required to submit an authorization explaining, among other things, the purpose of the disclosure, before the covered entity or business associate could disclose their PHI to the third party, including a regulated entity.[3] Further, the covered entity or business associate transmitting the PHI could require the third party recipient to agree to be legally bound by any use and disclosure terms included in the individual’s written authorization. The covered entity or business associate would also be able to condition the transmission of such PHI on the recipient paying fees in accordance with applicable state law, subject to certain exceptions.[4]

These changes represent a significant departure from HIPAA’s current access requirements, which do not permit covered entities to impose restrictions on how recipients of PHI use such data and do not require individuals to disclose the purposes for which they are requesting access to their PHI.

Confidentiality of SUD Records. The Act would also amend the Public Health Service Act to align the confidentiality requirements applicable to substance use disorder (SUD) treatment records with the requirements that apply to PHI more generally. SUD treatment records are currently afforded heightened confidentiality protections under 42 C.F.R. Part 2; prior written consent of the patient is required before the records can be used or disclosed for treatment, payment, and healthcare operations, among other purposes.

Data Minimization and De-identification

One area of particular focus under the Act is the responsible use of identifiable and de-identified data, particularly as more health data is used for artificial intelligence (AI) and machine learning. The Act calls upon the Secretary of HHS to publish guidance on how to apply HIPAA’s “minimum necessary” standard to data used for AI and machine learning development, as well as guidance on when it would be appropriate to use “limited data sets” as defined under the HITECH Act. The Secretary would also be required to promulgate new regulations establishing national standards for de-identifying applicable health information.

The Act also calls for the National Academies of Sciences, Engineering, and Medicine to conduct a study to examine the potential risks and benefits associated with paying patients to share identifiable data for research purposes.

Enforcement and Preemption

Unlike MHMD, the Act provides no private right of action, but it does allow for the imposition of civil penalties. The Act would set a floor for health privacy obligations: it would preempt contradictory state laws but would not preempt any state law that imposes more stringent privacy obligations. As a result, regulated entities would still need to review applicable state laws to determine whether stricter obligations apply.


[1] For more information on MHMD, please see our client alert here.

[2] Attempts to limit the broad definition of “consumer health data” during the MHMD legislative process and to clarify that the term is not intended to include information from everyday purchases such as footwear, groceries, cleaning products, and first aid supplies were rejected.

[3] This requirement does not apply if disclosure without authorization is already permitted under current HIPAA regulations, and the contemplated disclosure is for treatment, payment, or healthcare operations.

[4] These fees may not be imposed if the recipient of the PHI is the individual, the individual’s personal representative for healthcare purposes, certain individuals involved in the individual’s healthcare or payment related to healthcare, or the individual’s healthcare provider or business associates of such provider. A covered entity or business associate also may not impose a fee if the PHI is being transmitted at the patient’s request to the patient portal or a health app used and maintained by the individual’s healthcare provider or such provider’s business associate.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wilson Sonsini Goodrich & Rosati