Health Information Privacy Reform Act
- Bill Number
- S. 3097
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 1
- Policy Area
- Commerce
- Status
- Introduced
- Latest Action
- 2025-11-04: Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
- Last Updated
- 2025-12-09T22:17:19Z
AI-Generated Summary
Purpose
The Health Information Privacy Reform Act aims to expand and strengthen privacy protections for health-related information beyond the current Health Insurance Portability and Accountability Act (HIPAA) framework. It targets data handled by non-healthcare entities, such as tech companies or apps, to prevent misuse, enhance individual rights, and address modern challenges like artificial intelligence (AI) and data de-identification (removing personal identifiers to anonymize data).
Key Provisions
- Expanded Protections for Health Data (Section 2): Requires the Secretary of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to create regulations for "applicable health information" (broadly defined as any data identifying or linkable to an individual's health, care, or payment, even if not from traditional healthcare sources). These rules mirror HIPAA's privacy, security, and breach notification standards but apply to "regulated entities" (data controllers outside government or HIPAA-covered groups) and their "service providers" (data processors).
- Privacy rules cover permitted uses (e.g., public health needs), required authorizations, prohibitions, minimum necessary data use (only what's essential), individual rights (e.g., access, amendment, deletion), and safeguards like training and privacy officers.
- Security rules mandate physical, technical, and administrative protections, drawing from established frameworks like those from the National Institute of Standards and Technology (NIST).
- Breach notifications follow HIPAA models, with enforcement through civil penalties up to specified amounts per violation.
- Access Rights and Fees (Section 3): Updates HIPAA rules to allow covered entities (e.g., doctors, insurers) and their associates to charge fees and impose conditions (e.g., agreements on data use) when individuals direct their protected health information (PHI) to third parties, ensuring requests meet authorization standards.
- Confidentiality Amendments (Section 4): Modifies the Public Health Service Act to align substance use disorder records' confidentiality with HIPAA regulations, simplifying disclosures.
- Study on Data Compensation (Section 5): Directs HHS to contract with the National Academies of Sciences, Engineering, and Medicine (NAS) within 60 days to study risks and benefits of paying patients for sharing identifiable health data in research, covering privacy risks, ethical issues, consent tracking, and re-identification threats.
- Notification Requirements (Section 6):
- Entities accessing PHI via patient requests must notify individuals in plain language that the data loses HIPAA protections upon transfer and obtain consent for sales.
- Providers of digital wellness tools (e.g., fitness trackers generating step counts or health stats) must notify users upfront that data isn't HIPAA-protected and offer opt-out options. Effective one year after enactment.
- Minimum Necessary Guidance (Section 7): HHS must issue guidance within one year on applying the "minimum necessary" standard (limiting data use to essentials) to AI and machine learning, including interoperability (data sharing standards) and limited datasets.
- De-Identification Standards (Section 8): HHS must establish national rules within one year for anonymizing applicable health information, exceeding current HIPAA standards. Includes privacy-enhancing technologies (tools like encryption to protect data) and contractual bans on re-identification attempts.
- Preemption (Section 9): Federal rules preempt conflicting state laws, similar to HIPAA, to create uniform national standards.
Significant Changes to Existing Law
- Extends HIPAA-like protections to non-HIPAA entities (e.g., social media or consumer apps handling health data), closing gaps in current law that only covers healthcare providers, plans, and their partners.
- Introduces notifications and opt-outs for wellness data and third-party access, which weren't explicitly required before.
- Aligns substance use records more closely with HIPAA, reducing inconsistencies.
- Adds specific AI guidance and enhanced de-identification rules, updating HIPAA for emerging technologies.
- Allows conditional fees for third-party data sharing, potentially shifting from free access under prior rules.
Potential Impacts
- On Citizens: Improves privacy by limiting unauthorized uses, enhancing rights to control and access data, and requiring clear notices, potentially reducing identity theft or discrimination risks from health data breaches. However, it may increase costs for obtaining records from third parties.
- On Government Agencies: HHS and FTC gain enforcement authority and rulemaking duties, increasing workload but enabling better oversight of non-healthcare data handlers. Could lead to more coordinated federal privacy efforts.
- On Businesses: Regulated entities and service providers (e.g., tech firms, data brokers) face new compliance costs for regulations, notifications, and penalties, but harmonization with HIPAA may simplify processes for hybrid operations.
- International Relations: Minimal direct impact, though unified U.S. standards could influence global data privacy norms or affect cross-border health data flows in research collaborations.
Main Stakeholders Affected
- Individuals: Primary beneficiaries through stronger privacy rights and notifications, but may face fees or conditions when sharing data.
- Regulated Entities and Service Providers: Non-HIPAA companies (e.g., fitness apps, social media platforms) handling health data, now subject to new rules and penalties.
- Covered Entities and Business Associates: Healthcare providers, insurers, and their vendors, with adjusted access and confidentiality rules.
- Government Agencies: HHS (rulemaking, enforcement, guidance) and FTC (consultation), plus NAS for the research study.
- Researchers and Tech Developers: Impacted by de-identification standards, AI guidance, and the compensation study, affecting data use in studies or tools.
Notable Legal, Constitutional, or Political Implications
- Legal: Strengthens enforcement with HIPAA-style penalties, potentially leading to more lawsuits or audits for violations. Preemption clause may limit state innovations in privacy laws, creating uniformity but reducing flexibility.
- Constitutional: Bolsters privacy expectations under the Fourth Amendment (protection from unreasonable searches) by expanding safeguards for sensitive health data, though it doesn't create new constitutional rights.
- Political: Reflects growing bipartisan concern over data privacy in the digital age, especially post-major breaches, and could set a precedent for regulating non-healthcare sectors without broad new laws like a federal privacy act. The NAS study may inform future debates on incentivizing research participation.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Recent Actions
- 2025-11-04: Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
- 2025-11-04: Introduced in Senate
Bill Versions
- Health Information Privacy Reform Act — issued 2025-11-04 — PDF (18 pages)