Move over HIPAA…the health privacy landscape may be in for a shakeup. On November 4, 2025, Senator Bill Cassidy, M.D. (R-LA) introduced the Health Information Privacy Reform Act (HIPRA), a bill aimed at closing a gap in health data protections. HIPAA has long governed the privacy of traditional medical records held by health care providers and health plans, but what about the data collected by your smartwatch, fitness app, or wellness platform? That data is currently governed by a patchwork of state laws and Federal Trade Commission (“FTC”) rules and guidance. HIPRA aims to change that.
According to the press release, HIPRA is intended to “expand health privacy protections to account for new technologies that are not currently required to have privacy protections, such as wearables and health apps.”
What Would HIPRA Cover?
The bill introduces a new category of health data called “Applicable Health Information” (AHI). AHI is any identifiable (or reasonably identifiable) data about an individual’s health or healthcare and “may include information…that was not created or received by a healthcare provider, health plan, employer, or health care clearinghouse” (emphasis added). If your fitness tracker logs your heart rate or your app tracks your sleep patterns, that data could fall under HIPRA.
HIPRA’s structure would mirror HIPAA’s covered entity and business associate framework. The bill defines “Regulated Entities” as organizations that determine the processing of AHI, and “Service Providers” as organizations that process AHI on behalf of a Regulated Entity. Government agencies and HIPAA-covered entities and business associates are excluded, but tech companies and app developers that collect health data falling outside HIPAA’s definition of protected health information (PHI) are squarely (and intentionally) in scope.
What Would Change?
If HIPRA becomes law, the Department of Health and Human Services (“HHS”), in consultation with the FTC, would be tasked with developing HIPAA-like privacy, security, and breach notification standards for AHI, publishing guidance on applying the “minimum necessary” standard to artificial intelligence and machine learning technologies, and creating national de-identification standards.
Regulated Entities would be required to comply with the privacy, security, and breach standards HHS develops in consultation with the FTC. HIPRA would also require Regulated Entities to notify users when HIPAA protections do not apply to their data, and to obtain the individual’s permission before selling AHI.
When Would This Happen?
HIPRA would take effect one year after enactment, and enforcement would mirror HIPAA’s civil penalty framework. That means there could be real financial consequences for companies that fail to comply.
Preemption
HIPRA’s federal standards would set a floor rather than a ceiling. As under HIPAA, states could adopt stricter privacy rules for AHI, but state rules that are less stringent than the federal standards would be preempted.
Why It Matters
HIPRA is still early in the legislative process, but its introduction signals a clear trend: lawmakers are moving to close the non-PHI health privacy gap. Businesses that collect AHI can get ahead of the curve by inventorying the health data they collect, where it flows, and which vendors process it on their behalf, and by reviewing the privacy and security programs that would fall in scope.
