Closing the Gap: Analyzing Senator Cassidy's New Privacy Bill
Last week, Senator Bill Cassidy (R-LA) introduced the Health Information Privacy Reform Act (HIPRA), a bill designed to bring health data protections in line with how information is created and shared today. HIPAA was drafted in the mid-1990s, when most health information lived in doctors’ offices or insurer databases and was exchanged by fax or early electronic systems.
Today’s ecosystem looks very different. Health data now moves through mobile apps, wearables, AI platforms, and wellness devices that operate outside HIPAA and often lack clear privacy protections. Cassidy’s bill aims to bridge that gap by expanding rules, rights, and transparency across a much broader data landscape. It’s not a modernization of HIPAA, but it is intended to address long-standing, pervasive issues with our current patchwork of privacy laws and regulations.
Senator Bill Cassidy, MD, a physician by training, serves as Ranking Member of the Senate Health, Education, Labor & Pensions (HELP) Committee. In recent years he has been an active voice on digital-health and privacy issues. Notable efforts include:
In 2021 he raised concerns that data collected by smart devices like fitness trackers could be used to influence insurance coverage or reveal sensitive health conditions.
In February 2024 his office released a report recommending modernization of the HIPAA framework and stronger protections for health-related data not currently covered by the law.
He also introduced the DELETE Act, a bill aimed at giving individuals more control over data held by brokers, including the right to delete it.
This new bill builds on that record and positions Cassidy as one of the few lawmakers consistently focused on extending privacy protections beyond HIPAA’s original boundaries. And his background as a physician lends credibility to his focus on bridging clinical practice and digital privacy policy.
As I discussed in Part 3 of “The Digital Health Divide”, the existing HIPAA framework reflects the health care system of the mid-1990s, not the system we have today. The lines between health and health-related data have blurred, and information no longer lives only in EHRs or claims. Information about a person’s behavior, location, or device readings can be just as sensitive as their medical record, yet under current law, most of that information falls outside HIPAA’s reach. Cassidy’s bill acknowledges the gap and proposes extending a comparable set of privacy, security, and accountability standards to the rest of the health tech ecosystem.
The proposed bill would:
Expand who’s covered. It introduces a new category of regulated entities (for example, health apps, wellness platforms, and data brokers) that handle identifiable health-related information but are not traditional HIPAA “covered entities.”
Add new individual rights. Beyond HIPAA’s existing access and amendment rights, the bill introduces the novel rights of data deletion and portability (the ability to easily move data between platforms), aligning with growing interest in interoperability and consumer empowerment.
Increase transparency. When data moves from a HIPAA-covered environment into a non-HIPAA one, receiving organizations would have to provide plain-language notice explaining that HIPAA protections no longer apply, similar to existing notice requirements under HIPAA.
Update technical standards. The Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), would issue new guidance on AI, machine-learning applications, and de-identification of health information.
Extend enforcement. The civil penalty structure would mirror HIPAA’s, but would apply to the broader set of entities under this bill, not just providers, payers and business associates.
HIPRA is not intended to replace HIPAA, nor is it a modernization of it; rather, they would run in parallel. HIPAA remains the governing law for health-care providers, health plans, and their business associates. HIPRA would apply to the consumer-tech and digital-health layer that now sits between patients and traditional care delivery. In practice, this could create a more unified baseline for privacy and security expectations, regardless of whether data originates in an electronic health record or on a smartwatch.
For organizations already implementing ONC’s TEFCA framework or FHIR-based APIs under the 21st Century Cures Act, HIPRA wouldn’t necessarily change the technical architecture, but it could redefine accountability for how those data connections are governed and communicated to consumers.
Significance and Potential Hurdles
For health care and digital health organizations, this bill signals three important shifts:
The perimeter of accountability is widening. Organizations that once operated outside HIPAA may soon need comparable compliance programs. Many already follow HIPAA voluntarily as a best practice; this bill would turn that voluntary baseline into an enforceable obligation backed by civil penalties.
Data transparency will move upstream. Providers and payers offering patient-access tools will need to coordinate more closely with app developers to ensure individuals understand what happens once their data leaves a HIPAA environment.
Policy is catching up to interoperability. After years of focusing on technical exchange, this bill acknowledges the need for complementary privacy and governance standards, something that is long overdue.
While the intent is clear, organizations preparing for this change should note that several implementation issues are likely to arise if the bill moves forward:
Compliance Burden: Smaller digital health startups and data brokers that were previously unregulated will face a significant compliance lift, requiring them to implement HIPAA-like security and privacy programs.
Jurisdictional Conflicts: Defining the precise jurisdictional boundary between the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will be critical and complex, particularly where consumer apps are involved, potentially leading to regulatory confusion in the short term.
Definition Creep: Determining what qualifies as a “regulated entity” could prove challenging. Without clear thresholds, even analytics vendors or cloud providers might fall within scope, risking over-extension of enforcement capacity.
HIPRA will also need to align with the FTC’s Health Breach Notification Rule and a growing landscape of state privacy laws (notably California and Washington). How effectively federal regulators harmonize these frameworks will determine whether HIPRA simplifies compliance or adds another layer to it.
And with much of Congress’s attention currently on ACA subsidies and the cost of care, it is unclear how much traction this bill will gain. But Cassidy’s continued push to update the nation’s privacy framework deserves attention.
The Takeaway
HIPAA remains foundational, but it was never meant to govern the full spectrum of health data that exists today. HIPRA recognizes that health information no longer lives solely inside hospitals or claims systems; it follows people into their homes, their devices, and their daily routines.
Whether or not HIPRA advances, it signals where federal policy might be headed: toward a unified privacy baseline that extends beyond covered entities to the entire health-data supply chain. Organizations that anticipate that shift now will be better positioned when regulation catches up.
If enacted, the bill could help close the “HIPAA gap” by harmonizing privacy expectations across both regulated health care and the expanding digital health frontier. The real test, as always, will be in implementation: how agencies define regulated entities, align enforcement, and translate legislative intent into operational practice.