HIPRA Is a Warning: Consumer Health Companies and HIPAA-Covered Entities Need to Rethink Privacy Now
The Health Information Privacy Reform Act (HIPRA) proposed by Senator Bill Cassidy (R-LA) on November 4th, 2025, is best read as a preview of the future of health-data regulation, even if it does not become law. If passed, HIPRA would extend “medical-grade” privacy, security, and breach obligations to a wide swath of consumer-focused digital health companies, such as smartwatches, wearables, health and wellness apps, life science companies with patient apps, health plans and hospitals’ online tools, retail clinics, data/AI vendors, and employer wellness programs that sit outside traditional (HIPAA) coverage today. However, even without HIPRA, state-specific health privacy laws such as Washington’s My Health My Data Act, and comprehensive state privacy laws such as the Maryland Online Data Privacy Act, have moved the regulation of consumer health data from a permissive, “use it unless restricted” consumer-privacy model, to a more prescriptive, “prohibited unless authorized” health-data regime similar to Health Insurance Portability and Accountability Act (HIPAA). Simply look at New York’s Health Information Privacy Act, which passed both chambers earlier this year and has recently been delivered to Governor Hochul’s desk.
As a result, it is paramount that digital health companies engage in a more unified, forward-looking privacy and security program now. A program that treats all health-related data as if HIPRA and HIPAA already applied, and that is designed to flex with evolving state and federal rules, is the most reliable way to minimize enforcement and litigation risk, keep hospital and payer partners comfortable, and earn durable consumer trust in the coming years.
What’s in scope and what entities are covered under HIPRA?
HIPRA covers “applicable health information,” which is defined broadly to include information that identifies an individual (or is reasonably linkable to an individual) and relates to health status, care, or payment, regardless of whether the data originated with a HIPAA covered entity.
HIPRA would apply to any entity that determines the purpose and means of processing applicable health information, and to its service providers who process applicable health information on its behalf, with very limited exceptions for governmental bodies and for HIPAA covered entities and business associates.
Based on this broad scope, many direct-to-consumer digital health companies and their service providers would be subject to HIPRA. In fact, the U.S. Senate Committee on Health, Education, Labor, and Pensions issued a press release stating that HIPRA is intended to account for “new technologies that are not currently required to have privacy protections, such as smartwatches and health apps.”
What is the impact on HIPAA-covered entities?
Under HIPRA, providers and other HIPAA covered entities remain subject to the HIPAA framework, but may need more rigorous procedures for patient access. In practice, organizations may be required to handle patient requests as if they were formal authorizations and, when appropriate, require third-party recipients to attest in writing to use and disclosure limitations before providing data as directed by patients. This will necessitate updates to access request forms, electronic health record (EHR) templates, and intake scripts so frontline staff can identify when information is headed to a non-HIPAA app, platform, or life sciences company and route the request through an authorization-grade workflow. Providers should also anticipate new HHS guidance on “minimum necessary” and de-identification, and begin documenting how they standardize data sets for analytics, AI, and external collaborations. Once the transfer occurs at the patient’s direction, the recipient—rather than the provider—is responsible for informing the patient that HIPAA no longer applies and for obtaining consent before any sale or remonetization of the data.
What is the impact on Digital Health Companies?
HIPRA would impose three main categories of requirements, similar to HIPAA: privacy, security, and breach.
First, privacy. Regulated entities would need to establish rules about when they can and cannot use or share health data. Key elements include implementing clear policies on permitted and prohibited uses of applicable health information, using the “minimum necessary” standard when processing applicable health information, obtaining written authorization for certain uses, and providing individuals with rights to access, correct, delete, and transfer their applicable health information, some of which do not currently exist under HIPAA.
Second, security. Regulated entities would need administrative, physical, and technical safeguards to protect applicable health information. For electronic data, these safeguards would need to align with recognized cybersecurity frameworks, such as those published by the National Institute of Standards and Technology (NIST).
Third, breach. If a regulated entity experiences a breach involving applicable health information, it would need to notify individuals and regulators, subject to HIPAA-like standards and timelines. Currently, these entities are subject to varying state breach notification requirements and the Federal Trade Commission’s (FTC) breach notification rule, though enforcement may be limited under the current administration.
What would enforcement look like and would preemption play a role?
HHS would enforce HIPRA in consultation with the FTC, and civil penalties would follow HIPAA’s tiered structure. Following HIPAA’s approach, HIPRA raises the federal floor without displacing more protective state laws.
What should companies do now?
Although HIPRA was just recently introduced, it is a clear signal at the federal level of where health privacy regulation may be headed. If you are a direct-to-consumer digital health company, life science company, wellness app, wearable provider, or a vendor processing health-related data for those companies, you are squarely in the crosshairs of this proposed legislation. In some ways, HIPRA simply expands the current regulatory web surrounding health data: it incorporates some of the requirements of Washington’s My Health My Data Act (MHMDA) and the spirit of state comprehensive privacy laws such as those in Colorado and Maryland, increases transparency through notice and disclosure requirements, and creates a floor at the federal level while still allowing states to enforce additional restrictions.
Pragmatically, there are several programmatic moves health-focused organizations can make now—whether they are HIPAA-covered entities, business associates, or digital health companies—to future-proof against HIPRA-style obligations and converging state and federal rules:
1. Unify your health-data map across HIPAA and non-HIPAA data flows
- Build (or refresh) a single inventory of “health-related data” that covers PHI, consumer health data, wellness and behavioral data, device and wearable streams, and AI training/analytics sets—regardless of whether the data originated in a HIPAA setting; and
- Categorize which data flows are subject to HIPAA, which are subject to consumer-focused health laws, and where data might traverse this boundary (e.g., hospital portals into consumer apps, DTC tools feeding back into clinical systems).
2. Make HIPAA-style risk analysis your default for all health data
- Run a documented, recurring risk analysis/assessment that uses HIPAA/NIST concepts (threats, vulnerabilities, likelihood, impact) for all health-related data, not just ePHI, and use the process to drive a real risk-management plan—not just a gap checklist.
3. Adopt “medical-grade” rules of the road for uses, sharing, and AI
- Write and enforce a cross-regime policy that:
  - defines permitted vs. prohibited uses of health data;
  - applies a HIPAA-like “minimum necessary” and purpose-limitation lens to analytics, advertising/retargeting, and AI/ML; and
  - requires enhanced disclosures and opt-in consent before selling, enriching, or monetizing health data outside core treatment, payment, operations, or clearly stated wellness services.
4. Strengthen de-identification and “no-reidentification” guardrails
- Align your de-identification and aggregation standards so that they are, at a minimum, consistent with HIPAA’s methodology; and
- Require anti-reidentification covenants and security requirements through vendor contracts.
5. Rebuild vendor, BA, and processor contracts around health-data risk
- Treat any vendor touching health-related data as if it were handling PHI: require security programs aligned with NIST SP 800-66, HIPAA-style incident and breach notice, detailed downstream subcontractor controls, and clear limits on secondary use and training rights; and
- For HIPAA BAs, ensure BAAs are complete; for non-HIPAA vendors, bake equivalent terms into DPAs and service agreements so you do not have to renegotiate when HIPRA-like obligations or new state rules land.
6. Operationalize individual rights and transparency once, use them everywhere
- Build a common “rights and requests” process that can handle HIPAA access/amendment, state privacy rights (access, delete, opt-out/opt-in), Washington-style consumer-health rights, and any future HIPRA portability/authorization rules from a single playbook; and
- Pair that with plain-language notices that accurately describe your actual data practices across clinical, wellness, and AI features to reduce deception risk and make it easy for consumers to understand how their data moves.
7. Embed ethics, equity, and governance into the privacy and security program
- Stand up a cross-functional health data governance council (legal, security, product, clinical, data science) charged with reviewing high-risk use cases—particularly AI, sensitive populations, and cross-context data re-use—for fairness, explainability, and potential harm; and
- Use structured checklists and a health-data risk assessment framework to document decisions, mitigations, and when you say “no,” so the program can demonstrate not just compliance, but ethical design when regulators, partners, or investors come looking.
Taken together, these steps give HIPAA-covered entities, business associates, and digital health companies the same answer to two hard questions:
- Are we putting HIPAA-related controls around all health-related data today?
- Are we doing it in a way that will still make sense—and still earn trust—years from now, no matter how the regulatory landscape changes?
The attorneys at KMK Law are available to assist with these and other issues. For assistance, please contact Eric Cook.
Eric Cook
Of Counsel | CIPP/US
513.562.1453
ecook@kmklaw.com
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
ADVERTISING MATERIAL.
© 2025 Keating Muething & Klekamp PLL. All Rights Reserved