Angela Burnette, Jennifer Pike, and Sara Pullen of Alston & Bird write:
Move over, HIPAA…the health privacy landscape may be in for a shakeup. On November 4, 2025, Senator Bill Cassidy, M.D. (R-LA) introduced the Health Information Privacy Reform Act (HIPRA), a bill aimed at closing a gap in health data protections. HIPAA has long governed the privacy of traditional medical records held by health care providers and health plans, but what about the data collected by your smartwatch, fitness app, or wellness platform? Those technologies are currently governed by a patchwork of state laws and Federal Trade Commission (“FTC”) guidelines. HIPRA intends to change that.
According to the press release, HIPRA is intended to “expand health privacy protections to account for new technologies that are not currently required to have privacy protections, such as wearables and health apps.”
What Would HIPRA Cover?
The bill introduces a new category of health data called “Applicable Health Information” (AHI). AHI is any identifiable (or reasonably identifiable) data about an individual’s health or healthcare and “may include information…that was not created or received by a healthcare provider, health plan, employer, or health care clearinghouse” (emphasis added). If your fitness tracker logs your heart rate or your app tracks your sleep patterns, that data could fall under HIPRA.
HIPRA requirements would mimic the covered entity and business associate structure under HIPAA. HIPRA would apply to “regulated entities” and “service providers.”
Read more at JDSupra.