Proposed Legislation Aims to Provide HIPAA-Style Protections for Consumer Health Data

Senate HELP Committee Chair Advocates for Data Protection in Wearable Tech and Health Applications

Sen. Bill Cassidy, R-La., a physician and chair of the Senate HELP Committee, is advocating for legislation aimed at aligning new consumer health data privacy protections with HIPAA. (Image: U.S. Senate)

U.S. Senator Bill Cassidy, R-La., who serves as the head of the Senate health committee and has a background in medicine, has introduced legislation meant to establish HIPAA-like privacy standards for a broader array of health data. This includes information gathered from consumer wearable devices and health applications that currently fall outside the scope of HIPAA and the HITECH Act.

The Health Information Privacy Reform Act, which Cassidy brought to the forefront this week, mandates that health technologies not currently covered by HIPAA disclose their data collection and sharing practices, among other provisions. “Smartwatches and health apps transform the way people manage their health. While beneficial, they introduce privacy issues that previous doctor-patient interactions did not face,” Cassidy explained in a recent statement.

Presently, HIPAA legislation, enacted over two decades ago, governs a limited group of “covered entities,” including healthcare providers and insurers, as well as their third-party partners handling protected health information. However, significant portions of health data may remain unregulated, especially with ongoing technological advancements in consumer products since the original HIPAA framework and the HITECH Act of 2009.

This new bill would empower the Secretary of the U.S. Department of Health and Human Services, in collaboration with the Federal Trade Commission, to formulate regulations establishing privacy, security, and breach notification standards tailored specifically for organizations falling under this new legislation and their service providers. The objective is to ensure that new protections meet or exceed existing HIPAA standards.

According to privacy attorney Kirk Nahra from WilmerHale, the proposed legislation is designed to fill regulatory gaps by allowing the FTC and HHS to jointly establish a rule that would set federal standards for health information management. He noted that while the HIPAA framework is clearly defined for specific healthcare entities, extending that model to a broader range of businesses that handle health data poses challenges.

The legislation would introduce a comprehensive regulatory framework over consumer health data and various healthcare providers, including telehealth services and unregulated genetic testing companies. Currently, consumer health data is primarily overseen by Section 5 of the FTC Act, which carries limited penalties. In contrast, the bill would place more robust oversight in the hands of HHS, ensuring it has authority over both controllers and processors of individually identifiable health information that fall outside HIPAA’s reach.

Furthermore, the bill contains provisions that would adopt HIPAA’s preemption standards, allowing states to maintain stricter laws on consumer health data privacy. While federal regulations may reduce state-level legislative activity, they leave a complex legal landscape for compliance and enforcement. Industry stakeholders are likely to lobby for clarity and simplicity in the regulatory requirements to ensure effective management of consumer health data across different jurisdictions.

Despite growing bipartisan support for enhanced consumer health data protections, the path to passing this legislation remains uncertain, particularly given the current political climate and the history of slow progress on comprehensive privacy laws. While skepticism surrounds its advancement, some experts hold a more optimistic view, citing the bill’s narrower focus as a potential advantage in garnering support.
