Introduced November 4, 2025 by Bill Cassidy · Last progress November 4, 2025
The bill gives Americans stronger, HIPAA-aligned privacy rights and clearer national standards (improving patient control, security, and de-identification), but it imposes substantial compliance costs and restrictions that could slow innovation, complicate data portability, and create new enforcement risks.
Patients (especially those with chronic conditions, people with disabilities, the uninsured, and Medicaid beneficiaries) gain explicit new privacy and control rights: notice when health data falls outside HIPAA, access, amendment, deletion, data portability, and required consent before any sale of PHI.
Hospitals, health systems, and patients benefit from stronger, HIPAA-aligned privacy, security, and breach-notification rules (including alignment with NIST frameworks), which increase data security and transparency when breaches occur.
Researchers, hospitals, and patients benefit from clearer national de-identification standards, contractual bans on re-identification, and encouragement of privacy-enhancing technologies that enable safer data sharing for research and innovation.
Hospitals, health systems, small businesses, tech firms, and service providers will face substantial new compliance, administrative, and technical costs to implement HIPAA-like protections, notices, consent tracking, de-identification standards, and contractual controls.
Researchers, app developers, and innovators may see restricted data uses and added barriers (contractual re-identification bans, narrower de-identification exemptions, prescriptive AI guidance), potentially slowing research, product features, and AI-driven health innovations.
Patients could still have their data disclosed without consent under enumerated exceptions (public health, oversight, law enforcement, judicial uses), which may feel intrusive and limit practical privacy protections for some individuals.
Based on analysis of 9 sections of legislative text.
Creates unified federal privacy, security, de-identification, access/notice, AI guidance, and enforcement rules for health-related data, expanding individual rights and penalties for violations.
Creates a unified federal framework to protect health-related data across medical providers, apps, researchers, and service firms. It directs HHS (with the FTC) to write and enforce rules that build on HIPAA and HITECH: setting privacy, security, breach-notification, permitted-use, and de-identification standards; expanding individual rights (access, amendment, deletion, portability); requiring plain-language notices when data leaves HIPAA protection; and setting rules for AI use and contracts that bar re-identification. The bill also requires HHS to commission a study on paying patients for identifiable health data and to issue guidance and regulations within months to one year on minimum-necessary use, AI datasets, de-identification, and other technical safeguards. Covered entities and their service providers face civil penalties for violations, and new notice and consent rules apply when patient data is transferred outside HIPAA protections or sold.