Copyright © 2026 PLEJ LC. All rights reserved.
Establishes a new federal framework to expand and modernize privacy, security, and breach-notification rules for health-related data and the entities that process it. It directs HHS (with FTC consultation) to issue regulations that align with HIPAA/HITECH where feasible, extends HIPAA/HITECH enforcement authorities to more categories of entities, creates unified rules for de-identification, requires patient notice and consent protections for certain digital wellness data and data sales, and orders studies and guidance on AI use and patient compensation for research data. The law sets multiple regulatory deadlines (60–365 days) for HHS to act, requires contractual promises to prevent re-identification of de-identified data, and applies federal preemption principles to conflicts with state law. It increases compliance duties for health care providers, business associates, digital health and wellness apps, data recipients, and researchers while aiming to strengthen patient controls over health data flows.
The bill extends strong, HIPAA‑like privacy rights and unified security standards to health data held outside traditional HIPAA entities—improving individual control and data safety—while imposing significant compliance costs and restrictions that may slow innovation, limit interoperability, reduce research utility, and, in some places, lower protections that state laws currently provide.
Millions of patients (including people with chronic conditions, people with disabilities, and uninsured individuals) gain explicit privacy rights and stronger control over health-related data held by apps and other non‑HIPAA entities (notice, access, amendment, deletion, portability, consent before sale, and clearer mental‑health protections).
Hospitals, providers, and patients benefit from stronger security and enforcement: HIPAA‑alignment, use of NIST/HHS cybersecurity frameworks, mandatory breach notifications, extension of HITECH responsibilities, and a uniform federal privacy/security baseline that reduces legal uncertainty across states.
Researchers, public‑health officials, and the public gain clearer, national standards for de‑identification and use of privacy‑enhancing technologies (PETs), plus contractual prohibitions on re‑identification, which reduce re‑identification risk and simplify lawful data sharing for research and public health.
Hospitals, providers, regulated entities, service providers, and especially small developers face substantial new compliance costs (HIPAA‑like controls, de‑identification, PETs, contractual requirements and enforcement) that may be passed to patients through higher prices, reduced free services, or could drive small developers out of the market.
Stricter authorization, contracting, fee, and acceptance requirements could delay or restrict patients' ability to send their PHI to third‑party apps, caregivers, or researchers and discourage third‑party integrations, reducing interoperability and patient‑facing innovation.
A federal baseline may preempt stronger state privacy laws, meaning patients in some states could lose protections they currently have and state governments will cede certain enforcement authorities.
Introduced November 4, 2025 by Bill Cassidy · Last progress November 4, 2025