Sponsors
The bill strongly expands patients' privacy rights, security standards, and uniform de‑identification rules—improving transparency and protections—but does so at the cost of significant compliance burdens, potential limits on data access for research and innovation, implementation complexity, and the risk of weakening stronger state protections in some cases.
Patients (including those with chronic conditions, Medicaid and Medicare beneficiaries) gain stronger individual privacy rights and control over health data—expanded access, amendment, deletion, portability, HIPAA-level authorization for third-party transfers, and required notices when HIPI loses HIPAA protection.
Consumers and healthcare organizations benefit from stronger security and breach-transparency—HIPAA-like breach-notification rules, adoption of national security standards (e.g., NIST), and extension of HITECH-style enforcement that increase deterrence and accountability for data breaches.
Researchers, data users, and the public gain a national de‑identification standard and contractual prohibitions on re-identification, enabling privacy-preserving secondary uses of health data while reducing re-identification risk.
Hospitals, health systems, technology companies, service providers, and other data holders face substantial new compliance costs and potential fines to implement the Act's expanded privacy, notice, contractual, and enforcement requirements.
Stricter de‑identification, contractual limits, authorization requirements, and AI guidance may reduce the availability of data for research, public‑health uses, and AI development or slow beneficial innovation by narrowing access or adding transaction costs.
Narrower authorization, 'directly relevant' disclosure limits, stricter deletion/portability rules, and added consent steps could delay or block patient-directed sharing (including to consumer apps) and complicate care coordination when broader records are needed.
Based on analysis of 9 sections of legislative text.
Sets new national privacy, security, and breach standards for more health data, expands patient rights and consent, and tightens de‑identification and AI data rules.
Introduced November 4, 2025 by Bill Cassidy · Last progress November 4, 2025
Creates a new, unified federal privacy and security framework for a broad set of health-related data by directing HHS (with FTC consultation) to issue rules that extend HIPAA-like protections to more entities and types of information. It strengthens individual rights (notice, access, amendment, deletion, portability), sets minimum-necessary and breach-notification requirements, requires plain-language notices and consent for certain downstream uses (including sales), sets national de-identification standards and contractual limits on re-identification, and directs studies and guidance on AI, data compensation, and privacy-enhancing technologies.