- Consumers: Expands consumer privacy and control by applying HIPAA-like protections (privacy, security, breach notification, access…
- Potential benefit: Strengthens data security expectations by requiring technical, physical, and administrative safeguards aligned with est…
- States: Creates clearer national standards for de-identification, re-identification prohibitions, and privacy-enhancing technol…
Health Information Privacy Reform Act
Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
This bill directs the Secretary of Health and Human Services (in consultation with the Federal Trade Commission) to create privacy, security, and breach-notification regulations for "applicable health information" processed by entities not regulated under HIPAA (termed "regulated entities") and their service providers. It largely aims to harmonize those rules with existing HIPAA/HITECH protections (privacy, minimum-necessary, individual rights including access, amendment, deletion, portability), sets security standards (referencing NIST), and makes HHS the enforcement authority with civil penalties pursuant to existing HIPAA enforcement rules.
The bill requires patient notifications when PHI accessed under a patient right of access will no longer be protected by HIPAA, bars selling such information without consent, and requires advance notice and an opt-out for generation of "wellness data" by digital technologies.
Relative to its intended legislative type, this bill is a substantive policy change that is well-integrated with existing HIPAA/HITECH/PHSA frameworks, provides detailed definitional and substantive guidance on required regulatory content, and anticipates several common edge cases. It relies on agency rulemaking for substantial operational detail and uses existing HIPAA enforcement mechanisms to provide accountability.
Who stands to gain, and who may push back.
These are examples from the analysis, not a ranked list of the most-affected groups.
- Potential burden: Imposes additional compliance costs and administrative burdens on companies (including many digital health and wellness…
- Potential burden: Could restrict or complicate patient-directed data sharing to third-party apps and recipients by requiring valid HIPAA-…
- Potential burden: May reduce availability or fluidity of data for research, analytics, and innovation if new consent, contractual, and re…
Why the argument around this bill splits.
Scope and federal reach: liberals/centrists see value in extending HIPAA-like protections to non-covered actors; conservatives view that as federal overreach and a regulatory burden.
A mainstream liberal would likely view the bill as a substantive step toward closing gaps in U.S. health-data privacy by extending HIPAA-like protections to technology firms and other non-covered actors that handle health-related information.
They would welcome new individual rights (deletion, portability, access notices), stronger de-identification rules, limits on sale without consent, and attention to privacy-enhancing technologies and AI minimum-necessary guidance.
They would still have concerns about enforcement capacity, exceptions for research or public policy uses, and any provisions that allow fee-based barriers to access.
A pragmatic centrist would view the bill as a reasonable attempt to unify and modernize privacy rules for health-related data outside traditional HIPAA-covered actors, reduce regulatory fragmentation, and provide clearer standards for AI, de-identification, and patient notice.
They would appreciate harmonization with existing HIPAA/HITECH frameworks to limit duplication and confusion, but would be attentive to compliance costs, implementation timelines, and interaction with state laws.
They would likely favor the bill if it contains clear, balanced guidance, reasonable phase-ins, and measures to avoid undue burdens on small providers or innovators.
A mainstream conservative would be skeptical of expanding federal regulatory reach into private-sector data practices and likely view this bill as a new, broad federal compliance regime that covers many firms that previously were not subject to HIPAA.
They would be concerned about increased costs, regulatory uncertainty, and potential restrictions on legitimate commercial uses of data (including sale and monetization).
They might appreciate consumer notice and cybersecurity alignment with NIST but would generally prefer narrower federal rules, stronger deference to states, or explicit small-business exceptions.
The path through Congress.
On content alone, the bill addresses a salient public concern (health data privacy) and contains policy features that could attract support, but its broad sweep, significant regulatory and compliance impacts, and complex cross-cutting rulemaking reduce its near-term enactability. Passage would likely require narrowing scope, adding industry/state carve-outs, or extensive bipartisan negotiation. Because it delegates substantial detail to agencies, enactment might also take the form of a more limited statutory framework or be absorbed into a larger, negotiated privacy package rather than passing in this form.
- How HHS and the FTC would craft implementing regulations (scope and stringency) — much of the bill’s practical impact depends on agency rulemaking that the bill mandates but does not fully specify.
- The level and organization of industry opposition or support (digital health companies, data brokers, insurers, provider groups) and whether coalition-building could produce compromise amendments acceptable to a legislative majority.
Recent votes on the bill.
The bill has not accumulated any surfaced votes yet.