FAQs About the Health Information Privacy Reform Act (HIPRA)
- HIPRA can be viewed as the “HIPAA for apps and wearables.”
- It is expected to expand health privacy protections for technologies that currently are not required to have any.
- Examples of entities that would be regulated under the new privacy act include health and fitness apps and wellness platforms.
- It introduces a new category of health information tied to an individual called Applicable Health Information (AHI).
- It calls for modifications to certain existing HIPAA provisions.
- It would go into effect one year after enactment.
- HIPRA would create a unified federal framework for health-related data, with HHS and the FTC sharing responsibility for rulemaking and enforcement.
- The bill is sponsored by Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee.
What Is the Health Information Privacy Reform Act (HIPRA)?
Health-related information privacy is entering a new era with the introduction of the Health Information Privacy Reform Act (HIPRA), a bill aimed at closing gaps in consumer health privacy protections.
HIPRA was introduced on November 4, 2025, by Senator Bill Cassidy (R-LA) to address privacy concerns about wearable devices (part of the broader Internet of Things) and health apps that collect individually identifiable health information.
Smartwatches and health apps have transformed how people monitor and manage their well-being, providing real-time insights. But with that convenience comes concern about how people’s individual health data is being tracked by the digital tools and companies that make them. HIPRA aims to ensure that the data people provide about themselves is handled responsibly and collected with clear consent.
Who Must Comply With HIPRA?
HIPRA would act as an extension of the Health Insurance Portability and Accountability Act (HIPAA), adding privacy, de-identification, and disclosure rules for health information that HIPAA does not reach. Under HIPAA, a covered entity is a healthcare provider, health plan, or healthcare clearinghouse that creates, receives, maintains, or transmits protected health information (PHI). Business associates are the vendors and contractors that handle PHI while performing functions on behalf of a covered entity; they are regulated alongside covered entities but are a distinct category.
While HIPAA focuses on the privacy and security of health information handled by covered entities and their business associates, HIPRA would focus on technology companies that collect, use, or share health-related data. Under this framework, digital health platforms and data-driven services that handle health information would be held to the same baseline privacy and security expectations as HIPAA-regulated covered entities. This addresses the privacy gaps of digital tools that gather sensitive health information outside traditional healthcare settings.
Examples of entities that will be regulated under the new privacy act include health and fitness apps, wellness platforms, and possibly specific out-of-pocket-only providers.
What is Applicable Health Information (AHI)?
Much of the health information people generate today exists outside medical documentation, where HIPAA's Privacy Rule does not apply. Rather than stretch the definition of PHI to cover it, the bill creates a new category of health data called Applicable Health Information (AHI).
This means privacy protections would be applied to technologies HIPAA never covered. AHI captures the growing pool of digital health metrics left behind in apps, wearables, online tools, and behavioral data that can be tied back to an individual but are not part of a traditional patient medical record, closing the privacy gap for non-patient health information.
AHI is described as information that is identifiable, or reasonably identifiable, to a person, and the bill attaches the following privacy requirements to it:
- use and disclosure
- authorization standards
- privacy notices
- access to, and amendment of, health information
- deletion of applicable health information
How PHI and AHI are Similar
At the center of this proposed bill is the key concept of health information and how it can be linked to an individual. This thinking is the cornerstone of HIPAA’s definition of PHI. AHI, in essence, constitutes individually identifiable health information the same way PHI does.
As covered entities and business associates know, understanding how individually identifiable health information is defined shapes how to protect it when it is created, received, maintained, and transmitted.
The HIPAA Privacy Rule established that individually identifiable health information includes:
- Information that relates to a person’s physical or mental health, past, present, or future
- Information about the provision of healthcare to an individual
- Information about the payment of healthcare to an individual
- Data that identifies the individual, or for which there is a reasonable basis to believe it could be used to identify them
- Common identifiers such as name, date of birth, address, and medical record number
Both AHI and PHI revolve around identifiability. If the data can be linked to an individual person, then it needs to be protected.
The difference between PHI and AHI is that health information becomes PHI when it is handled by a covered entity or a business associate performing a job task on behalf of the covered entity.
Bringing AHI into the mix makes companies accountable for how they collect, use, and disclose the huge amounts of health-related data that is generated outside the exam room. It also gives people clearer rights over their own information that has not been meaningfully protected in the United States.
Patient Consent, Access, and New Transparency Duties
What is outlined in HIPRA mirrors HIPAA's rights to access, amend, and receive notices. These aspects of the proposed framework mean that consumers would gain consistent, legally backed rights over their digital health data: the same protections for the data their apps collect as they already receive for the information their doctor keeps.
Protections they’ve long held for their traditional medical records include:
- Permitted Uses and Disclosures of PHI: HIPAA allows healthcare providers, health plans, and their business associates to use or share PHI without a patient's written authorization when it is necessary for treatment, payment, or healthcare operations. An example is when a hospital sends a patient's procedure codes and supporting medical details to the patient's health insurance company to request reimbursement.
- Authorization Requirements: the formal permissions a patient must give before their PHI can be used or disclosed for purposes outside of their routine healthcare. An example of this is when a patient asks their primary care physician to send their medical records to an attorney involved in a disability case.
- Individual Rights: Gives patients control over their health information by allowing them access to their records, the ability to request corrections, and the right to receive privacy notices. For example, a patient notices that an allergy is listed in their medical record that they don’t have. They have the right to request that the provider review and remove the information from their record.
The HIPAA framework for these types of requests will extend to AHI, requiring regulated entities under HIPRA to implement privacy programs to address individual protections.
New Additions HIPRA Will Introduce
- Transparency and Consumer Notification Requirements: The goal is to provide transparency for when current HIPAA protections do not apply to an individual’s health-related information. For data produced by wellness tools and wearable devices such as fertility trackers, vital signs, or medication metrics, regulated entities must clearly notify consumers when that information is not protected by HIPAA, how it will be redisclosed, and provide a way to opt out of sharing.
- Consumer Consent Before Selling to Third Parties: HIPRA will require consumer consent before any sale of health-related data.
- Improved Security Safeguards: Security requirements under HIPRA would be similar to those of the HIPAA Security Rule, with an emphasis on administrative, physical, and technical safeguards for AHI. Additionally, the safeguards must align with recognized security frameworks, such as those published by the National Institute of Standards and Technology (NIST).
- Breach Notification Standards: Introduce and standardize breach-notification requirements modeled on HIPAA, requiring timely notice of when AHI is accessed, used, or disclosed without authorization. Currently, digital health and wellness companies are subject to less stringent federal rules regarding data breaches. Existing federal protections, including Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule, do not offer the same level of enforcement that HIPAA does. This will provide clearer expectations for organizations and more consistent protections for individuals when their health-related data is compromised.
- De-Identification of PHI & AHI Standards: Under HIPRA, HHS would create a unified federal standard for de-identifying health-related data, comparable to the de-identification obligations HIPAA already places on covered entities. Data shared with a third party would not be treated as de-identified unless that party contractually agrees not to re-identify it. This matters to consumers because supposedly de-identified data can often be re-identified by linking it with other datasets, including through analytic and Artificial Intelligence (AI) techniques.
Minimum Necessary and AI Data Use
HIPAA's minimum necessary standard requires covered entities and their business associates to limit the use, access, and disclosure of protected health information to only what is needed to accomplish a specific purpose. The goal is to reduce unnecessary exposure of PHI while still allowing healthcare operations to function.
An example of the minimum necessary principle in action is when a hospital bills an insurance company. The hospital shares procedure codes and relevant clinical details needed to receive payment. It does not send the patient’s full medical history or electronic health record; only the information necessary to process the claim is disclosed.
With the increase in generative AI and AI ambient scribes being used in healthcare settings, HIPRA directs HHS to issue guidance on how the minimum necessary rule, including limited data sets, applies to AI systems in order to protect privacy.
By applying the minimum necessary rule to an AI system, the amount of health-related data fed into the system will be limited to only what is needed for specific purposes, rather than allowing a broad data set, such as a patient’s complete medical record. This will reduce privacy and security risks by limiting the amount of identifiable data exposed and lowering the impact of potential breaches.
As AI tools are developed and trained, entities will need to justify data scope, apply stronger controls, and avoid using identifiable health information when less sensitive or de-identified data will suffice.
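The two ideas above, a purpose-based minimum necessary filter and a de-identification pass before data reaches an AI tool, are easier to reason about in code. The following is an added example written for this post; it is not code from the bill, from HHS, or from any vendor. The purposes, field names, and the patient record are constructed for illustration. The generalization rules (year-only dates, ages of 90 and over collapsed to "90+", ZIP codes truncated to three digits with the low-population prefixes zeroed) follow HIPAA's Safe Harbor method as an assumed baseline; the restricted ZIP3 list is the one HHS published from 2000 Census data and should be checked against current guidance before use. Free-text scrubbing here is regex-based and best-effort: it catches phone numbers, SSNs, e-mail addresses, and dates, but names and other identifiers in narrative text need NER-based detection, which this example does not attempt.

```python
"""Minimum-necessary filtering plus Safe-Harbor-style de-identification
applied to a record before it is handed to an AI workflow.

Added example for illustration only; purposes, field names and the sample
record are constructed, not taken from any real system or from the bill.
"""
import re

# Which fields each AI workflow legitimately needs (constructed policy).
# A real policy would be derived from a data-flow map, not written by hand.
PURPOSE_ALLOWLIST = {
    "ambient_scribe": {"age", "sex", "zip", "visit_date", "chief_complaint",
                       "vitals", "medications"},
    "coding_assistant": {"visit_date", "procedure_codes", "diagnosis_codes"},
}

# Direct identifiers that never leave the system of record, whatever the
# purpose. A subset of HIPAA Safe Harbor's 18 identifiers.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "address"}

# Three-digit ZIP prefixes covering 20,000 or fewer people (HHS Safe Harbor
# guidance, 2000 Census data). Assumption: verify against current guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Best-effort patterns for identifiers embedded in free text.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")


def scrub_free_text(text: str) -> str:
    """Replace recognisable identifiers in narrative text with placeholders.
    Names are NOT handled; that requires NER, not regexes."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return DATE_RE.sub("[DATE]", text)


def generalize_age(age: int):
    # Safe Harbor: ages 90 and over are aggregated into a single bucket.
    return "90+" if age >= 90 else age


def generalize_zip(zip5: str) -> str:
    # Safe Harbor: keep the first three digits unless the ZIP3 area is small.
    zip3 = zip5[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(iso_date: str) -> str:
    # Safe Harbor: all date elements except the year are removed.
    return iso_date[:4]


def _scrub(value):
    """Walk nested lists/dicts so free text inside structures is scrubbed too."""
    if isinstance(value, str):
        return scrub_free_text(value)
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    if isinstance(value, dict):
        return {k: _scrub(v) for k, v in value.items()}
    return value


def minimum_necessary(record: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose needs. Unknown purposes fail closed."""
    if purpose not in PURPOSE_ALLOWLIST:
        raise ValueError(f"no allowlist defined for purpose {purpose!r}")
    allowed = PURPOSE_ALLOWLIST[purpose] - DIRECT_IDENTIFIERS
    return {k: v for k, v in record.items() if k in allowed}


def deidentify(record: dict) -> dict:
    """Drop direct identifiers and generalize quasi-identifiers."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "age":
            value = generalize_age(value)
        elif key == "zip":
            value = generalize_zip(value)
        elif key.endswith("_date"):
            value = generalize_date(value)
        else:
            value = _scrub(value)
        out[key] = value
    return out


def prepare_for_ai(record: dict, purpose: str) -> dict:
    """Minimum necessary first, then de-identify what remains."""
    return deidentify(minimum_necessary(record, purpose))


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "ssn": "123-45-6789",
    "phone": "555-010-0199", "email": "jane@example.com",
    "address": "1 Example St", "age": 92, "sex": "F", "zip": "03601",
    "visit_date": "2025-11-04",
    "chief_complaint": "Chest pain since 10/30/2025; callback 555-010-0199, jane@example.com",
    "vitals": {"bp": "142/88", "hr": 96},
    "medications": ["lisinopril 10 mg daily"],
    "procedure_codes": ["99214"], "diagnosis_codes": ["R07.9"],
    "insurance_id": "XYZ123",
}

if __name__ == "__main__":
    print(prepare_for_ai(SAMPLE_RECORD, "ambient_scribe"))
```

Running it on the constructed record for the ambient scribe purpose drops the name, MRN, SSN, contact details and insurance ID outright, collapses the age to "90+", reduces the ZIP to "000" because 036 is on the restricted list, keeps only the year of the visit, and replaces the date, phone number and e-mail inside the chief complaint with placeholders. Note the order: filtering by purpose happens before de-identification, so a field the workflow never needed is never even scrubbed; and an undefined purpose raises rather than falling back to "send everything".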
Learn more about creating a HIPAA-compliant AI system in our previous article.
How Covered Entities Can Prepare for HIPRA
HIPRA builds on the HIPAA framework established over the last 30 years, meaning that covered entities and their business associates are likely already well positioned for the changes it may introduce. Organizations can proactively prepare for the shift by keeping these practical steps in focus:
- Map Your Data Flows: A thorough data assessment will help identify where health data is created, shared, stored, and transmitted within your day-to-day business operations, especially when it moves to or from non-HIPAA entities.
- Review Your Third-Party Relationships: Complete an inventory of business associates, vendors, and service providers you rely on to operate your business. This will help you understand which ones may fall under HIPRA’s expanded scope and where new contractual protections may be needed.
- Revisit Your Patient Privacy Notices and Authorizations: Ensure disclosures, consent language, and patient-facing notices clearly explain how data may be shared, redisclosed, or sold.
- Strengthen Your Breach Response Plans: Confirm that your current breach-notification processes are ready to meet HIPAA-like timelines and expectations.
- Review Your Minimum Necessary Policies: Evaluate how you allow data to be used in a generative AI or AI Ambient Scribe system and limit data access to only what’s needed for defined purposes.
- Improve Your Data Governance: Strengthen policies and procedures for collecting, accessing, sharing, and retaining health-related data, and ensure your data governance plan extends to analytics platforms, AI-driven tools, and all third-party environments.
Turning Readiness into Opportunity
HIPRA may well be the next chapter in HHS regulation, but its story builds on decades of lessons around patient health information privacy and healthcare security. Whether or not HIPRA becomes a federal regulation, organizations that embrace comprehensive privacy and security compliance stand out as leaders, signaling to patients that protecting their health information is an organizational priority even as digital health protections continue to evolve.
If HIPRA has you asking what comes next, PrivaPlan is here to help. Thirty years of HIPAA compliance experience means we offer practical guidance you can trust, plus the option to have us serve as your compliance officer. Contact us today to get started!
Generative AI Meets HIPAA Peace of Mind
If you’re working to build AI systems that are secure, scalable, and worthy of patient trust, you don’t have to do it alone. Our reference guide is designed for healthcare IT teams, offering clear, practical guidance on building AI through the lens of the HIPAA Security Rule.