Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Proposed Health Information Privacy Reform Act Expands Protections Beyond HIPAA

Client Alert
January 26, 2026

Do you process health data? If so, the proposed Health Information Privacy Reform Act (“HIPRA”) may impact you. Most people recognize the standards under the Health Insurance Portability and Accountability Act (“HIPAA”) as providing adequate protections to individuals’ personal health information. However, HIPAA does not cover every instance where health data exists. Health data that exists outside of typical patient-provider interactions and healthcare facilities, such as in a healthcare app or smartwatch, are not necessarily covered by HIPAA. The Health Information Privacy Reform Act (“HIPRA”) was introduced last November to account for the technology that has changed how individuals access their health data. As a result of the privacy concerns surrounding this technology, HIPRA seeks to extend protections to health data that is currently not protected under HIPAA. 

The key provisions under HIPRA are as follows:

Increased Privacy Protection

HIPRA seeks to increase privacy protection, in part by introducing new definitions regarding applicable health information (“AHI”), regulated entities, and service providers.

“AHI” is defined under HIPRA as all information that “identifies an individual or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual, and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and may include information […] that was not created or received by a health care provider, health plan, employer, or health care clearinghouse.” This definition indicates that protections under HIPRA would apply to information beyond what is considered patient health information (“PHI”) under HIPAA.

HIPAA applies to covered entities (i.e. health plans, healthcare providers, and healthcare clearinghouses) and business associates. HIPRA broadens the scope of HIPAA by establishing privacy standards for regulated entities and their service providers. A “regulated entity” is defined as “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing [AHI]”, and a “service provider” is “a natural or legal entity that processes [AHI] on behalf of a regulated entity and that is not a covered entity or business associate.”

Privacy, Security, and Breach Notification

HIPRA requires the Secretary of Health and Human Services (“HHS”) to promulgate regulations setting forth privacy, security, and breach notification standards for the processing of AHI by regulated entities and their service providers. These standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with” the protections under HIPAA and section 13402 of the HITECH Act. For example, regulated entities and service providers would be required to disclose how a user’s health data will be used and disclosed. HIPRA affords users the right to receive a privacy notice from the regulated entity, access to their AHI, amend or delete their AHI, and requires that AHI be portable.

Access Requirements

HIPRA also establishes rights and requirements regarding access to certain PHI. For example, when an individual requests that a covered entity or business associate transmit, produce, or provide access to a copy of the individual’s PHI to a person or entity, the request must meet the requirements of a valid authorization under HIPAA.

HIPRA authorizes covered entities and business associates to require the receiving party to pay or to accept terms, limitations, and conditions of use and disclosure when transmitting, producing, or providing access to PHI. 

Patient Notifications

For regulated entities and service providers who gain access to an individual’s PHI through the patient right of access under 45 CFR § 164.524, such entities or service providers must issue a written notification informing the patient that the PHI will no longer be subject to protection under HIPAA and how and to which entities such PHI may be redisclosed. Further, any regulated entity or service provider must obtain an individual’s consent before selling their PHI to a third-party.

When a regulated entity or service provider offers digital technology that generates wellness data, the entity must provide notification that the data will not be subject to HIPAA and offer an opportunity for the user to opt-out of the wellness data generation.

De-Identified Information

HIPRA also requires the Secretary of HHS to promulgate regulations establishing unified national standards for rendering AHI as de-identified information within one year of HIPRA’s enactment.

The de-identification standards must be equal to or more stringent than the standards under HIPAA. Specifically, these standards must address the use of privacy-enhancing technologies and specify that the information provided by a regulated entity, service provider, covered entity, or business associate to another person or entity is not considered de-identified unless the recipient agrees, in writing, to not re-identify the information. 

National Academies of Sciences

HIPRA requires the Secretary of HHS to engage the National Academies of Sciences, Engineering, and Medicine within 60 days of its enactment to conduct a study on the potential risks and benefits of paying compensation to patients for sharing their identifiable data for research purposes.

Enforcement

The protections outlined in HIPRA are enforceable by the Secretary of HHS and the Federal Trade Commission (“FTC”). Those in violation of HIPRA may be subject to civil penalties and sanctions.

Companies who run healthcare apps, sell wearables and process health data should closely monitor this expansion of patient privacy protection. If adopted, those impacted should take the appropriate steps to ensure compliance with HIPRA, such as updating any operations manuals or compliance documents. 

To learn more about the Health Information Privacy Reform Act, and how its adoption could impact you, please contact BMD Member Jeana Singleton at jmsingleton@bmdllc.com or Attorney Kate Crawford at khcrawford@bmdllc.com.

HealthcareHealth LawHealthcare PolicyJeana SingletonKatherine Crawford
Client Alert

OAAPN | Year In Review: 2026 Ohio Board of Nursing and Ohio Law Rules

February 9, 2026Find out key changes to Ohio law and the Ohio Board of Nursing rules that have directly impacted APRN practice over the past year, including Psychiatric Inpatient Documents, Intimate Examinations, Signature Authority, Duties Related to Fetal Death, Retail IV Therapy Clinics, Release from Permanent Restrictions, Disciplinary Action, Course on Drugs and Prescriptive Authority, Overdose Reversal Drugs, Office Based Opioid Treatment, Withdrawal Management for Substance Use Disorder, Safe Haven Program, and more.Client Alert

Ohio House Bill 537: Proposed Regulations for Midwives and Birthing Centers

January 28, 2026House Bill 537, introduced in the Ohio House of Representatives, proposes a comprehensive regulatory framework for certified nurse-midwives, certified midwives, licensed midwives, and traditional midwives. The legislation would clarify scope of practice, establish licensure standards, and impose new requirements for freestanding birthing centers and home births. Healthcare providers and facilities should be aware of the proposed changes and their potential operational impact.Client Alert

Medicare Updates on Skin Substitutes: LCDs Withdrawn, Payment Changes Take Effect

January 23, 2026Medicare’s planned Final Local Coverage Determinations (LCDs) for skin substitutes were withdrawn in late December 2025, meaning previous coverage rules remain in effect. The 2026 Medicare Physician Fee Schedule introduces a single payment rate of approximately $127.14 for these products. Providers should review implications for diabetic foot and venous leg ulcer treatments.Client Alert

Understanding the Seven Core Elements of an Effective Healthcare Compliance Program

January 22, 2026The Affordable Care Act requires healthcare providers participating in Medicare, Medicaid, and CHIP to maintain an effective compliance program. Guidance from the Department of Health and Human Services and the Office of Inspector General outlines seven core elements that form the foundation of these programs, from written policies and compliance oversight to auditing, training, and corrective action. This alert highlights each element and explains how practices can tailor compliance programs to their size and risk profile while meeting federal expectations.Client Alert

Preventing a Board Investigation

January 21, 2026Healthcare professionals in Ohio are subject to licensing board investigations that can lead to disciplinary action. Staying compliant with regulations, documenting carefully, and operating within your professional scope can help prevent issues. If contacted by a board, working with an attorney is critical to protect your license and rights.
Older posts