Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Proposed Health Information Privacy Reform Act Expands Protections Beyond HIPAA

Client Alert

Do you process health data? If so, the proposed Health Information Privacy Reform Act (“HIPRA”) may impact you. Most people recognize the standards under the Health Insurance Portability and Accountability Act (“HIPAA”) as providing adequate protections to individuals’ personal health information. However, HIPAA does not cover every instance where health data exists. Health data that exists outside of typical patient-provider interactions and healthcare facilities, such as in a healthcare app or smartwatch, are not necessarily covered by HIPAA. The Health Information Privacy Reform Act (“HIPRA”) was introduced last November to account for the technology that has changed how individuals access their health data. As a result of the privacy concerns surrounding this technology, HIPRA seeks to extend protections to health data that is currently not protected under HIPAA. 

The key provisions under HIPRA are as follows:

Increased Privacy Protection

HIPRA seeks to increase privacy protection, in part by introducing new definitions regarding applicable health information (“AHI”), regulated entities, and service providers.

“AHI” is defined under HIPRA as all information that “identifies an individual or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual, and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and may include information […] that was not created or received by a health care provider, health plan, employer, or health care clearinghouse.” This definition indicates that protections under HIPRA would apply to information beyond what is considered patient health information (“PHI”) under HIPAA.

HIPAA applies to covered entities (i.e. health plans, healthcare providers, and healthcare clearinghouses) and business associates. HIPRA broadens the scope of HIPAA by establishing privacy standards for regulated entities and their service providers. A “regulated entity” is defined as “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing [AHI]”, and a “service provider” is “a natural or legal entity that processes [AHI] on behalf of a regulated entity and that is not a covered entity or business associate.”

Privacy, Security, and Breach Notification

HIPRA requires the Secretary of Health and Human Services (“HHS”) to promulgate regulations setting forth privacy, security, and breach notification standards for the processing of AHI by regulated entities and their service providers. These standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with” the protections under HIPAA and section 13402 of the HITECH Act. For example, regulated entities and service providers would be required to disclose how a user’s health data will be used and disclosed. HIPRA affords users the right to receive a privacy notice from the regulated entity, access to their AHI, amend or delete their AHI, and requires that AHI be portable.

Access Requirements

HIPRA also establishes rights and requirements regarding access to certain PHI. For example, when an individual requests that a covered entity or business associate transmit, produce, or provide access to a copy of the individual’s PHI to a person or entity, the request must meet the requirements of a valid authorization under HIPAA.

HIPRA authorizes covered entities and business associates to require the receiving party to pay or to accept terms, limitations, and conditions of use and disclosure when transmitting, producing, or providing access to PHI. 

Patient Notifications

For regulated entities and service providers who gain access to an individual’s PHI through the patient right of access under 45 CFR § 164.524, such entities or service providers must issue a written notification informing the patient that the PHI will no longer be subject to protection under HIPAA and how and to which entities such PHI may be redisclosed. Further, any regulated entity or service provider must obtain an individual’s consent before selling their PHI to a third-party.

When a regulated entity or service provider offers digital technology that generates wellness data, the entity must provide notification that the data will not be subject to HIPAA and offer an opportunity for the user to opt-out of the wellness data generation.

De-Identified Information

HIPRA also requires the Secretary of HHS to promulgate regulations establishing unified national standards for rendering AHI as de-identified information within one year of HIPRA’s enactment.

The de-identification standards must be equal to or more stringent than the standards under HIPAA. Specifically, these standards must address the use of privacy-enhancing technologies and specify that the information provided by a regulated entity, service provider, covered entity, or business associate to another person or entity is not considered de-identified unless the recipient agrees, in writing, to not re-identify the information. 

National Academies of Sciences

HIPRA requires the Secretary of HHS to engage the National Academies of Sciences, Engineering, and Medicine within 60 days of its enactment to conduct a study on the potential risks and benefits of paying compensation to patients for sharing their identifiable data for research purposes.

Enforcement

The protections outlined in HIPRA are enforceable by the Secretary of HHS and the Federal Trade Commission (“FTC”). Those in violation of HIPRA may be subject to civil penalties and sanctions.

Companies who run healthcare apps, sell wearables and process health data should closely monitor this expansion of patient privacy protection. If adopted, those impacted should take the appropriate steps to ensure compliance with HIPRA, such as updating any operations manuals or compliance documents. 

To learn more about the Health Information Privacy Reform Act, and how its adoption could impact you, please contact BMD Member Jeana Singleton at jmsingleton@bmdllc.com or Attorney Kate Crawford at khcrawford@bmdllc.com.


Introducing HB 281: Enforcement of Federal Immigration Laws in Ohio Hospitals

House Bill 281, introduced on May 20, 2025, would require Ohio hospitals to allow law enforcement, including federal immigration agents, to enter facilities and enforce immigration laws. The bill mandates that hospitals comply with information requests and adopt formal policies, raising significant concerns about patient privacy and access to care for immigrant communities.

Parental Consent May Soon Be Required for Minor Mental Health Services in Ohio

HB 172 proposes repealing a provision in Ohio law that allows minors age 14 and older to consent to limited outpatient mental health services without parental involvement. The bill would require parental consent for all such care and remove related language from other sections of the Ohio Revised Code.

Community Behavioral Health Providers - Supervisor Pricing Changes Begin July 1 [Corrected Date]

Effective June 16, community behavioral health providers wishing to receive reimbursement at the supervisor rate must add the HP or HT Modifier to fee-for-service (FFS) claims. Find out about the new guidelines.

CMS Rescinds EMTALA Guidance for Emergency Abortions

On June 3, 2025, CMS withdrew its 2022 guidance on emergency abortion care under EMTALA, eliminating federal protection for providers in states with abortion restrictions. This policy change could significantly impact how hospitals handle emergency care involving pregnancy complications.

Supreme Court Eliminates Higher Burden for Majority-Group Plaintiffs in Title VII Claims

In Ames v. Ohio Department of Youth Services, the U.S. Supreme Court unanimously ruled that all Title VII plaintiffs, whether from majority or minority groups, must meet the same evidentiary standard. The decision eliminates the “background circumstances rule” and reinforces equal treatment in workplace discrimination claims.