Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Proposed Health Information Privacy Reform Act Expands Protections Beyond HIPAA

Client Alert

Do you process health data? If so, the proposed Health Information Privacy Reform Act (“HIPRA”) may impact you. Most people recognize the standards under the Health Insurance Portability and Accountability Act (“HIPAA”) as providing adequate protections to individuals’ personal health information. However, HIPAA does not cover every instance where health data exists. Health data that exists outside of typical patient-provider interactions and healthcare facilities, such as in a healthcare app or smartwatch, are not necessarily covered by HIPAA. The Health Information Privacy Reform Act (“HIPRA”) was introduced last November to account for the technology that has changed how individuals access their health data. As a result of the privacy concerns surrounding this technology, HIPRA seeks to extend protections to health data that is currently not protected under HIPAA. 

The key provisions under HIPRA are as follows:

Increased Privacy Protection

HIPRA seeks to increase privacy protection, in part by introducing new definitions regarding applicable health information (“AHI”), regulated entities, and service providers.

“AHI” is defined under HIPRA as all information that “identifies an individual or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual, and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and may include information […] that was not created or received by a health care provider, health plan, employer, or health care clearinghouse.” This definition indicates that protections under HIPRA would apply to information beyond what is considered patient health information (“PHI”) under HIPAA.

HIPAA applies to covered entities (i.e. health plans, healthcare providers, and healthcare clearinghouses) and business associates. HIPRA broadens the scope of HIPAA by establishing privacy standards for regulated entities and their service providers. A “regulated entity” is defined as “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing [AHI]”, and a “service provider” is “a natural or legal entity that processes [AHI] on behalf of a regulated entity and that is not a covered entity or business associate.”

Privacy, Security, and Breach Notification

HIPRA requires the Secretary of Health and Human Services (“HHS”) to promulgate regulations setting forth privacy, security, and breach notification standards for the processing of AHI by regulated entities and their service providers. These standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with” the protections under HIPAA and section 13402 of the HITECH Act. For example, regulated entities and service providers would be required to disclose how a user’s health data will be used and disclosed. HIPRA affords users the right to receive a privacy notice from the regulated entity, access to their AHI, amend or delete their AHI, and requires that AHI be portable.

Access Requirements

HIPRA also establishes rights and requirements regarding access to certain PHI. For example, when an individual requests that a covered entity or business associate transmit, produce, or provide access to a copy of the individual’s PHI to a person or entity, the request must meet the requirements of a valid authorization under HIPAA.

HIPRA authorizes covered entities and business associates to require the receiving party to pay or to accept terms, limitations, and conditions of use and disclosure when transmitting, producing, or providing access to PHI. 

Patient Notifications

For regulated entities and service providers who gain access to an individual’s PHI through the patient right of access under 45 CFR § 164.524, such entities or service providers must issue a written notification informing the patient that the PHI will no longer be subject to protection under HIPAA and how and to which entities such PHI may be redisclosed. Further, any regulated entity or service provider must obtain an individual’s consent before selling their PHI to a third-party.

When a regulated entity or service provider offers digital technology that generates wellness data, the entity must provide notification that the data will not be subject to HIPAA and offer an opportunity for the user to opt-out of the wellness data generation.

De-Identified Information

HIPRA also requires the Secretary of HHS to promulgate regulations establishing unified national standards for rendering AHI as de-identified information within one year of HIPRA’s enactment.

The de-identification standards must be equal to or more stringent than the standards under HIPAA. Specifically, these standards must address the use of privacy-enhancing technologies and specify that the information provided by a regulated entity, service provider, covered entity, or business associate to another person or entity is not considered de-identified unless the recipient agrees, in writing, to not re-identify the information. 

National Academies of Sciences

HIPRA requires the Secretary of HHS to engage the National Academies of Sciences, Engineering, and Medicine within 60 days of its enactment to conduct a study on the potential risks and benefits of paying compensation to patients for sharing their identifiable data for research purposes.

Enforcement

The protections outlined in HIPRA are enforceable by the Secretary of HHS and the Federal Trade Commission (“FTC”). Those in violation of HIPRA may be subject to civil penalties and sanctions.

Companies who run healthcare apps, sell wearables and process health data should closely monitor this expansion of patient privacy protection. If adopted, those impacted should take the appropriate steps to ensure compliance with HIPRA, such as updating any operations manuals or compliance documents. 

To learn more about the Health Information Privacy Reform Act, and how its adoption could impact you, please contact BMD Member Jeana Singleton at jmsingleton@bmdllc.com or Attorney Kate Crawford at khcrawford@bmdllc.com.


ODM to Implement Medicaid Work Requirements: What Providers and Medicaid Expansion Recipients Need to Know

The Ohio Department of Medicaid (ODM) has submitted a waiver to impose work requirements for Medicaid expansion recipients. If approved, the new eligibility criteria will take effect on January 1, 2026. A federal public comment period is open until April 7, 2025.

Ohio Appellate Court Rules in Favor of Gender-Affirming Care

On March 18, 2025, the 10th District Court of Appeals in Franklin County ruled that Ohio’s House Bill (HB) 68, which restricts puberty blockers and hormone therapy for minors seeking gender-affirming care, violates the Health Care Freedom Amendment and is therefore unenforceable. The court found that the law unlawfully interferes with parental rights and medical decision-making. The case, Moe v. Yost, has been remanded, and Ohio Attorney General Dave Yost intends to appeal.

HHS Revokes Public Comment Requirement on Certain Policy Changes

The U.S. Department of Health and Human Services (HHS) has revoked the Richardson Waiver, eliminating the requirement for public notice and comment on certain policy changes. This decision allows HHS to implement new policies more quickly, potentially affecting healthcare funding rules like Medicaid work requirements. While it speeds up policymaking, it also reduces opportunities for stakeholder input, raising concerns over transparency and unintended consequences for healthcare providers, states, and patients.

Don't Get Caught Dazed and Confused: Another Florida Court Weighs in on Employer Obligations to Accommodate Medical Marijuana Use

A Florida trial court ruled in Giambrone v. Hillsborough County that employers may need to accommodate off-duty medical marijuana use under the Florida Civil Rights Act (FCRA). This contrasts with prior rulings and raises new compliance challenges for employers. With the case on appeal, now is the time to review workplace drug policies.

Corporate Transparency Act to be Re-evaluated

Recent federal rulings have impacted the enforceability of the Corporate Transparency Act (CTA), which took effect on January 1, 2024. While reporting requirements were briefly reinstated, FinCEN has now paused enforcement and is reevaluating the CTA. Businesses are no longer required to submit reports until further guidance is issued. For updates and legal counsel, contact BMD Member Blake Gerney.