Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Proposed Health Information Privacy Reform Act Expands Protections Beyond HIPAA

Client Alert
January 26, 2026

Do you process health data? If so, the proposed Health Information Privacy Reform Act (“HIPRA”) may impact you. Most people recognize the standards under the Health Insurance Portability and Accountability Act (“HIPAA”) as providing adequate protections to individuals’ personal health information. However, HIPAA does not cover every instance where health data exists. Health data that exists outside of typical patient-provider interactions and healthcare facilities, such as in a healthcare app or smartwatch, are not necessarily covered by HIPAA. The Health Information Privacy Reform Act (“HIPRA”) was introduced last November to account for the technology that has changed how individuals access their health data. As a result of the privacy concerns surrounding this technology, HIPRA seeks to extend protections to health data that is currently not protected under HIPAA. 

The key provisions under HIPRA are as follows:

Increased Privacy Protection

HIPRA seeks to increase privacy protection, in part by introducing new definitions regarding applicable health information (“AHI”), regulated entities, and service providers.

“AHI” is defined under HIPRA as all information that “identifies an individual or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual, and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and may include information […] that was not created or received by a health care provider, health plan, employer, or health care clearinghouse.” This definition indicates that protections under HIPRA would apply to information beyond what is considered patient health information (“PHI”) under HIPAA.

HIPAA applies to covered entities (i.e. health plans, healthcare providers, and healthcare clearinghouses) and business associates. HIPRA broadens the scope of HIPAA by establishing privacy standards for regulated entities and their service providers. A “regulated entity” is defined as “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing [AHI]”, and a “service provider” is “a natural or legal entity that processes [AHI] on behalf of a regulated entity and that is not a covered entity or business associate.”

Privacy, Security, and Breach Notification

HIPRA requires the Secretary of Health and Human Services (“HHS”) to promulgate regulations setting forth privacy, security, and breach notification standards for the processing of AHI by regulated entities and their service providers. These standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with” the protections under HIPAA and section 13402 of the HITECH Act. For example, regulated entities and service providers would be required to disclose how a user’s health data will be used and disclosed. HIPRA affords users the right to receive a privacy notice from the regulated entity, access to their AHI, amend or delete their AHI, and requires that AHI be portable.

Access Requirements

HIPRA also establishes rights and requirements regarding access to certain PHI. For example, when an individual requests that a covered entity or business associate transmit, produce, or provide access to a copy of the individual’s PHI to a person or entity, the request must meet the requirements of a valid authorization under HIPAA.

HIPRA authorizes covered entities and business associates to require the receiving party to pay or to accept terms, limitations, and conditions of use and disclosure when transmitting, producing, or providing access to PHI. 

Patient Notifications

For regulated entities and service providers who gain access to an individual’s PHI through the patient right of access under 45 CFR § 164.524, such entities or service providers must issue a written notification informing the patient that the PHI will no longer be subject to protection under HIPAA and how and to which entities such PHI may be redisclosed. Further, any regulated entity or service provider must obtain an individual’s consent before selling their PHI to a third-party.

When a regulated entity or service provider offers digital technology that generates wellness data, the entity must provide notification that the data will not be subject to HIPAA and offer an opportunity for the user to opt-out of the wellness data generation.

De-Identified Information

HIPRA also requires the Secretary of HHS to promulgate regulations establishing unified national standards for rendering AHI as de-identified information within one year of HIPRA’s enactment.

The de-identification standards must be equal to or more stringent than the standards under HIPAA. Specifically, these standards must address the use of privacy-enhancing technologies and specify that the information provided by a regulated entity, service provider, covered entity, or business associate to another person or entity is not considered de-identified unless the recipient agrees, in writing, to not re-identify the information. 

National Academies of Sciences

HIPRA requires the Secretary of HHS to engage the National Academies of Sciences, Engineering, and Medicine within 60 days of its enactment to conduct a study on the potential risks and benefits of paying compensation to patients for sharing their identifiable data for research purposes.

Enforcement

The protections outlined in HIPRA are enforceable by the Secretary of HHS and the Federal Trade Commission (“FTC”). Those in violation of HIPRA may be subject to civil penalties and sanctions.

Companies who run healthcare apps, sell wearables and process health data should closely monitor this expansion of patient privacy protection. If adopted, those impacted should take the appropriate steps to ensure compliance with HIPRA, such as updating any operations manuals or compliance documents. 

To learn more about the Health Information Privacy Reform Act, and how its adoption could impact you, please contact BMD Member Jeana Singleton at jmsingleton@bmdllc.com or Attorney Kate Crawford at khcrawford@bmdllc.com.

HealthcareHealth LawHealthcare PolicyJeana SingletonKatherine Crawford
Client Alert

New Florida Law: Patient Overpayments Must Be Refunded Within 30 Days

December 22, 2025Effective January 1, 2026, Florida Senate Bill 1808 requires health care facilities and practitioners to refund patient overpayments within 30 days after an overpayment is identified. The law applies to overpayments tied to claims submitted to government programs or private insurers and introduces fines and disciplinary consequences for noncompliance. Providers should review billing and payment practices now to prepare for the new requirements.Client Alert

USCIS Policy Change Impacting Work Authorization: Advisory for Employers and Human Resources

December 8, 2025USCIS has issued a policy memorandum pausing immigration benefit processing for individuals from 19 high-risk countries and requiring a re-review of certain previously approved cases. This change may affect work authorization, employment verification, and workforce stability. Employers and HR teams should review impacted employees and update compliance procedures.Client Alert

CMS Releases CY 2026 Medicare Physician Fee Schedule Final Rule with Key Payment and Telehealth Updates

December 4, 2025CMS issued the CY 2026 Medicare Physician Fee Schedule Final Rule on October 31, 2025, with changes effective January 1, 2026. The Final Rule includes increases to the conversion factor, a new efficiency adjustment, updates to practice expense methodology, permanent telehealth policy changes, revised payment for skin substitutes, expanded rules for Part B drugs and biologicals, enhanced policies for Rural Health Clinics and Federally Qualified Health Centers, and new care management and behavioral health services.Client Alert

Ohio Department of Medicaid Updates: Key Changes to Physician Reimbursement Rates in Early Parenthood

December 3, 2025The Ohio Department of Medicaid has proposed amending Ohio Administrative Code Rule related to covered Medicaid reimbursements for physicians. Beginning on January 1, 2026, they are proposing an increase to rates for prenatal care, childbirth, and infant care and provider visits.Client Alert

Name, Image, and Likeness Agreements in Healthcare

November 14, 2025For example, some healthcare providers have begun to utilize "Name, Image, and Likeness" agreements to promote the brand they have created through their healthcare practice.  We have seen the most healthcare NIL activity with longevity and wellness providers, as well as orthopedics.
Older posts
Newer posts