Introduced: Nov 4, 2025
Congress.gov:
Bill Statistics
Actions: 2
Cosponsors: 0
Summaries: 0
Subjects: 0
Text Versions: 1
Full Text: Yes
Latest Action
Nov 4, 2025
Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
Actions (2)
Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
Type: IntroReferral | Source: Senate
Nov 4, 2025
Introduced in Senate
Type: IntroReferral | Source: Library of Congress | Code: 10000
Nov 4, 2025
Full Bill Text
Length: 20,469 characters
Version: Introduced in Senate
Version Date: Nov 4, 2025
Last Updated: Nov 14, 2025 2:28 AM
[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 3097 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 3097
To provide additional protections with respect to health information,
and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
November 4, 2025
Mr. Cassidy introduced the following bill; which was read twice and
referred to the Committee on Health, Education, Labor, and Pensions
_______________________________________________________________________
A BILL
To provide additional protections with respect to health information,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1.
This Act may be cited as the ``Health Information Privacy Reform
Act''.
SEC. 2.
(a) In General.--The Secretary of Health and Human Services, in
consultation with the Federal Trade Commission, shall promulgate
regulations setting privacy, security, and breach notifications
standards for the processing of applicable health information by
regulated entities and their service providers. Such standards shall
provide protections that are at least commensurate with, and wherever
feasible and appropriate harmonize with, the protections provided
through the privacy, security, and breach notification rules
promulgated under section 264(c) of the Health Insurance Portability
and Accountability Act of 1996 (42 U.S.C. 1320d-2 note) and
section 13402 of the HITECH Act (42 U.
entities and business associates with respect to protected health
information under such rules. Such regulations promulgated under this
section shall include the following:
(1) Privacy requirements, including the following:
(A) Permitted uses and disclosures of applicable
health information without an individual's written
authorization that are consistent with the individual's
reasonable expectations.
(B) Other permitted uses and disclosures of
applicable health information without an individual's
written authorization for certain public policy
purposes, such as public health, health oversight, law
enforcement, judicial and administrative proceedings,
and any conditions for such uses and disclosures.
(C) Uses and disclosures of applicable health
information that require the individual's written
authorization and the requirements related to such
written authorizations.
(D) Prohibited uses and disclosures of applicable
health information.
(E) Minimum necessary requirements for the request,
use, and disclosure of applicable health information
and any exceptions.
(F) Standards and requirements related to legal
representatives of the individual.
(G) Standards and requirements related to service
providers.
(H) Individual rights with respect to applicable
health information, including the right of the
individual to receive a privacy notice from the
regulated entity, access to applicable health
information, amendment of applicable health
information, deletion of applicable health information,
and portability of applicable health information, and
any exceptions to such rights (such as with respect to
applicable health information collected for research
purposes), any conditions on such rights, and any other
requirements related to such rights, including
timeframes for responding to requests.
(I) Administrative safeguards, including
designation of a privacy officer, policies and
procedures, training of workforce members, non-
retaliation, documentation, and mitigation.
(2) Security requirements, including the following:
(A) Physical, technical, and administrative
safeguards for applicable health information in any
form.
(B) For electronic applicable health information,
such safeguards shall be based on well-established
national frameworks, such as cybersecurity performance
goals of the National Institute of Standards and
Technology or the Department of Health and Human
Services.
(3) Breach notification requirements in the event of a
breach of applicable health information that are substantially
similar to the breach notification requirements under subpart D
of part 164 of title 45, Code of Federal Regulations (or any
successor regulations).
(b) Enforcement Authority.--The Secretary, in consultation with the
Federal Trade Commission, is authorized to enforce all provisions of
this Act as described in subsection (c).
(c) Civil Penalties.--In addition to any other sanctions or
remedies that may be available under any provision of Federal law, in
the case of a regulated entity or service provider that violates this
section, subpart D of part 160 of title 45, Code of Federal Regulations
(or any successor regulations), shall apply to the regulated entity or
service provider with respect to such violation of this section in the
same manner that such subpart applies to a person with respect to a
violation of part 160 of title 45, Code of Federal Regulations (or any
successor regulations).
(d) Extension of HITECH Act Amendment to Regulated Entities and
Service Providers.--The privacy and security practices under
section 13412 of the Health Information Technology for Economic and Clinical
Health Act (42 U.S.C. 17941) shall apply to regulated entities and
service providers with respect to applicable health information in the
same manner that such section applies to covered entities and business
associates.
(e) Definitions.--In this section:
(1) Applicable health information.--The term ``applicable
health information''--
(A) means information (including demographic
information) that--
(i) identifies an individual or with
respect to which there is a reasonable basis to
believe that the information could be used to
identify an individual; and
(ii) relates to the past, present, or
future physical or mental health or condition
of an individual, the provision of health care
to an individual, or the past, present, or
future payment for the provision of health care
to an individual; and
(B) may include information described in subparagraph (A) that was
not created or received by a health care provider, health plan,
employer, or health care clearinghouse.
(2) Covered entities; business associates.--The terms
``covered entities'' and ``business associates'' have the
meanings given such terms in
section 160.
of Federal Regulations (or any successor regulations).
(3) Regulated entity.--The term ``regulated entity''--
(A) means a natural or legal person that, alone or
jointly with others, determines the purpose and means
of processing applicable health information; and
(B) does not include--
(i) a governmental entity such as a body,
authority, board, bureau, commission, district,
agency, or political subdivision of the
Federal, State, or local government;
(ii) a person or an entity that is
collecting, processing, or transferring covered
data on behalf of or a Federal, State, Tribal,
territorial, or local government entity; and
(iii) a covered entity or business
associate, as such terms are defined in
section 160.
Regulations (or any successor regulations).
(4) Service provider.--The term ``service provider'' means
a natural or legal entity that processes applicable health
information on a behalf of a regulated entity and that is not a
covered entity or business associate, as such terms are defined
in
section 160.
any successor regulations).
SEC. 3.
HEALTH INFORMATION.
(a) Time and Manner of Access.--In applying section 13405(e) of the
Health Information Technology for Economic and Clinical Health Act (42
U.S.C. 17935(e)) or
section 164.
(c)(3)(ii) of title 45, Code of Federal Regulations (or any successor
regulations), in the case that an individual requests that a covered
entity or any business associate of a covered entity transmit, produce,
or provide access to a copy of the individual's protected health
information to a person, including an entity, designated by the
individual, and except where permitted without authorization under
section 164.
(c) of title 45, Code of Federal Regulations (or any successor
regulations)--
(1) the individual's request shall meet all requirements of a valid
authorization under
section 164.
(b) of title 45, Code of Federal Regulations (or any successor
regulations); and
(2) the covered entity or business associate may condition
the transmittal, production, or provision of access upon the
person to whom the information is to be transmitted or produced
or to whom access is to be provided--
(A) paying fees, in accordance with applicable State law and
consistent with subsection (b), in advance of such transmittal,
production, or access; and
(B) acknowledging and accepting the terms,
limitations, and conditions of use and disclosure
contained in the request made by the individual as the
legally binding obligation of the person receiving the
information.
(b) Fees.--
(1) In general.--In applying section 13405(e)(3) of the Health
Information Technology for Economic and Clinical Health Act (42 U.S.C.
17935(e)(3)) or
section 164.
(c)(4) of title 45, Code of Federal Regulations (or any successor
regulations), each such section shall apply only--
(A) to the provision of access to, or the production, copying, or
transmittal of, protected health information directly to--
(i) the individual, or the individual's personal representative for
health care purposes as described in
section 164.
(g) of title 45, Code of Federal Regulations (or any successor
regulations);
(ii) subject to paragraph (2) and
section 164.
(b) of title 45, Code of Federal Regulations (or any successor
regulation), any other person identified in, and subject to the
limitations of, such section; or
(iii) the individual's health care provider or the business
associates of such provider; and
(B) as directed by the individual, to the
electronic transmittal of the individual's electronic
health record to the patient portal or mobile medical
application used and maintained by the individual's
health care provider or for the health care provider by
its business associate.
(2) Additional limitations.--In the case of the provision of access
to, or the production, copying, or transmittal of, protected health
information under paragraph (1)(A) directly to a person described in
clause (ii) of such paragraph, such protected health information shall,
in accordance with
section 164.
(b) of title 45, Code of Federal Regulations (or any successor
regulations), be limited to only such information that is--
(A) directly relevant to the person's involvement with the care of
the individual or with the payment relevant to the care of the
individual; or
(B) needed for notification purposes described in such section.
(c) Definitions.--In this section, the terms ``business
associate'', ``covered entity'', ``health care provider'',
``individual'', ``person'', and ``protected health information'' have
the meanings given such terms in
section 160.
Federal Regulations (or any successor regulations).
(d) Guidance.--Not later than 180 days after the date of enactment
of this Act, the Secretary of Health and Human Services shall amend
existing guidance as necessary to implement subsections (a) and (b).
SEC. 4.
Section 543 of the Public Health Service Act (42 U.
amended--
(1) in subsection (a), by striking ``subsection (b)'' and
inserting ``the HIPAA regulations'';
(2) in subsection (b)--
(A) in paragraph (2), by redesignating subparagraphs (A) through
(D) as paragraphs (1) through (4), respectively, and adjusting the
margins accordingly; and
(B) by striking ``(b) Permitted Disclosure'' and all that follows
through ``(2) Method for disclosure--Whether'' and inserting the
following: ``(b) Permitted Disclosure.--Whether'';
(3) in subsection (c), in the matter preceding paragraph (1), by
striking ``subsection (b)(2)(C)'' and inserting ``subsection (b)(3)'';
and
(4) in subsection (g), by striking ``subsection (b)(2)(C)'' and
inserting ``subsection (b)(3)''.
SEC. 5.
DATA FOR RESEARCH PURPOSES.
(a) In General.--Not later than 60 days after the date of enactment
of this Act, the Secretary of Health and Human Services shall seek to
enter into a contract with the National Academies of Sciences,
Engineering, and Medicine to conduct a study examining potential risks
and benefits of paying compensation to patients for sharing their
identifiable data for research purposes.
(b) Inclusions.--The study conducted pursuant to the contract under
subsection (a) shall include an examination of--
(1) the risks to patient privacy posed by the integration
of identifiable, de-identified, and aggregated health
information into datasets used for research;
(2) privacy enhancing tools and methods for the protection
of patient health data;
(3) the feasibility of tracking patient data and consent
for the integration of patient health data into datasets used
for research;
(4) ethical considerations for compensating patients for
use of their identifiable and de-identified health data;
(5) whether the existing exemptions permitting de-
identified data to be used for research should consider whether
a patient was given an opportunity to opt-in or opt-out of
participation; and
(6) risk of re-identification of de-identified data.
SEC. 6.
REGULATIONS.
(a) Patient Notification Upon Removal.--Any regulated entity or
service provider who gains access to the protected health information
of an individual through the patient right of access under
section 164.
regulations) shall--
(1) provide a written plain language notification to such
individual prior to accessing such information--
(A) that such protected health information will no
longer be subject to the protections under the HIPAA
privacy regulation; and
(B) that includes an explanation of how and to
which entities such protected health information may be
redisclosed; and
(2) require the consent of the individual before selling
such protected health information to third parties.
(b) Patient Notification Regarding Wellness Data.--
(1) In general.--Any regulated entity or service provider
who offers digital technology that generates wellness data
about individuals shall, with respect to each individual who
uses such technology--
(A) provide a written plain language notification
to the individual in advance of initiating the
generation of such data that such data will not be
subject to the protections of the HIPAA privacy
regulation; and
(B) offer the individual an opportunity to opt out
of such wellness data generation.
(2) Wellness data.--In this subsection, the term ``wellness
data'' means data generated for the purpose of promoting health
or preventing disease, which may include vital statistics, step
counts, and medical regimen compliance.
(c) Definitions.--In this section--
(1) the terms ``business associate'', ``covered entity'',
and ``protected health information'' have the meanings given
such terms in
section 160.
Regulations (or any successor regulations);
(2) the term ``HIPAA privacy regulation'' has the meaning
given such term in section 1180(b)(3) of the Social Security
Act (42 U.S.C. 1320d-9(b)(3)); and
(3) the terms ``regulated entity'' and ``service provider''
have the meanings given such terms in section 2.
(d) Effective Date.--This section shall take effect beginning one
year after the date of enactment of this Act.
SEC. 7.
Not later than 1 year after the date of enactment of this Act, the
Secretary of Health and Human Services shall publish guidance on the
application of the minimum necessary standard to data used for
artificial intelligence and other machine learning applications and
relevant requirements, including health data interoperability
requirements under section 3001(c)(9) of the Public Health Service Act
(42 U.S.C. 300jj-11(c)(9)) and the use of limited data sets pursuant to
section 13405(b) of the HITECH Act (42 U.S.C. 17935(b)).
SEC. 8.
(a) Establishment of Standards.--Not later than 1 year after the
date of enactment of this Act, the Secretary of Health and Human
Services shall promulgate regulations establishing unified national
standards for rendering applicable health information as de-identified
information, in a manner similar to the manner in which individually
identifiable health information may be rendered de-identified
information pursuant to part 164 of title 45, Code of Federal
Regulations (or any successor regulations).
(b) Composition of Standards.--Such standards shall--
(1) be at least equivalent to or exceed the de-identification
standard specified in
section 164.
(b) of title 45, Code of Federal Regulations (or any successor
regulations);
(2) specify standards for the use of privacy-enhancing
technologies as a method for creating de-identified
information; and
(3) specify that information shall not qualify as de-
identified information when provided by a regulated entity,
service provider, covered entity, or business associate to
another person or entity unless such person or entity
contractually agrees in writing not to re-identify or attempt
to re-identify the information, and to require the same of any
person or entity to whom such person or entity provides the
information.
(c) Definitions.--In this section--
(1) the term ``applicable health information'' has the
meaning given such term in section 2;
(2) the terms ``business associate'', ``covered entity'',
and ``individually identifiable health information'' have the
meanings given such terms in
section 160.
of Federal Regulations (or any successor regulations); and
(3) the term ``privacy enhancing technologies'' means any
software or hardware solution, technical process, or other
technological means of mitigating individuals' privacy risks
arising from data processing by enhancing predictability,
manageability, disassociability, and confidentiality.
SEC. 9.
Section 160.
successor regulations) shall apply to the requirements set forth under
this Act in the same manner and to the same extent as such section
applies to the standards, requirements, and implementation
specifications under subchapter C of chapter I of subtitle A of title
45, Code of Federal Regulations (or any successor regulations).
<all>