Senators Push for Bipartisan Bill to Close HIPAA-Related Loopholes
The Senate should revisit legislation to protect consumers’ health data privacy outside the scope of the Health Insurance Portability and Accountability Act (HIPAA), Sens. Bill Cassidy, R-La., and Jacky Rosen, D-Nev., told us in recent interviews (see 2507090048).
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Cassidy and Rosen are co-authors of the Stop Marketing and Revealing the Wearables and Trackers Consumer Health (Smartwatch) Data Act. Through an amendment to HIPAA, the bill would ban companies from sharing health data stored on wearable devices like smartwatches with third parties if they lack consumer consent.
Cassidy, chairman of the Senate Health Committee, spoke about addressing questions concerning genetic data practices at companies like 23andMe and setting limits on law enforcement access to sensitive data. Another bipartisan duo, Sens. Amy Klobuchar, D-Minn., and Lisa Murkowski, R-Alaska, have also explored health-data privacy.
Washington state has a privacy law covering smartwatch data called the My Health My Data Act, while a similar New York state bill awaits its governor’s signature (see 2505130049). Connecticut and Nevada passed health-data privacy protections in 2023.
Cassidy said consumers often aren’t aware of the privacy implications associated with wearable devices and the inferences companies can draw from the data: “People need to know if this information is being transmitted in a way which may not be for their benefit.” A medical doctor, Cassidy said data from simple, everyday routines can be used to predict medical conditions and risks. Accordingly, any update to HIPAA should account for recent concerns about 23andMe and how law enforcement uses medical device data in criminal investigations, he added. “Privacy is at stake, and we don’t want that to be sacrificed” without a consumer knowing it can be used against them. “My gosh, your genetic code is the most intimate thing.”
The Senate needs to consider HIPAA and cybersecurity issues related to wearables, said Rosen. She said she will work with Cassidy to ensure consumers “get the care they need and the privacy they deserve.”
The Smartwatch Data Act specifically targets the selling and sharing of health data with for-profit entities. Under the bill, law enforcement could access such data if it’s requested through proper channels.
Washington’s My Health My Data Act, which went into staggered effect in 2023 and 2024, was written with the same purpose: to stop companies from sharing consumer health data without consent. It covers information derived from non-health data when regulated entities use that information to associate or identify a person with consumer health information. This includes consumer purchases of products that have been used to make predictions about pregnancy.
The New York Health Information Privacy Act covers “information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Regulated entities under the New York bill include those processing consumer health data for secondary purposes like marketing and targeted advertising.