E&C Comprehensive Data Privacy Bill Includes HIPAA Carveout

Inside Health Policy, Apr 22, 2026

Why It Matters

The carveout protects health providers from a one‑size‑fits‑all federal regime, preserving state‑based protections and limiting compliance complexity. It signals that privacy legislation can accommodate industry‑specific concerns, shaping future regulatory negotiations.

Key Takeaways

  • Bill exempts HIPAA entities from federal privacy preemption
  • Reflects health groups' recommendations submitted to committee last year
  • Preserves state-level health data protections for covered entities
  • Creates dual compliance for health and non‑health data handlers
  • Signals GOP openness to health‑privacy compromises in broader reform

Pulse Analysis

A wave of federal privacy proposals has surged in Congress, aiming to replace the patchwork of state statutes with a single, preemptive framework. Proponents argue that a uniform rule would simplify compliance for businesses operating across state lines and strengthen consumer protections. However, health‑care stakeholders have warned that a blanket approach could clash with the Health Insurance Portability and Accountability Act (HIPAA), which already imposes stringent safeguards on patient information. The draft bill from the Energy & Commerce Committee attempts to reconcile these tensions by carving out HIPAA‑covered entities, thereby preserving the existing federal‑state balance in health data regulation.

The HIPAA carveout is a direct response to coordinated lobbying by hospitals, insurers, and professional associations that submitted detailed recommendations to the committee last year. By exempting covered entities from the new preemptive regime, the bill ensures that state health‑privacy laws—often more protective than federal standards—remain enforceable. This dual‑track approach reduces the risk of regulatory gaps, allowing health organizations to continue adhering to both HIPAA and any applicable state statutes without the need for a costly overhaul of compliance programs. It also mitigates concerns that a federal framework could dilute patient consent requirements or data‑sharing restrictions unique to the health sector.

Politically, the carveout illustrates the GOP’s willingness to incorporate industry feedback into broader privacy legislation, a move that could smooth the path for the bill’s passage in a divided Congress. For health‑care firms, the exemption offers a degree of certainty but also signals that non‑health data handlers will still face the full weight of the national framework, potentially creating a bifurcated compliance landscape. Stakeholders should monitor upcoming committee hearings, the final language of the bill, and any complementary state actions, as these will shape the practical impact on data‑privacy strategies across the health ecosystem.
