Committee hearing spotlights gaps in privacy and calls to expand HIPAA, bolster TEFCA and accountability for third parties
Summary
EHR vendors, academics and members of Congress warned that current privacy rules do not cover many apps and third parties that handle health‑related data, and urged lawmakers to extend protections or require higher standards for exchange networks.
Witnesses and members at a House health subcommittee hearing said existing privacy rules leave gaps when patient data flows outside traditional health‑care actors — and they urged Congress to close those gaps or require higher standards for exchange networks.
Jackie Gerhardt, a practicing family physician and chief medical officer at Epic, told the committee that "HIPAA only covers actors like health systems, insurers, and their contracted business associates such as Epic," and that patients can be confused about which apps and third parties are covered. She said that is one reason Epic supports TEFCA, the federally endorsed trust framework, which requires participants to adhere to higher privacy standards.
Why it matters: Several members and witnesses pointed to instances where data collected outside covered entities could be used in ways patients did not expect — including marketing, sale to third parties or legal solicitation — and noted particular risks in the post‑Dobbs era where reproductive‑health data could be used for prosecution.
Specific concerns and examples
- Class‑action solicitation and law‑firm access: During questioning, witnesses and members said law firms have used health‑app data to recruit clients; Jackie Gerhardt described class‑action litigation in which firms portrayed themselves as health providers to gain access to data. The committee heard that law firms are not HIPAA‑covered entities and so are not subject to HIPAA's constraints in the way health systems are.
- Consumer apps and period trackers: Members referenced reporting that some period‑tracking apps obscure their privacy practices and may share data with third parties; witnesses said users can be misled into believing HIPAA protections apply when they do not.
- Government contracting and large platforms: A member asked about Palantir's work with federal public‑health data; witnesses said HIPAA covers only certain entities and that outsourced arrangements must be examined case by case.
Panel recommendations and policy options
Witnesses and members offered a range of policy responses: (1) expand HIPAA or craft new legislation to cover entities that exchange or hold patient data outside traditional health‑care actors; (2) require stronger privacy commitments from networks that participate in TEFCA or federal data platforms; (3) ensure data‑use transparency so consumers understand where their data flows and for what purpose.
Caveats
Experts on the panel also warned against unintentionally stifling innovation. Dr. Kristen Holmes and others argued that policies should preserve "innovation zones" such as provisions in the 21st Century Cures Act and appropriate FDA guidances that have allowed consumer wellness technologies to develop.
Ending
Members pressed witnesses for specific fixes and said they would seek follow‑up materials. The session closed with members reserving two weeks to submit written questions for the record.