April 24, 2026

What the SECURE Data Act Means for Small Healthcare Practices

A new federal privacy bill was introduced this week. Here is why your HIPAA obligations do not change.

On April 22, 2026, House Energy and Commerce Republicans introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, known as the SECURE Data Act. It is the latest attempt at a comprehensive federal privacy law in the United States.

For most small business owners, the headline is confusing. Another privacy bill. More uncertainty. More noise.

For small healthcare practices specifically, the signal is clear. Your obligations do not change.

What the bill would do

The SECURE Data Act would establish a uniform federal privacy standard and preempt state-level comprehensive privacy laws. That means laws like the California Consumer Privacy Act, the Colorado Privacy Act, and the Delaware Personal Data Privacy Act could be preempted by the federal rule if the bill becomes law.

The draft includes common consumer rights found in state laws, along with novel provisions including a data broker registry managed by the Federal Trade Commission, a safe harbor for companies that follow a Department of Commerce-approved code of conduct, and stronger protections for data belonging to children under 13.

Notably, the current draft does not include a private right of action, data protection impact assessment requirements, or universal opt-out signal recognition.

What the bill does not do

The SECURE Data Act does not preempt sector-specific federal laws. HIPAA is a sector-specific federal law. It governs how healthcare providers, health plans, and their business associates handle protected health information. That framework sits entirely outside the scope of general consumer privacy legislation.

This is not an oversight. It is structural. HIPAA is enforced by the Office for Civil Rights at the Department of Health and Human Services. It covers protected health information, which is defined and regulated through Parts 160 and 164 of Title 45 of the Code of Federal Regulations. Consumer privacy bills like SECURE do not touch that framework.

For every dental office, MedSpa, chiropractic clinic, therapy practice, and specialty medical group, the compliance picture stays exactly the same.

Why small healthcare practices should still pay attention

Even though the obligations do not change, the conversation around privacy is about to get louder. When a federal privacy law moves through Congress, small business owners hear about it. They get confused. They ask their accountants, their web designers, and their friends whether they are covered.

Healthcare practices will be asked. Patients will ask. Staff will ask. Business partners who share data will ask.

Having a clear answer matters. The answer is straightforward: HIPAA applies to your practice because of what your practice does, not because of how big it is or how much revenue it earns. There is no threshold, no employee count, and no revenue floor. If you transmit health information electronically in connection with a covered transaction, HIPAA applies.

That framework has been in place for decades and is well-established. The SECURE Data Act, if it passes, does not change it. If it fails, which most observers expect it will, nothing changes either.

What to do now

Review your Notice of Privacy Practices. Confirm it is posted, current, and distributed to new patients. Check your website privacy policy and cookie consent for accuracy regarding what your site collects and how it is used. If you use Google Analytics, marketing pixels, or patient intake forms on your site, you likely have data collection that falls outside HIPAA and may be covered by state privacy laws regardless of the federal debate.

The uncertainty around federal privacy law is a good reason to audit what you already have. Federal legislation is noise. HIPAA is the signal. State privacy laws apply to the non-PHI data your website collects, regardless of what Congress does this year.

If you want a clear picture of where your practice stands, a Data Privacy Exposure Review identifies your top three risks and tells you what to fix first. Flat fee, one-page report, no retainer.
