The American Privacy Rights Act of 2024 (APRA), a bipartisan and “historic” comprehensive data privacy bill unveiled April 8, 2024, would preempt state data privacy laws and be enforced by the Federal Trade Commission, states, and affected individuals. As per the Press Release:

“This comprehensive draft legislation sets clear, national data privacy rights and protections for Americans, eliminates the existing patchwork of state comprehensive data privacy laws, and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals.”

Although it includes a carve-out for covered entities and business associates subject to HIPAA, the carve-out comes with a caveat — the covered entities and business associates must be “in compliance with” the data privacy and security requirements of HIPAA.

While state data privacy laws commonly include either entity-level carve-outs for covered entities and business associates subject to HIPAA or data-level carve-outs for their PHI (or some combination of the two), APRA’s carve-out leaves open the possibility that non-compliant covered entities and business associates would be subject to APRA’s requirements and “robust” enforcement mechanisms, including the right for an individual to sue for an alleged HIPAA violation.

HIPAA covered entities and business associates may be acutely aware of the fact that “HIPAA compliance” is a temporal and elusive status, one that may be lost when a hacker gains system access or a rogue (or careless) employee causes a breach. In fact, a HIPAA-regulated entity could be deemed to have violated HIPAA simply by failing to abide by a HIPAA Privacy or Security Rule requirement, such as maintaining required documentation for a period of six years. Given the complexity of HIPAA and ever-evolving HIPAA compliance requirements (see, for example, recent regulatory amendments and guidance documents adopted and/or issued by the U.S. Department of Health and Human Services), it is easy to see how tenuous APRA’s HIPAA carve-outs may actually be.