An open letter to the U.S. Congress

Stop Mass Health Surveillance Before it Starts


I’m writing to urge immediate action to close the “HIPAA gap” and safeguard Americans’ private health information. Today, data from consumer health devices and apps—Fitbits, Apple Watches, smart scales, period and symptom trackers—often falls outside HIPAA because the companies that make them aren’t “covered entities.” HHS’s own guidance confirms that HIPAA generally applies only when data flows through providers, plans, or their business associates—not when the same sensitive metrics are held by consumer apps and wearables.

This gap matters urgently in light of a new federal push to assemble a nationwide autism database by pooling Medicare/Medicaid claims, EHRs, and potentially wearable-device streams. While framed as research, such a repository risks normalizing mass health surveillance and mission creep—especially without explicit informed consent, narrow purpose limits, and robust governance. Reported plans to build a comprehensive autism dataset have already sparked backlash from privacy advocates, clinicians, and autistic self-advocates who warn about stigma, misuse, and a slippery slope toward state monitoring.

States are beginning to push back. Illinois, for example, moved to block sharing of personal autism data with the federal government absent consent—an early sign of the profound public trust issues at stake. We should not require a patchwork of state protections for something so fundamental.

Congress should act now on two fronts:

1. Extend HIPAA-level protections (or an equivalent federal standard) to consumer-generated health data and the companies that collect it—closing the loophole that leaves heart rate, sleep, menstrual, location-linked biometrics, and mental-health signals exposed. The FTC has expanded breach notification duties for health apps and connected devices, but that’s not a substitute for comprehensive privacy, use, and sale limits.

2. Impose strict statutory guardrails on any federal health database: explicit, opt-in consent; data minimization; independent ethics oversight; prohibition on secondary uses (law-enforcement, immigration, eligibility screening); strong de-identification standards; and a clear deletion/appeal process.

Leading policy voices in Congress have already called for updating HIPAA and enacting a modern framework for consumer health and wellness data—please build on that momentum. Additional proposals—like the past SMARTWATCH Data Act—recognize the problem but must be strengthened so protections travel with the data and bind the entities that collect and monetize it, not only limit sales. We need comprehensive federal guardrails, not piecemeal fixes.

Americans should not have to choose between innovation and privacy. Please support legislation that (a) extends HIPAA-grade protections to consumer health data and (b) halts any national autism database until rigorous, consent-based privacy safeguards are enacted. Thank you for your leadership on civil liberties and health privacy.

Created on September 24 by Action Now
