Vendors for healthcare providers may be getting less information about patients with medical debt should the Senate pass a proposed expansion of the Health Information Technology Act (HITECH).

The proposed law also includes requirements that vendors, such as collection agencies, encrypt all patient-related data originating from healthcare providers.

Sen. Al Franken (D-Minn.) last month submitted the self-titled “Protect Our Health Privacy Act,” which expands HITECH’s encryption requirements for patient information to the business associates of healthcare providers. Any device containing patient data — from mainframe to thumb drive — must be encrypted.

The bill also would limit what patient information third-party vendors would receive from a healthcare provider “to only such information as necessary for the performance of the service or function that the covered entity has contracted with the business associate to perform on behalf of the covered entity” and “to only those uses that are necessary for the performance of the service or function.”

Additionally, the new law would require healthcare providers to make explicit in the business associates agreement the specifics of how it will fulfill these new restrictions.


Sen. Franken’s bill also spells out the reporting on patient data breaches that Congress expects from the U.S. Attorney General’s office and the Secretary of Health and Human Services.

The bill, Senate 3351, is one of two submitted by Sen. Franken. Senate 3350 proposes changes to the Fair Debt Collection Practices Act that put additional restrictions on collecting medical debt. Both bills are the result of an investigation by Sen. Franken’s office into Minneapolis-based Fairview Health Services, a not-for-profit chain of seven hospitals and more than 40 clinics, and revenue cycle vendor Accretive Health. (You can read more here: Sen. Franken Hearing on Accretive: Five Takeaways Every Health Care Collection Professional Needs to Know.) What sparked the investigation was the theft last summer of a laptop under the care of an Accretive employee that allegedly contained medical information and other sensitive data of more than 40,000 patients.