A vote for the bill
Ok, early days yet, but insofar as my thought processes have developed on this, I'm supportive.
You can see why the bill is proposed - to deter insurance companies from trying to reverse engineer the data, and to be able to penalise them and shut them down if they do. It's data. It's hugely valuable for them. You HAVE to legislate against it, because if you don't, they can invest more than any university (indeed, can sponsor THEM) to deanonymise it.
Also, deidentification is not crypto. Once someone has made a viable attack on your crypto cipher, you can phase it out for all future use. With de-identification, you can't recall all the anonymised data and anonymise it differently. It's already out there. Then you'll need to legislate against it, sharpish! Assuming no-one else has already cracked it and is happily, legally, already dropping funeral home ads into the feeds of relatives of a person who doesn't even know his chance of dying in the next 90 days is statistically probable from medical analytics.
So, yeah, legislation against deanonymisation is reasonable. By all means provide an exception and licensing scheme for researchers to try and crack it, under NDA and strict terms. But set the default to illegal, to provide the stick where necessary.