HIPAAcracy: The Real Constraint on Innovation in Healthcare Technology

On July 30, the White House and the Centers for Medicare and Medicaid Services (CMS) held a “Make Health Tech Great Again” event to build “a smarter, more secure, and more personalized healthcare experience in partnership with innovative private sector companies.”1 The idea that “health tech” has ever been great is a curious one, despite the seemingly unending number of venture capital firms funding start-ups by entrepreneurs convinced they can solve healthcare’s myriad issues based upon a single encounter with the healthcare system. Many of those entrepreneurs – particularly those from California – recall Elvis Presley’s “Fools Rush In” in their zeal to solve problems that do not exist. My favorite recurring example is “tech bros” who think they can improve HCA’s revenue cycle management.

Even so, the opportunity to improve healthcare with technology is seemingly endless. When, in 1996, I first began to deploy a technology now called telehealth, technology was the problem, or at least the limiting factor. Trying to deliver board-certified radiology services 24/7 to patients in Pahrump, NV, DeFuniak Springs, FL and Houlton, ME using frame relay and POTS (plain old telephone service) was exceptionally difficult.

In 2025, technology is no longer the issue. Regulation is.

There are dozens, if not hundreds, of very clever technology solutions that could potentially improve healthcare, particularly the perennially increasing administrative tasks that cost more than patient care. 

Admin Expenses and Direct Patient Care Expenditures at U.S. Hospitals

But for those technologies that could materially improve administrative efficiency or clinical quality or revenue cycle management, there is a massive elephant in the room: the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


Like many acts of Congress, HIPAA was well-intentioned, if naïve. In 1996, when Netscape and Microsoft were fighting for browser dominance and patient records were kept almost exclusively in paper charts and transferred via courier or fax, the only electronic media in use in healthcare settings were digital images for radiology studies. Post-HITECH, the Federal government has effectively forced almost 20% of the U.S. economy to adopt electronic medical records. What began as an attempt to stop people from leaving patient records lying around medical facilities has now mushroomed into a punitive system that treats the law as a hammer and every piece of patient data as a nail.


Keeping medical information private seems like a noble ideal, even if apparently every other part of a person’s information is fair game, whether for Google or Facebook or the NSA or some 17-year-old in North Korea. However, the practical result of HIPAA is that every healthcare provider wants to shift an undefinable business risk enforced by the Federal government to their technology vendors. 


There is an easy solution used frequently by the Federal government: a “safe harbor” for HIPAA. HHS has longstanding “safe harbor” regulations for various business practices and relationships that could be viewed as a violation of Medicare and Medicaid regulations but, within the safe harbor, are not. 


Occasionally, people who work for healthcare systems are curious about a particular case or a famous patient, and they inappropriately access that patient’s record. That behavior is obviously wrong and should be punished. But the vast majority of data breaches are inadvertent or stupid, not nefarious. 


The lack of a safe harbor for HIPAA creates enormous friction costs, in terms of legal fees, security reviews and extended time to deployment, if at all. While healthcare providers act somewhat rationally when they ask for unlimited liability from their vendors, non-monopolistic technology vendors are ill-equipped to provide that financial reassurance. Even so, the “unlimited liability” approach is short-sighted, as a vendor subject to unlimited liability for one customer could theoretically face bankruptcy for a breach incident, rendering the vendor incapable of providing services for other customers that were unaffected by that incident.


Although the Federal government has repeatedly demonstrated its inability to prevent bad actors from accessing data that is far more valuable than PHI, the Federal government never punishes itself. And even though most PHI breaches aim at other ends, such as financial fraud, the Federal government is more lenient with other sectors, such as the financial services industry, when customer data is stolen for exactly the same purpose.

In contrast, the Department of Health and Human Services has consistently levied massive fines for PHI breaches. In some instances, the actual breach was the fact that data was on a laptop that was stolen. Is it dumb to leave your laptop in plain view in your car? Sure. Is it likely that the people who steal laptops out of cars are looking for PHI? No. If a thief finds PHI on a stolen laptop, is it likely that they will rejoice over having a copy of someone’s medication history? Doubtful. 


The adoption of technology, particularly for healthcare interoperability, would rapidly accelerate if healthcare providers and their vendors knew that there was a safe harbor for breaches that were not grossly negligent or for some nefarious purpose. The Federal government’s failure to create a safe harbor in 1996 when Internet adoption was nascent was completely understandable; failing to have done that in 2025 suggests that the Federal government still doesn’t understand the practical barriers to a digital health economy. 

Hal Andrews, President & CEO, Trilliant Health

By the Numbers

Among a selected list of best hospitals, within the same hospital, the rates paid by Aetna and UHC differed by an absolute average of $31,941 for the same procedure. As an example, at Tufts Medical Center the Aetna negotiated rate was $95,989 for a coronary bypass procedure (MS-DRG 235) while the UHC negotiated rate was $144,204, an absolute difference of $48,215.

Negotiated Rates for Selected Hospitals by Payer

Connecting Dots

💰 Limited by issues related to data accessibility, historical analyses of healthcare prices have reported state- or market-level averages or lazy heuristics like “percent of Medicare” that have limited practical applications for employers or policymakers and are meaningless for consumers. Unlike the historical literature, our latest report analyzes the health plan price transparency files to reveal unexplainable differences in the actual negotiated rates for hospital and non-hospital procedures. Read the full report.

📋 CMS’s renewed proposal to eliminate the Medicare Inpatient Only (IPO) list represents not only a regulatory policy shift, but a broader inflection point in the delivery of surgical care. If finalized, the policy is expected to accelerate the shift of surgical care from inpatient to HOPDs and ASCs. If past is prologue, health systems can expect to lose more than 50% of their inpatient volume to ambulatory settings in the three years following the removal of a code from the IPO list. More in our latest Playbook.

⚖️ Now that negotiated rates are public, employers face both heightened risk and opportunity. Under ERISA, employers are obligated to provide cost-effective benefits, and health plan price transparency shifts responsibility onto them to choose high-value plans and use their market leverage to curb excessive costs. Ignoring this exposes employers to legal and financial risk, while embracing it creates opportunities for meaningful savings and better value — making health plan selection a strategic business imperative. Our Chief Research Officer discusses our new report with Fierce Healthcare. 

Points to Ponder

→ North Carolina’s House Bill 67, which introduces an “internationally-trained physician employee license” to address rural physician shortages, is a superficial and risky fix that sidesteps the deeper issues of the crisis. While intended to expand access, the bill lowers licensing standards, risks fraud and provides no guarantee of long-term rural service. Most importantly, it fails to address the root causes of physician shortages: excessive regulations, reimbursement cuts and administrative burdens have driven independent practices out of rural areas and funneled doctors into urban hospital systems. By relying on foreign-trained physicians as a stopgap, HB 67 perpetuates a broken system instead of dismantling barriers, expanding residency programs or incentivizing U.S.-trained doctors to serve rural communities. (Dr. Anish Koka’s Newsletter) 

Trilliant Health, 2 Maryland Farms, Ste 200, Brentwood, TN, 37027
