Counterpoint
Hal Andrews | September 3, 2025

HIPAAcracy: The Real Constraint on Innovation in Healthcare Technology
On July 30, the White House and the Centers for Medicare and Medicaid Services (CMS) held a “Make Health Tech Great Again” event to build “a smarter, more secure, and more personalized healthcare experience in partnership with innovative private sector companies.”[1] The idea that “health tech” has ever been great is a curious one, despite the seemingly unending number of venture capital firms funding start-ups by entrepreneurs convinced they can solve healthcare’s myriad issues based upon a single encounter with the healthcare system. Many of those entrepreneurs – particularly those from California – recall Elvis Presley’s “Fools Rush In” in their zeal to solve problems that do not exist. My favorite recurring example is “tech bros” who think they can improve HCA’s revenue cycle management.
Even so, the opportunity to improve healthcare with technology is seemingly endless. When, in 1996, I first began to deploy a technology now called telehealth, technology was the problem, or at least the limiting factor. Trying to deliver board-certified radiology services 24/7 to patients in Pahrump, NV, DeFuniak Springs, FL and Houlton, ME using frame-relay and POTS (plain old telephone system) was exceptionally difficult.
In 2025, technology is no longer the issue. Regulation is.
There are dozens, if not hundreds, of very clever technology solutions that could potentially improve healthcare, particularly the perennially increasing administrative tasks that cost more than patient care.
But for those technologies that could materially improve administrative efficiency or clinical quality or revenue cycle management, there is a massive elephant in the room: the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Like many acts of Congress, HIPAA was well-intentioned, if naïve. In 1996, when Netscape and Microsoft were fighting for browser dominance and patient records were kept almost exclusively in paper charts and transferred via courier or fax, the only electronic media in use in healthcare settings were digital images for radiology studies. Post-HITECH, the Federal government has effectively forced almost 20% of the U.S. economy to adopt electronic medical records. What began as an attempt to stop people from leaving patient records lying around medical facilities has now mushroomed into a punitive system that treats the law as a hammer and every piece of patient data as a nail.
Keeping medical information private seems like a noble ideal, even if apparently every other part of a person’s information is fair game, whether for Google or Facebook or the NSA or some 17-year-old in North Korea. However, the practical result of HIPAA is that every healthcare provider wants to shift an undefinable business risk enforced by the Federal government to their technology vendors.
There is an easy solution used frequently by the Federal government: a “safe harbor” for HIPAA. HHS has longstanding “safe harbor” regulations for various business practices and relationships that could be viewed as a violation of Medicare and Medicaid regulations but, within the safe harbor, are not.
Occasionally, people who work for healthcare systems are curious about a particular case or a famous patient, and they inappropriately access that patient’s record. That behavior is obviously wrong and should be punished. But the vast majority of data breaches are inadvertent or stupid, not nefarious.
The lack of a safe harbor for HIPAA creates enormous friction costs, in terms of legal fees, security reviews and extended time to deployment, if at all. While healthcare providers act somewhat rationally when they ask for unlimited liability from their vendors, non-monopolistic technology vendors are ill-equipped to provide that financial reassurance. Even so, the “unlimited liability” approach is short-sighted, as a vendor subject to unlimited liability for one customer could theoretically face bankruptcy for a breach incident, rendering the vendor incapable of providing services for other customers that were unaffected by that incident.
Although the Federal government has repeatedly demonstrated its inability to prevent bad actors from accessing data that is much more valuable than PHI, the Federal government never punishes itself. Although most data breaches are focused on using PHI for other purposes, such as financial fraud, the Federal government is more lenient with other sectors, such as the financial services industry, when customer data is stolen for the same purpose as the theft of PHI.
In contrast, the Department of Health and Human Services has consistently levied massive fines for PHI breaches. In some instances, the actual breach was the fact that data was on a laptop that was stolen. Is it dumb to leave your laptop in plain view in your car? Sure. Is it likely that the people who steal laptops out of cars are looking for PHI? No. If a thief finds PHI on a stolen laptop, is it likely that they will rejoice over having a copy of someone’s medication history? Doubtful.
The adoption of technology, particularly for healthcare interoperability, would rapidly accelerate if healthcare providers and their vendors knew that there was a safe harbor for breaches that were not grossly negligent or for some nefarious purpose. The Federal government’s failure to create a safe harbor in 1996 when Internet adoption was nascent was completely understandable; failing to have done that in 2025 suggests that the Federal government still doesn’t understand the practical barriers to a digital health economy.