Regulatory Disruption and Arbitrage in Healthcare Data Protection

75 Pages Posted: 5 May 2016 Last revised: 30 Jun 2016

See all articles by Nicolas Terry

Nicolas Terry

Indiana University Robert H. McKinney School of Law

Date Written: May 3, 2016


Regulatory turbulence, disruption and arbitrage presuppose the juxtaposition of at least two regulatory domains. In the simplest case one domain would be highly regulated; the other unregulated. Turbulence and disruption exist on a continuum. Regulatory turbulence may be only transient or, in the scheme of things, relatively benign. Regulatory disruption has more permanent and serious implications. Regulatory arbitrage occurs when a business purposefully exploits disruption, making business choices on the basis of the differential between the two regulatory domains. Policymakers’ persistent, systemic failure to safeguard healthcare data outside the HIPAA domain is now exemplified by the minimal, sub-HIPAA data protection afforded healthcare data either held by data brokers or created by mobile apps and wearables outside of the conventional health care space. The former, healthcare data held by data brokers is an example of regulatory arbitrage. The latter, mobile health is presenting with regulatory turbulence and disruption. This article explains how the structure of U.S. healthcare data protection (specifically its sectoral and downstream properties) has led to a chronically uneven policy environment for different types of healthcare data. It examines claims for healthcare data protection exceptionalism and competing demands such as data liquidity. In conclusion the article takes the position that healthcare data exceptionalism remains a valid imperative and that even current concerns about data liquidity can be accommodated in an exceptional protective model. However, re-calibrating our protection of healthcare data residing outside of the traditional healthcare domain is challenging, currently even politically impossible. Notwithstanding, a hybrid model is envisioned with downstream HIPAA model remaining the dominant force within the healthcare domain, but being supplemented by targeted upstream and point-of-use protections applying to healthcare data in disrupted spaces.

Keywords: HIPAA, Privacy, Security, data protection, health, health policy, health law, big data, mobile health

Suggested Citation

Terry, Nicolas P., Regulatory Disruption and Arbitrage in Healthcare Data Protection (May 3, 2016). Yale Journal of Health Policy, Law, and Ethics, Vol. 17, Indiana University Robert H. McKinney School of Law Research Paper No. 2016-24, Available at SSRN:

Nicolas P. Terry (Contact Author)

Indiana University Robert H. McKinney School of Law ( email )

530 W. New York St
Indianapolis, IN 46202
United States

Do you want regular updates from SSRN on Twitter?

Paper statistics

Abstract Views
PlumX Metrics