Regulatory Disruption and Arbitrage in Healthcare Data Protection

75 Pages Posted: 5 May 2016 Last revised: 30 Jun 2016

See all articles by Nicolas Terry

Nicolas Terry

Indiana University Robert H. McKinney School of Law

Date Written: May 3, 2016

Abstract

Regulatory turbulence, disruption and arbitrage presuppose the juxtaposition of at least two regulatory domains. In the simplest case one domain would be highly regulated; the other unregulated. Turbulence and disruption exist on a continuum. Regulatory turbulence may be only transient or, in the scheme of things, relatively benign. Regulatory disruption has more permanent and serious implications. Regulatory arbitrage occurs when a business purposefully exploits disruption, making business choices on the basis of the differential between the two regulatory domains. Policymakers’ persistent, systemic failure to safeguard healthcare data outside the HIPAA domain is now exemplified by the minimal, sub-HIPAA data protection afforded healthcare data either held by data brokers or created by mobile apps and wearables outside of the conventional health care space. The former, healthcare data held by data brokers is an example of regulatory arbitrage. The latter, mobile health is presenting with regulatory turbulence and disruption. This article explains how the structure of U.S. healthcare data protection (specifically its sectoral and downstream properties) has led to a chronically uneven policy environment for different types of healthcare data. It examines claims for healthcare data protection exceptionalism and competing demands such as data liquidity. In conclusion the article takes the position that healthcare data exceptionalism remains a valid imperative and that even current concerns about data liquidity can be accommodated in an exceptional protective model. However, re-calibrating our protection of healthcare data residing outside of the traditional healthcare domain is challenging, currently even politically impossible. Notwithstanding, a hybrid model is envisioned with downstream HIPAA model remaining the dominant force within the healthcare domain, but being supplemented by targeted upstream and point-of-use protections applying to healthcare data in disrupted spaces.

Keywords: HIPAA, Privacy, Security, data protection, health, health policy, health law, big data, mobile health

Suggested Citation

Terry, Nicolas P., Regulatory Disruption and Arbitrage in Healthcare Data Protection (May 3, 2016). Yale Journal of Health Policy, Law, and Ethics, Vol. 17; Indiana University Robert H. McKinney School of Law Research Paper No. 2016-24. Available at SSRN: https://ssrn.com/abstract=2774471

Nicolas P. Terry (Contact Author)

Indiana University Robert H. McKinney School of Law ( email )

530 W. New York St
Indianapolis, IN 46202
United States

Register to save articles to
your library

Register

Paper statistics

Downloads
113
Abstract Views
630
rank
242,150
PlumX Metrics