HIPAA Was the Floor—Now We Need a Roof
When the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, the internet was still a curiosity. Smartphones didn’t exist. Cloud computing wasn’t even a concept. Yet nearly three decades later, HIPAA remains the bedrock of healthcare privacy regulation in the United States.
That’s a problem.
HIPAA was a critical step in its time. It established foundational protections for patient information and gave the industry a much-needed framework to build on. But it was never designed for the age of artificial intelligence, real-time analytics, remote monitoring, or decentralized digital health ecosystems.
Put simply, HIPAA was the floor—a baseline for safeguarding protected health information (PHI). What we need now is a roof: a new regulatory architecture that reflects the complexity and velocity of modern healthcare.
Because today’s threats, technologies, and ethical questions have outgrown yesterday’s rulebook.
Cracks in the Framework
HIPAA’s core principles—limiting access, ensuring confidentiality, requiring patient consent—still make sense. But its scope and specificity fall short in the face of today’s realities:
- AI-Driven Diagnosis: HIPAA doesn’t require explainability or fairness audits for algorithms making clinical predictions.
- Consumer Health Tech: Fitness apps, wearables, and direct-to-consumer genetic testing tools collect enormous volumes of health data—yet many fall outside HIPAA’s reach.
- Third-Party Ecosystems: As health systems outsource more operations to vendors, HIPAA’s business associate agreements often prove too rigid, outdated, or weakly enforced.
- Data Interoperability: HIPAA doesn’t address the risks introduced by broader data sharing across APIs, HIEs, and patient portals.
- Cybersecurity Threats: The law’s security rule is principles-based but lacks teeth or specificity when it comes to modern ransomware, zero-day exploits, or AI-enabled attacks.
Meanwhile, patients are increasingly confused. Who is responsible for their data? What rights do they actually have when data is de-identified, repackaged, or used to train commercial algorithms?
HIPAA doesn’t offer clear answers. And that’s a trust problem as much as a compliance one.
The Emerging Roof: What We Need
A new framework for health data privacy, security, and ethics must do more than patch the holes. It must elevate the entire structure to meet the demands of a digitally transformed industry.
Here’s what that roof should include:
1. Cross-Sector Data Protection
Health data is no longer confined to hospitals and clinics. It’s generated by apps, social platforms, smart homes, and more. A modern privacy framework must extend beyond HIPAA-covered entities to include any organization that handles sensitive health-related data.
The proposed American Data Privacy and Protection Act (ADPPA) is a starting point—but it needs alignment with healthcare-specific realities.
2. AI and Algorithmic Accountability
AI systems used in care delivery should be subject to transparency, explainability, bias testing, and performance monitoring. Patients should have the right to know when an AI influences their care—and what recourse they have if it fails.
Think of it as an FDA label for algorithms.
3. Real-Time Breach Response Standards
Ransomware and data theft are not rare events—they’re weekly realities. We need clearer, faster breach notification rules, coordinated federal response frameworks, and enforceable minimum security standards that go beyond self-assessments.
4. Stronger Patient Consent Models
Today’s consent processes are vague, transactional, and difficult to understand. We need layered, contextual, and digital-first consent models that reflect the complexity of modern data use—including downstream analytics, research, and third-party access.
Consent should not be a one-time checkbox. It should be a continuous, informed relationship.
5. Ethical Use Requirements
Beyond privacy, we must grapple with the ethics of how health data is used. Does it reinforce inequity? Is it sold to advertisers? Is it used to train models that patients will never benefit from?
We need enforceable guidelines for ethical data stewardship, not just technical compliance.
The Role of Healthcare Leaders
While we wait for regulators to act, healthcare leaders can’t afford to stay passive. There are steps organizations can take now to build above the floor:
- Create internal AI and data ethics boards to review how data is collected, shared, and used.
- Vet vendors rigorously—not just for HIPAA compliance, but for security posture, bias risk, and transparency.
- Educate patients about what data is being collected, by whom, and why.
- Adopt zero-trust cybersecurity models that assume breach and verify continuously.
- Push for clarity—from regulators, associations, and policymakers—on the evolving definitions of privacy and harm.
The digital health revolution cannot succeed on a 1996 foundation. We need leaders who are ready to help frame the future.
Building the Future on Trust
At its heart, HIPAA was about trust. Trust that patient data would be protected. Trust that health information wouldn’t be misused. Trust that the system cared.
That same trust is at stake now—but the architecture must evolve.
The question we face is no longer “Are we HIPAA compliant?” but “Are we worthy of patient trust in a digital age?”
Compliance is the floor.
Trust is the roof.
It’s time we build accordingly.