The following is a guest article by John Roach, President at Resultant
Common Misconceptions about Data Regulations are Stifling Healthcare Innovation
At a packed panel discussion at CES on health data privacy earlier this year, I made a confession on stage that made several attorneys in the audience visibly uncomfortable: I think healthcare’s legal departments are often the biggest barrier to innovation, and to better patient outcomes.
Let me explain why I believe this, and why it matters far beyond healthcare.
The Compliance Trap
First, I must acknowledge the complexity. Healthcare organizations face HIPAA, HITECH, state privacy laws, FDA regulations, FTC oversight, and increasingly, sector-specific AI governance rules. It’s genuinely complicated.
But stepping back, as a consumer and as a citizen, I think expectations are straightforward. If an organization is going to collect our data, we expect them to comply with privacy regulations. Full stop. And increasingly, people assume that compliance is not optional or impressive. It’s simply the baseline.
At the same time, there is a growing expectation that if organizations and governments are collecting this data, they have a responsibility to use it to improve services and outcomes.
This is where things break down.
The General Counsel Problem
I’ve worked closely with a lot of general counsels. And if you ask many of them what their job is, they’ll joke that it’s to keep someone out of jail. The safest way to do that is often to say no.
And while that instinct is understandable, I do not think it is the right default mindset.
Here’s what this looks like in practice: A healthcare system wants to identify patients at high risk for readmission so they can provide preventive care. The data science team can build the model. The clinical team sees the value. But the legal team kills the project. While it doesn’t violate the regulations, it might create risk, and navigating the compliance framework seems too complex.
Meanwhile, that same patient’s behavioral data is flowing freely from their smartwatch to a third-party app to a data broker, with almost no legal protection. The organization that could actually use the data to improve care is paralyzed. The organization selling the data to the highest bidder faces minimal constraints.
The contradiction is absurd.
Reframing the Question
What I’ve seen work is a push from organizational leadership to reframe the question. Not “can we do this?” but “how do we do this responsibly?” That means creating value from data within a complex legal framework, not avoiding the framework altogether.
The most effective organizations change the internal posture from “no” to “yes, but with guardrails.” Yes, we will protect privacy. Yes, we will comply with regulations. And yes, we will still find ways to responsibly use data to improve how we serve people.
Most regulatory frameworks ultimately point back to the same underlying security standards, often those put forth by the National Institute of Standards and Technology. So while it’s harder, it’s not unknowable. The bigger obstacle is organizational courage and the willingness to do the hard work of building proper governance.
Playing the Long Game
Here’s where I’m going to talk out of both sides of my mouth, because I think we have to hold two truths at once.
First, what data are we actually protecting? Historically, no one really envisioned the secondary use of the data being collected. In healthcare, especially, data existed to support transactional and clinical needs. You had to bill correctly. A physician needed to know what happened at the last visit. That was the core purpose.
What we’re realizing now is that this same data has enormous downstream potential to influence health outcomes. But these outcomes also operate on very long-term horizons. The characteristic timeframe for influence can be decades.
That means organizations have to think differently. You need to be extremely thoughtful about what data you collect and why you collect it. It should have a clear purpose and a clear rationale for being maintained.
At the same time, technology is a moving target. There may be things we can do with this data in 10 or 20 years that we cannot imagine today, and those insights may align perfectly with those long health timelines.
So the challenge is holding both truths at once: Be intentional and disciplined about data collection, while recognizing that responsible stewardship today can unlock powerful future value tomorrow.
A Technical Solution to a Trust Problem
There is an emerging approach that actually points the way forward. Historically, organizations would hand over large datasets to researchers or partners and hope their controls were sufficient. That introduces real risk, and it’s one reason legal teams default to “no.”
Instead of moving data to people, we’re increasingly bringing people to the data. Secure, virtual data environments allow researchers to analyze sensitive data where it lives, using familiar tools, without ever taking custody of the raw data.
This addresses both the legal risk and the trust gap. It enables insight while maintaining control. And it changes the calculus for organizations that have been sitting on valuable data, afraid to use it.
Organizations that get this right build trust not by limiting insight, but by designing systems that enable insight safely, transparently, and with clear accountability.
The Stakes
Every industry is facing some version of this challenge: the tension between data’s value and data’s risk. And every organization has lawyers whose job is to minimize liability.
But in healthcare, the stakes are literally life and death. When we fail to use data that could prevent disease, reduce suffering, or catch problems early, people get hurt. When we fail to combine social determinants data with clinical data because it’s “too complex,” we miss the opportunity to address health inequities at their root.
The regulatory environment isn’t going to get simpler. AI is going to make these questions more urgent, not less. And with healthcare costs rising at the fastest rate in 15 years, advanced data analytics could bend that curve. But only if we’re brave enough to use it.
About John Roach
John Roach is President at Resultant, a data and technology consultancy. John started Resultant’s data analytics practice in 2013, which laid the groundwork for capabilities that extend to nearly every client engagement today. Resultant specializes in data solutions for healthcare organizations across sectors, including Retina Consultants of America (acquired by Cencora), Children’s Hospital Association, and the Indiana Department of Health and Human Services.
The following is a guest article by 