This article is part of Access Partnership’s series ‘The New Privacy Playbook: Adapting to a Shifting Global Landscape’, which explores the evolving landscape of data governance – highlighting both the obstacles and the innovations emerging across sectors and regions.
The current state of healthcare data fragmentation in the US
Healthcare finds itself at a critical intersection where patient data, while increasingly valuable, remains fragmented across numerous systems and institutions. The US healthcare data ecosystem is complex, comprising components like Electronic Health Records (EHRs), insurance claims, clinical trials, wearable devices, and genomic data. Despite the potential of these diverse data sources to enhance patient care, their fragmentation poses challenges to achieving integrated and efficient healthcare delivery.
This fragmentation persists largely due to privacy regulations that, while well-intentioned, have created data silos that impede optimal patient care and scientific advancement.
Cultural and institutional factors have further reinforced data silos. Healthcare organisations often view data as a competitive asset, leading to reluctance in sharing information that could benefit competitors. Concerns about liability and data breaches also contribute to the hesitancy in data sharing. Many healthcare organisations operate legacy systems incompatible with modern interoperability standards, and proprietary data formats worsen integration challenges.
Privacy regulations: intentions vs. outcomes
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established national standards for protecting sensitive patient information while enabling the flow of health information needed to provide quality care. A major goal of the Security Rule is to protect the security of individuals’ ePHI (protected health information) while allowing regulated entities to adopt new technologies that improve the quality and efficiency of health care.
Over time, interpretations of HIPAA and varying state laws have evolved significantly. Healthcare organisations, responding to potential penalties and liability concerns, have often adopted conservative interpretations of privacy rules. Legal departments typically exercise caution when evaluating data-sharing requests, frequently defaulting to restrictive approaches even when regulations might permit broader sharing options.
This ‘privacy-as-default’ approach has produced several unintended consequences. Researchers face administrative barriers to collecting sufficient data for meaningful studies, and clinicians sometimes lack comprehensive patient information from other providers. Privacy restrictions limit analytical tools that could identify patterns across large populations.
Patients often bear the brunt of these fragmented systems, facing repeated tests, delayed treatments, and increased frustration, ultimately compromising the quality of care. A 2020 survey found that 67% of consumers said every step of the healthcare process is an inconvenience. Financially, data fragmentation contributes to inefficiencies that escalate healthcare costs: a recent study estimated that 20-25% of US healthcare spending, approximately USD 1 trillion, is wasted, with 50-75% of this waste potentially eliminable through updated and shared electronic medical platforms. Addressing these issues requires a concerted effort to harmonise regulations, modernise technical infrastructures, and cultivate a culture of collaboration within the healthcare industry.
Case studies in overcoming silos while preserving privacy
Bridging data silos while preserving patient privacy is a major global challenge, yet several pioneering efforts offer promising case studies. Estonia’s national health information system stands out as a global benchmark. Launched in 2008, the country’s system integrates data across all levels of care – primary, specialist, emergency, and public health – using a secure, blockchain-backed infrastructure. Citizens have a unique digital ID enabling them to access their records and control who can view them, fostering transparency and trust. The success of Estonia’s system stems from a strong legal framework, early investment in digital infrastructure, and a culture that values patient privacy and efficiency.
In the United States, the Mayo Clinic has tackled siloed data through its clinic platform. Built to enable AI-driven research and clinical decision support, the platform harmonises data from EHRs, imaging systems, lab results, and genomic data, while employing advanced de-identification and federated learning techniques. These innovations ensure that sensitive patient data remains secure and private, even as it is used to drive research and clinical improvements. By using a platform model, Mayo Clinic also enables collaboration with external partners while retaining strict data governance protocols.
Finally, the COVID-19 pandemic prompted unprecedented levels of rapid data sharing. Emergency use authorisations, temporary regulatory waivers, and public-private partnerships, such as the CDC’s COVID Data Tracker and Johns Hopkins’ global dashboard, allowed health systems, governments, and researchers to share critical information in real time. Despite the urgency, privacy-preserving practices such as aggregated reporting, contact-tracing protocols with anonymisation, and open-source APIs helped balance public health needs with individual patient rights.
Technological and policy solutions
Innovative technical solutions are playing a critical role in overcoming healthcare data silos while preserving patient privacy:
- Federated learning and distributed analytics allow institutions to collaboratively train machine learning models without moving sensitive data from its source, thereby minimising privacy risks.
- Privacy-preserving computation methods – such as homomorphic encryption and secure multi-party computation – enable data analysis without exposing raw data, maintaining confidentiality while enabling insight generation.
- The adoption of standardised APIs and frameworks like Fast Healthcare Interoperability Resources (FHIR) has further enabled interoperability across disparate systems, allowing different healthcare providers to exchange information in a structured, secure, and scalable manner.
- Blockchain technology is being explored to create tamper-proof audit trails and decentralised consent management systems, offering patients greater visibility and control over how their data is used.
On the policy side, several forward-thinking approaches are complementing technical innovations to promote responsible data sharing:
- Tiered consent models allow individuals to authorise different levels of data access depending on sensitivity – such as distinguishing between anonymised research use and identifiable clinical use – thus respecting patient preferences while enabling broader utility.
- Policies that establish presumed data shareability for treatment, with opt-out provisions, are helping shift the default from ‘closed by default’ to ‘open with safeguards’. Streamlined research access protocols, supported by data-use agreements and governance frameworks, are reducing bureaucratic hurdles while maintaining accountability.
- Perhaps most importantly, the push for consistent national standards – rather than a patchwork of conflicting state regulations – is emerging as a critical enabler of interoperability and equitable data access across the healthcare system.
Through careful policy analysis, stakeholder engagement, and technical expertise, healthcare institutions can protect patient privacy while unlocking the full potential of their data. Access Partnership’s specialised advisory team works with health sector stakeholders to develop tailored strategies for navigating the intersections of technology, policy, and healthcare delivery.
For organisations interested in optimising healthcare data governance or in contributing to policy developments in this space, please contact Nada Ihab at [email protected] and Trey Flowers at [email protected].
