07 July 2016

Apps, Privacy and Regulatory Arbitrage

'Regulatory Disruption and Arbitrage in Healthcare Data Protection' by Nicolas Terry in (2016) 17 Yale Journal of Health Policy, Law, and Ethics argues:
Regulatory turbulence, disruption and arbitrage presuppose the juxtaposition of at least two regulatory domains. In the simplest case one domain would be highly regulated; the other unregulated. Turbulence and disruption exist on a continuum. Regulatory turbulence may be only transient or, in the scheme of things, relatively benign. Regulatory disruption has more permanent and serious implications. Regulatory arbitrage occurs when a business purposefully exploits disruption, making business choices on the basis of the differential between the two regulatory domains.
Policymakers’ persistent, systemic failure to safeguard healthcare data outside the HIPAA domain is now exemplified by the minimal, sub-HIPAA data protection afforded healthcare data either held by data brokers or created by mobile apps and wearables outside of the conventional health care space. The former, healthcare data held by data brokers, is an example of regulatory arbitrage. The latter, mobile health, is presenting with regulatory turbulence and disruption. This article explains how the structure of U.S. healthcare data protection (specifically its sectoral and downstream properties) has led to a chronically uneven policy environment for different types of healthcare data. It examines claims for healthcare data protection exceptionalism and competing demands such as data liquidity. In conclusion, the article takes the position that healthcare data exceptionalism remains a valid imperative and that even current concerns about data liquidity can be accommodated in an exceptional protective model. However, re-calibrating our protection of healthcare data residing outside of the traditional healthcare domain is challenging, currently even politically impossible. Notwithstanding, a hybrid model is envisioned with the downstream HIPAA model remaining the dominant force within the healthcare domain, but being supplemented by targeted upstream and point-of-use protections applying to healthcare data in disrupted spaces.