The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?

Is it possible to advance interoperability while protecting privacy? This series explores the tensions and possible resolutions in achieving these goals.

“We need a new generation of laws to govern a new generation of tech.”

–Brad Smith, President and Chief Legal Officer, Microsoft

Welcome to the Roadmap page of THCB’s series: “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?”

On this page you’ll find:

The Scope of the Series

Once upon a time, there lived a little girl whose name was Goldilocks. She was a wise girl who was aware that there was great value in health data. One day she decided to go for a walk in the forest of the U.S. healthcare system. 

Goldilocks learned that there are risks of TOO LITTLE health data being shared:

  • That she and her care providers would not have the best information for clinical decision making
  • That clinical researchers would be stifled from conducting groundbreaking analyses and studies
  • That next generation technologies, which rely on vast quantities of data (e.g., AI and machine learning) could be suffocated
  • That the promises of personalized medicine would be repressed

She also learned that there are risks of TOO MUCH health data being shared:

  • That her privacy and personal safety could be violated
  • That trust in care providers and the healthcare system would be eroded
  • That the value created by health care data would be captured by third parties, e.g., large technology companies

How did we get to this Goldilocks Dilemma — where there are risks of TOO LITTLE or TOO MUCH health data being shared? Federal health policy has been geared toward advancing two seemingly conflicting goals:

  1. Broader data interoperability and data sharing, and
  2. Enhanced data privacy and data protection.

On the one hand, public policy has been striving to advance widespread data interoperability and data sharing. More than two decades of Federal legislation have contributed: HIPAA, the HITECH Act, the 21st Century Cures Act.

Health IT interoperability and data sharing are widely viewed as having many benefits: improving care quality and care coordination, lowering costs, liberating data to turbocharge AI and machine learning, clinical research, and personalized medicine.

On the other hand, the public has become increasingly concerned that tech companies and governments have increasingly broad access to all types of personal data. Think — Cambridge Analytica, Russian election interference, Facebook scandals, “techlash” against Silicon Valley giants, European GDPR and U.S. state privacy legislation. Most recently, the U.S. Congress has been considering sweeping legislation to revamp privacy and data protection laws.

Is it possible to advance data sharing and interoperability while protecting privacy? This series explores the tensions involved in the Goldilocks Dilemma and possible ways to resolve them.

A list of Posts Published and Pending

An Invitation to Guest Authors

We invite guest authors to submit posts. We encourage a broad range of points-of-view relating to policy, technology, clinical care, law, business models & strategy, or other areas of interest to THCB readers.

If you would like to contribute a piece to the series, please email it to

Possible topics for future posts:

  • How could federal legislation address clinical researchers’ needs for patient data?
  • How is Europe’s GDPR legislation affecting healthcare?
  • Resolving potential tension between privacy legislation (limiting data sharing) vs. ONC/CMS NPRM etc. (encouraging data sharing)
  • Patient perspectives on privacy: privacy maximizers vs. privacy optimizers
  • How should federal legislation address the challenges of next-generation technologies?
  • States vs Feds: Why is federal preemption such a big issue?
  • Ethical issues relating to privacy legislation/data protection
  • New business models enabled by privacy/data protection legislation
  • Others?

Brief Bios of the Series Hosts – Vince Kuraitis and Deven McGraw

Vince Kuraitis, JD/MBA (@VinceKuraitis) is an independent healthcare strategy consultant with over 30 years’ experience across 150+ healthcare organizations. He blogs at A more extensive bio is available here.

Deven McGraw, JD, MPH, LLM (@healthprivacy) is the Chief Regulatory Officer at Ciitizen (and former official at OCR and ONC). She blogs at Medium. A more extensive bio is available here.

An Updated List of Congressional Privacy Legislation

The tables below list COMPREHENSIVE and FOCUSED privacy/data protection legislation currently in front of Congress. We’ll keep these tables updated as new bills are introduced. You can access and download the tables here.

The National Conference of State Legislatures also tracks state legislation relating to consumer data privacy.
