The University of New Hampshire Law Review
Abstract
Artificial Intelligence is rapidly altering the landscape of many industries, and for some, faster than the law can keep up, leaving those industries unprotected from AI-related concerns. For the healthcare industry in particular, the integration of AI presents large-scale data privacy concerns. The current law protecting patient data privacy, the Health Insurance Portability and Accountability Act (“HIPAA”), is potentially already outdated and inadequate; concerns about HIPAA’s efficacy have long existed, and AI’s integration has only solidified this concern. It is potentially inadequate because of a provision within the law itself: deidentification. HIPAA allows healthcare providers to remove identifying information from a data set (i.e., deidentify) and then transmit that data set to a third party. The concern with deidentification is that, by statute, data is considered deidentified once the healthcare provider performs a series of steps; that status does not actually correspond to the risk of reidentification of the data. Thus, a paradox exists whereby the thing HIPAA seeks to protect, patient data, is easily exposed because of the inadequacy within HIPAA itself, particularly in the age of AI. Most alarmingly, if and when patient data is exposed, aggrieved patients have no avenues for recovery because healthcare providers are in compliance with the law. Therefore, HIPAA needs to be rapidly amended to close this loophole and ensure that it still accords with its original goal of patient data protection.
Repository Citation
Jessica Novak, Is HIPAA Still Protecting Your Medical Data? An Analysis of Deidentification as a Security Measure in the Age of AI., 24 U.N.H. L. Rev. 535 (2026).