I'm going to say something that might be controversial in healthcare circles: I don't believe in de-identified health data.

Not that it doesn't exist technically, it does. Data can be stripped of obvious identifiers, names, addresses, dates, and processed according to HIPAA Safe Harbor or Expert Determination standards. But the premise that de-identified data actually protects patient privacy? That's a legal fiction that technology is rapidly dismantling.

The Bargain the Industry Made

Healthcare has built an enormous data economy on a simple premise: remove identifying information from patient data, and you can use it without patient consent.

This bargain underpins clinical research using retrospective data, health analytics and population health tools, AI and ML model training, commercial data marketplaces, and benchmarking and quality measurement. Organizations access and monetize patient data every day under the assumption that "de-identified" data isn't really patient data anymore.

Most patients don't know this is happening. They signed a HIPAA authorization for treatment, payment, and healthcare operations. They didn't explicitly consent to their data flowing through de-identification pipelines into commercial uses.

The Re-Identification Problem

Here's what keeps me up at night: de-identified data can increasingly be re-identified.

Research has demonstrated this repeatedly. Demographic combinations are surprisingly unique; date of birth, gender, and ZIP code alone can identify a significant percentage of the US population. Longitudinal patterns act as fingerprints; your specific sequence of diagnoses, procedures, and medications is often unique to you even without a name attached. Cross-dataset matching creates inference pathways — de-identified health data combined with de-identified consumer data combined with public records is often enough. And computational power keeps improving. Attacks that were infeasible five years ago are routine today.

This isn't theoretical. Academic researchers have re-identified patients in supposedly de-identified datasets. The tools and techniques advance constantly.

What concerns me most is the trajectory. Re-identification will only get easier. Moore's Law continues in various forms. Machine learning techniques improve. More datasets become available for correlation. De-identification standards that seem adequate today may be trivially breakable in five years — and the data released under current standards will still exist then. We're creating a future re-identification problem with every "de-identified" dataset we release today.

The Ethical Question Nobody Asks

Even setting aside re-identification risk, there's a question the industry largely avoids: should patient data be monetized without patient knowledge or participation?

The de-identification framework answers yes, remove the identifiers, and consent isn't required. But patients, if actually asked, might see it differently. They might want to know their data is being used commercially. They might want to control which uses they permit. They might want to participate in the value their data creates. They might decline certain uses entirely.

De-identification doesn't give patients any of these choices. It assumes that removing names is sufficient to remove the need for consent. That assumption has always been ethically questionable. It's becoming legally questionable too.

Where This Is Heading

I believe we're moving toward a world where explicit patient consent is required for most uses of health data, regardless of de-identification status. Three trajectories point in the same direction.

The regulatory trajectory: GDPR already takes a stricter approach to health data. State privacy laws in the US are expanding. The direction is toward more consent, not less.

The technology trajectory: as re-identification becomes more feasible, the privacy premise of de-identification weakens. Regulators will eventually respond to that reality.

The public sentiment trajectory: patients are increasingly aware of how their data is used. Trust in healthcare data handling is declining. Political pressure for stronger protections is building.

The question isn't whether consent requirements will expand. It's when.

A Different Model

What if we built infrastructure for explicit patient consent instead of relying on de-identification as a default?

The technical foundation already exists. The 21st Century Cures Act established patient data access rights. FHIR APIs enable programmatic consent flows. The infrastructure is here. What's been missing is the will to move beyond de-identification as the path of least resistance.

A consent-based model looks different: every data use is visible to the patient, who can approve or deny it. Patients have complete visibility into who has accessed their information. When data creates commercial value, patients share in it.

Why This Shapes What I'm Building

This isn't an abstract policy position for me, it directly shapes how we've built Consolidate Health.

We focus on patient-directed data access, where patients explicitly authorize what's shared, with whom, and for what purpose. They can see it happening. They can revoke access. We're building infrastructure for a consent-based future, not a de-identification-dependent present.

Is this harder than accessing de-identified datasets without patient involvement? Yes. Is it more sustainable as technology and regulation evolve? I believe so — and I think the organizations building this way now will be significantly better positioned as privacy expectations tighten.

The de-identification loophole is closing. The only real question is whether you're building for what comes next.