Regulatory Arbitrage in the AI-Healthcare Industry: How Private Equity Exploits Gaps Between HIPAA and Modern Data Privacy Law

David Park

Over the last decade, the rapid development of Artificial Intelligence (AI) technology has fueled an unprecedented expansion of private equity investment in the American healthcare industry.[1] In 2024 alone, private equity funds deployed a record $115 billion in healthcare acquisitions, while AI-enabled health startups accounted for over sixty percent of all digital health financing in early 2025.[2] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) remains the central federal statute governing medical privacy.[3] Despite decades of effort to close gaps that allow individuals’ health data to be exploited, government regulation has yet to “catch up” with the new methods of exploitation made possible by fast-paced technological innovation and creative business models.

Currently, the biggest loophole in HIPAA’s regulatory scheme is that its coverage is too limited. Over the years, the definition of covered entities and transactions has expanded to include any individual or company that provides services on behalf of a HIPAA-covered entity.[4] However, the rapid development of AI models poses a risk of bypassing the federal regulations: once Personal Health Information (PHI) is transferred to a personal device, that data is no longer protected under HIPAA.[5] Furthermore, companies such as Google or Microsoft that integrate AI chatbot systems into their services create substantial privacy risks through those systems’ ability to re-identify de-identified data sets of the American public.[6]

The risk to public health data is further exacerbated by Private Equity (PE) firms, which have significant incentives to exploit regulatory loopholes due to the nature of their business.[7] PE firms have entered the healthcare industry at an accelerating rate, reaching a deal value of $115 billion in 2024.[8] The PE business model, which relies on substantial debt or leverage and carries the obligation to generate the maximum profit in the shortest amount of time, does not align with the moral standards required in health data privacy.[9] By employing strategies such as Management Services Organizations (MSOs), which allow independent physician practices to consolidate administrative functions while maintaining clinical autonomy, PE firms shield themselves from liability and regulatory compliance.[10] The merger of AI technology with the healthcare sector, as employed by PE firms, creates almost endless new loopholes each time HIPAA is amended to “catch up” with the most pressing issues.

Both federal and state governments are well aware of the rising privacy concerns in the healthcare sector and are actively working to find a lasting solution. The Trump administration has made significant legislative changes that specifically address the healthcare industry through the appointment of key officials in the Department of Health and Human Services (HHS).[11] In a joint alliance, the FTC, DOJ, and HHS have launched a cross-governmental public inquiry into PE firms to solicit public comment on deals conducted by health systems and private equity firms.[12] State legislatures have also targeted private equity-backed healthcare transactions by enacting laws that subject those transactions to the utmost scrutiny.[13]

However, many scholars are skeptical of the government’s recent approach, arguing that the risk to health data privacy will never be entirely eliminated because future developments in AI technology will continue to open new regulatory loopholes.[14] Thus, it may be time to switch gears and approach the issue differently. One proposal is to amend HIPAA by shifting the focus to the nature of the data, rather than the entity that produces the data or the place to which it is transmitted.[15] In other words, any entity that handles health-related data would be subject to HIPAA compliance. The European Union General Data Protection Regulation (GDPR) of 2016 offers useful examples of how such an approach can operate.[16]

Additionally, scholars have recently recommended integrating ethical standards into the healthcare and AI sector through blockchain technology. The blockchain’s attributes of decentralization, immutability, and transparency complement AI’s capabilities while enhancing the security, privacy, and efficiency of healthcare systems.[17] The biggest benefit of blockchain technology is its decentralized method of data storage and access control.[18] The self-executing nature of blockchain-based smart contracts eliminates the need for intermediaries and reduces the potential for human error when handling sensitive health data.

In conclusion, the HIPAA framework looks nearly obsolete in the eyes of many critics, as decades of history without resolution have shown. The explosive growth of AI technology and the attention of PE firms have raised privacy concerns to an alarming level. At this time, the key components that must be addressed are (1) ensuring transparency in the ownership structure of PE firms; (2) imposing strict requirements on medical organizations to establish robust data privacy policies; and (3) mandating blockchain technology focused on protecting the data itself.


[1] See Bain & Co., Global Healthcare Private Equity Deal Value Soared to $115 Billion in 2024 (2024), https://www.bain.com/about/media-center/press-releases/2024/spurred-by-megadeals-global-healthcare-private-equity-deal-value-soared-to-$115-billion-in-2024-the-second-highest-total-on-record/.

[2] See id.

[3] Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq.

[4] Covered Entities, U.S. Dep’t of Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html (last visited Apr. 5, 2026).

[5] Delaram Rezaeikhonakdar, AI Chatbots and Challenges of HIPAA Compliance for AI Developers and Vendors, 51 J.L. Med. & Ethics 988, 991 (2023), https://doi.org/10.1017/jme.2024.15.

[6] See Gilad Maayan, HIPAA Compliance in the Age of AI, Atlantic.Net (Apr. 3, 2025), https://www.atlantic.net/hipaa-compliant-hosting/hipaa-compliance-in-the-age-of-ai/#what-is-hipaa-compliance.

[7] Judith Garber, The Rising Danger of Private Equity in Healthcare, Lown Inst. (Jan. 23, 2024), https://lowninstitute.org/the-rising-danger-of-private-equity-in-healthcare/.

[8] Bain & Co., supra note 1.

[9] Mary Anderlik Majumder & Christi J. Guerrini, Federal Privacy Protections: Ethical Foundations, Sources of Confusion in Clinical Medicine, and Controversies in Biomedical Research, 18 AMA J. Ethics 288 (2016), https://journalofethics.ama-assn.org/article/federal-privacy-protections-ethical-foundations-sources-confusion-clinical-medicine-and/2016-03.

[10] SovDoc, Why Private Equity Is Investing Heavily in Healthcare in 2025, https://sovdoc.com/why-private-equity-is-investing-heavily-in-healthcare-in-2025/ (last visited Jan. 3, 2026).

[11] Kirkland & Ellis LLP, 2025 Healthcare Private Equity Outlook and Considerations (2025), https://www.kirkland.com/publications/kirkland-alert/2025/01/2025-healthcare-pe-outlook-and-considerations.

[12] Fed. Trade Comm’n, Dep’t of Justice & Dep’t of Health & Hum. Servs., Agencies Launch Cross-Government Initiative on Healthcare Competition (Mar. 2024), https://www.ftc.gov/news-events/news/press-releases/2024/03/federal-trade-commission-department-justice-department-health-human-services-launch-cross-government.

[13] Kirkland & Ellis LLP, supra note 11.

[14] Tate Ryan-Mosley & Melissa Heikkilä, Three Things to Know About the White House’s Executive Order on AI, MIT Tech. Rev. (Oct. 30, 2023), https://www.technologyreview.com/2023/10/30/1082678/three-things-to-know-about-the-white-houses-executive-order-on-ai/.

[15] Chad Konnoth, AI and Data Protection Law in Health, in Research Handbook on Health, AI and the Law 7 (B. Solaiman & I. G. Cohen eds., Edward Elgar Publ’g 2024), https://www.ncbi.nlm.nih.gov/books/NBK613196/; https://doi.org/10.4337/9781802205657.ch07.

[16] Paul Quinn & Gianclaudio Malgieri, The Difficulty of Defining Sensitive Data—The Concept of Sensitive Data in the EU Data Protection Framework, 22 German L.J. 1583, 1593 (2021); See also Gianclaudio Malgieri & Giovanni Comandé, Sensitive-by-Distance: Quasi-Health Data in the Algorithmic Era, 26 Info. & Commc’ns Tech. L. 229, 233 (2017).

[17] Steven M. Williamson & Victor Prybutok, Balancing Privacy and Progress: A Review of Privacy Challenges, Systemic Oversight, and Patient Perceptions in AI-Driven Healthcare, 14 Appl. Sci. 675 (2024), https://www.mdpi.com/2076-3417/14/2/675; https://doi.org/10.3390/app14020675.

[18] Id.
