But today one of the main effects of the law is to make it much harder for doctors and hospitals to share data with researchers. The fees they would have to pay for legal experts, statisticians and the other consultants needed to ensure compliance with the law are just too steep to bother.

Julia Adler-Milstein, the director of the Center for Clinical Informatics and Improvement Research at the University of California, San Francisco, told me that “the costs associated with sharing data for research purposes in a Hipaa-compliant way are beyond what many hospitals can justify.” She added, “The fines associated with a potential data breach are also a deterrent.”

These fines are a blunt instrument that don’t correspond to varying levels of harm, creating a climate of fear that discourages sharing. Leaking personal information onto the internet has rightfully led to fines in the millions. But so have cases of data loss in which it was unlikely that anyone ever gained access to the lost data, because it was stored on a laptop or on thumb drives that may never have even left the office. This isn’t to say that the latter case shouldn’t be fined, only that the current amounts are excessive.

What can be done? One solution is to increase patient control. The government could create a data repository to which patients could upload their information, and that would give them controls over how much they wanted to share and with whom. The problem with this plan is that it is unlikely many would bother to use the platform.

We could offer an incentive by allowing private companies to purchase the data from patients, but millions of people would need to participate. The fact that Chinese companies are already getting hundreds of thousands of records cheaply compounds the problem: The price of an A.I. cancer scanner from an American company that paid millions for its data would risk being undercut by a low-cost Chinese competitor.

A more pragmatic alternative would be to ease some of Hipaa’s more onerous requirements and think more deeply about when we need more privacy and when we could live with less.