Your AI strategy will die in the data access queue.
AI demand for health data grows with every AI system you deploy. Committees don't scale. The fix is health data that's safe to use by default.
Chapter 01
The most valuable data in healthcare is the least accessible.
In brief: US healthcare holds decades of clinical data that could show which treatments actually work — and almost none of it is used, because data access infrastructure predates AI.
The American healthcare system holds the largest collection of structured clinical data ever assembled. Decades of diagnoses, labs, prescriptions, procedures, and outcomes for hundreds of millions of people — a longitudinal record of what happened when they got sick, got treated, and either got better or didn't. Taken seriously, this data could tell us which treatments work for which patients, which billions in annual spending produce no measurable benefit, and which populations are dying of conditions we already know how to treat.
Almost none of it is being used, because the infrastructure for data access was built for a world that no longer exists.
Chapter 02
AI doesn't submit projects. It sends prompts.
In brief: AI agents turn one research question into hundreds of queries against clinical data. The unit of access is no longer a multi-month project — it's a prompt, and volume scales with compute, not headcount.
For decades, the unit of data access in healthcare has been the project. A researcher drafts a protocol, an IRB reviews it, a privacy officer evaluates the data request, a data use agreement is negotiated, an engineer prepares the tables. Six to eighteen months pass. Many requests are quietly outlasted until the investigator moves on and the question goes unanswered. The researcher who survives the process begins.
If this is how your institution shares data with its researchers, AI will bury you.
When an AI agent is asked to analyze readmission patterns, it writes a query, examines the result, refines the query, and writes another — a hundred times, perhaps, in the course of answering a single question. The unit of data access is no longer a multi-month project. It is a prompt. And the volume will grow by orders of magnitude, because demand will no longer track with analyst headcount. It will track with available compute.
Researcher era · 4 per week
Analytics era · 20 per week
Agent era · 100 per minute
Chapter 03
No human review process scales to AI.
In brief: Governance committees approve a fixed number of data requests per week while AI demand grows exponentially. Review capacity is linear; there is no faster-committee future.
The instinct is to reach for operational fixes. Faster committees. Better triage. More reviewers. None of them are sufficient, because the mismatch is mathematical: capacity grows linearly, demand grows exponentially. You can double your review staff — at ten to thirty thousand dollars per request in institutional overhead — and buy yourself a few months of headroom. The demand curve will consume it inside a quarter.
There is no faster-committee future. The committee model has a fixed ceiling, the demand curve does not, and the ceiling has already been reached.
Chapter 04
This isn't about training data.
In brief: Healthcare's AI data crisis isn't about training models — it's inference: every query a deployed agent sends against clinical data needs approval, at machine speed, for questions no one can predict.
The conversation about AI and health data has focused, to its detriment, on whether clinical records should be used to train foundation models. The data access crisis arriving in healthcare has almost nothing to do with training.
Training is a discrete event: a model is built once, approved once. Inference is continuous — a deployed agent querying structured data with every prompt, every refinement, every follow-up, for questions that cannot be anticipated in advance. Structured clinical data is a weak substrate for training large language models. It is extraordinarily valuable at inference time. What does a proposed payer contract mean for revenue across last year's case volume? Which service lines are outliers on risk-adjusted readmissions? How many patients matching twelve inclusion criteria were seen here in the last three years? Each of those questions hits a data warehouse at inference time, and for each one the current compliance infrastructure offers the same answer: get in line.
Training · one-time event
Inference · continuous
Chapter 05
Make the data safe before anyone asks.
In brief: Health data that is safe to use by default — de-identified at the origin — makes compliance a property of every output rather than a gate in front of it.
If demand grows exponentially and review capacity grows linearly, the shape of the answer is settled before anyone writes a line of code. You cannot put a faster gate in front of an exponential flow. You move safety from the point of use to the point of origin — which is how critical infrastructure problems have been solved for a century.
Before treatment plants, cities accepted that thousands of residents would die from unsafe water. They replaced inspectors at the tap with infrastructure at the source: treatment plants that made every drop safe before it entered the pipe. The inspection moved from consumption to production, and then it disappeared.
Health data is ready for the same transformation: compliance that is a property of every output, not a gate in front of it.
Every request verified at origin
HIPAA compliant · SOC2 Type 2 · Evaluated by Datavant
Take the first step to AI-native governance.
We partner with health systems and research institutions to make health data safe to use by default — starting with a de-identified digital twin of your data, in your analytical workflows.
- Proven in production at UT Southwestern Medical Center
Read the Microsoft case study → - Health data access in minutes, not months — governance that runs at machine speed
- Expert determination as software: every output verified de-identified before release
Not ready for a form? See the platform → or write to hello@getsubsalt.com
Got it — talk soon.
We'll reach out within two business days. In the meantime, see how the platform works →
Common questions about AI and health data access
How long does it take researchers to get access to clinical data?
Typically 6 to 18 months. A data request moves through IRB review, privacy evaluation, data use agreement negotiation, and engineering preparation — and many requests are simply outlasted until the question goes unanswered. Subsalt reduces this to minutes by delivering data that is already de-identified and safe to use.
Why can't data governance committees keep up with AI?
Committee capacity grows linearly — more reviewers, faster triage — while AI-driven demand grows with available compute. An AI agent may send hundreds of queries to answer a single question, so no human review process can match the volume.
Is the health data problem about AI training or AI inference?
Mostly inference. Training is a discrete event, approved once; a deployed AI agent queries clinical data continuously, with every prompt and follow-up. Each query needs the data to already be safe — which is why compliance has to move from review gates to the data itself.
What does "safe to use by default" mean for health data?
Every output carries its own compliance artifact: data is de-identified at the origin — expert determination performed as software — before anyone, human or AI, touches it, instead of being reviewed request by request. This is Subsalt's approach to health data infrastructure.
How does Subsalt help healthcare organizations prepare for AI?
Subsalt makes health data safe to use by default: a de-identified digital twin of your data for exploration in minutes, plus a secure runtime for real-data results where every output is verified before release.
Is this synthetic data?
Yes — in the sense that it is not the original protected health information (PHI). Subsalt generates a synthetic digital twin of your data: statistically faithful, and de-identified in accordance with HIPAA's Expert Determination standard. Health information that has been properly de-identified is no longer PHI, so the HIPAA Privacy Rule does not restrict its use or disclosure. And when you need results you can publish, Subsalt executes your queries against the source data in a secure runtime — so outputs, whether row-level data or artifacts such as charts and tables, are publication-ready.
What is expert determination under HIPAA?
Expert determination is one of the two methods HIPAA recognizes for de-identifying health data: a qualified expert applies statistical and scientific methods to determine that the risk of re-identifying anyone in the data is very small, and documents that determination. Subsalt performs expert determination as software — continuously, on every output — instead of as a one-time consulting engagement.
Is this Safe Harbor de-identification?
No. HIPAA offers two paths to de-identification: Safe Harbor, which strips 18 categories of identifiers, and expert determination, which statistically determines that re-identification risk is very small. Subsalt uses expert determination because it preserves far more analytical utility than Safe Harbor while meeting the same regulatory standard.