The Work Between Policy and Technology
Why policy–technology alignment determines whether systems actually work
Back in 2018, I was tasked with conducting something called “policy-technology alignment” as part of California’s Alameda County Whole Person Care pilot. At the time, I didn’t fully understand what that meant. I recently found a note in an old notebook that literally read, “what does this mean?”, written sincerely, not rhetorically.
I understood health care policy and the data sharing landscape reasonably well. I did not yet understand technology in the same way. And at that point, most health information exchange was still centered on clinical, HIPAA-regulated data. California’s Whole Person Care pilots (the precursor to CalAIM) were pushing into new territory: cross-sector care coordination that brought together health care providers, housing organizations, behavioral health and substance use treatment providers, justice-involved systems, community based organizations, and others that had not historically shared data or infrastructure.
The use case was clear. Counties were being asked to coordinate care for Medi-Cal beneficiaries with complex needs by breaking down silos across systems. What was far less clear was how to design technology and workflows that could support that coordination without violating the law, undermining trust, or defaulting to overly restrictive approaches that defeated the program’s purpose.
That ambiguity is exactly where policy-technology alignment shows up in practice.
At a basic level, policy-technology alignment is the work of translating policy requirements and intent into technical and operational decisions—how systems are designed, configured, and used in practice. It involves understanding not just what the law says, but how it is meant to function in real-world programs, and then ensuring that system design reflects those realities. This work is distinct from compliance alone. Compliance asks whether something is permitted. Policy–technology alignment asks how permission, restriction, consent, and accountability are actually implemented in systems that people have to use.
In the Whole Person Care context, this translation problem surfaced immediately. Data from different sectors came with different legal regimes, different expectations around consent, and varying institutional norms. HIPAA was only one piece of the puzzle. Housing data, social services data, behavioral health information, and justice-related data did not fit neatly into a single framework, yet the technology was expected to bring them together into shared care plans, coordinated workflows, and common operating pictures.
The core question I kept encountering was how to integrate these disparate data types into a shared environment without running afoul of the law or eroding trust among partners.
Practically, that often meant grappling with how to move from a strictly HIPAA environment to a hybrid one. It required careful interpretation of overlapping laws, a clear understanding of where flexibility existed, and deliberate choices about how consent, access controls, and data segmentation would be handled in the system over time, not just at go-live.
Policy–technology alignment, in that context, involved several interrelated activities. It meant interpreting policy intent rather than relying solely on literal readings. It meant distinguishing hard constraints from areas where programs had discretion. It meant translating legal and policy concepts into system logic: permissions, workflows, data flows, and user roles. And it meant anticipating how implementation choices would shape behavior over time, especially as systems scaled or partnerships evolved.
As this work expanded to other jurisdictions—Marin and Santa Cruz counties and the City of Sacramento—it became clear that these challenges were not unique to a single pilot or county. The same dynamics repeated themselves. New partners entered the ecosystem with varying levels of experience handling sensitive data. Legal counsel, often deeply familiar with HIPAA but less comfortable with broader cross-sector data sharing, approached system design from a place of understandable risk aversion. Program leaders, meanwhile, were focused on achieving outcomes that depended on timely, coordinated access to information across organizations.
Technology sat in the middle of these competing pressures. Systems were expected to operationalize highly nuanced agreements, layered consent models, and complex regulatory interpretations. When that nuance was flattened or misunderstood, the technology made decisions by default. Those defaults—who could see what, under what circumstances, and for what purposes—effectively became policy in practice.
Looking back, I didn’t set out to build a practice around policy–technology alignment. I kept encountering the same problems, regardless of geography or organizational structure. The work lived in a translation layer that was essential but rarely named, and often poorly understood. Sometimes it showed up in policy or legal teams. Sometimes in product or implementation. In technology companies, it even surfaced in sales contexts, where teams were asked to explain how a product fit within complex and evolving policy environments. In some of those settings, the work was described as “policy–product fit.” The terminology varied, but the underlying challenge remained consistent.
Over time, it became clear how often this work is treated as incidental rather than foundational. When policy–technology alignment is not done deliberately, systems tend to be technically compliant but operationally fragile. Tools struggle to gain adoption because they do not reflect how programs actually function. Data sharing efforts stall because consent, governance, and trust were never fully translated into system design.
As health and social care systems become more interconnected, the consequences of these failures become more pronounced. Cross-sector data sharing, secondary data use, and emerging technologies increase the stakes of design decisions that once seemed minor. Policy–technology alignment is no longer a niche concern. It is a core requirement for building systems that are lawful, usable, and worthy of trust.
The work has existed for some time. The question is whether we are prepared to recognize it as a distinct discipline—one that sits between policy, technology, and practice—and approach it with the rigor it demands. As policy expectations continue to outpace technical clarity, this translation work will only become more consequential.
