by chimeracoder 1207 days ago
> Can you give an example about fewer protections than people think?

For starters, HIPAA doesn't actually prevent your doctor or health insurer from selling your data to a third party. It also doesn't prevent that third party from giving that data to a fourth party, who can give it to another, and so on.

What happens if one of those tertiary parties has a breach and ends up exposing your data? In theory they're supposed to report it back up the chain, but in practice it doesn't go more than one or two links, if that.

So in short:

- you have no way of enumerating the number of entities who have legal access to your health data

- you have no way of finding out when it's been illegally exposed by any of the parties who have legal access to it

- if by chance you happen to find out about an exposure[0], you have no recourse except to report it to HHS, who may apply a statutory fine, but the fine is typically minuscule compared to the size, revenue, and profit of the guilty party

- if by chance you find out about an exposure of your PHI, you are not entitled to receive any compensation

All things considered, it's easier to enumerate the very limited ways that HIPAA does actually protect you than to enumerate the protections that most people incorrectly think HIPAA provides.

[0] a real-life example is you Googling the name of your partner and stumbling upon a publicly visible Excel spreadsheet containing the name, SSN, addresses, and medical diagnoses of thousands of patients

[1] see above


Used to be the Joint Commission took HIPAA violations seriously. Do HIPAA violations no longer cause risk of losing Joint Commission accreditation? That used to be the big sanction everyone worried about.