In the US, HIPAA is pretty much the strongest privacy legislation there is. There's probably no group that would have a more severe penalty for leaking your info than your healthcare provider.
HIPAA has strict rules with severe penalties, but enforcement is at best spotty. So honest hospitals and doctors' offices bend over backwards to comply with the rules at great expense, but bad actors are rarely punished. It's the worst of both worlds. I'm pretty sure that is why the punishments are so harsh, because they need to put the fear of god into practitioners to make them take it seriously since there are so few inspectors.
It's the difference in medical establishment skill level between your doctor and you. You are always at a disadvantage. I've long thought that a disinterested third party needs to be involved. Someone with real oversight taking a position adversarial to the hospital and strictly to create the best possible outcome for the patient.
This is true; however, getting it funded is the difficult task.
For it to be effective, the money can't come from the provider, meaning it's either from the payer or the patient. The payer doesn't really care, costs are contained as far as they are concerned, with the various Quality Initiatives. That leaves the patient to sign up for a subscription model.
I explored that as a business 12 years ago, and sadly there is still a need. The worst part is that most clinicians actually want to do the right thing but it's the admins in their organization who set up processes that result in terrible outcomes.
Perhaps true, but the strongest privacy protections in the US are still pretty weak. The biggest penalty I know of is Anthem 2018, where they leaked HIPAA-qualifying records on 80 million customers. Their financial penalty was a whopping... $16 million. Two dimes per affected customer!
It's true that the US rarely penalizes corporations enough to really disincentivize things, but healthcare providers probably take client data security more seriously than just about any other group besides maybe law firms. It's weird to single them out as being particularly unconcerned with and unpenalized for leaks.
HIPAA was designed for portability -- the 'p' stands for portability, not privacy -- of health info, so there are immense carve-outs in service of that objective. Fines for violating HIPAA are almost non-existent.
HIPAA is wildly misunderstood by the public as a strong safeguard, meanwhile medical offices just get any patient (a captive audience) to sign a release waiver as part of patient intake ...
They get patients to sign something permitting them to share PHI with other entities like e.g. the lab that runs blood work, not to disclaim liability for leaking it unintentionally.
How many healthcare providers do you know personally who have faced severe penalties for leaking information?
The reality is that for a small doctor/dental/whatever office, there is essentially 0 risk. HIPAA violations that carry significant penalties go to huge hospitals and healthcare companies.
Your neighborhood doctor has to screw up in a major way for an extended period of time to have a minute risk of any consequence.
How much information do you think your neighborhood PCP is “leaking” compared to, say, Elevance? This is such a goofy take. Are you expecting that every small provider group is just firing your data off on Facebook every Tuesday, and somehow, no one cares? They’re all using certified EMRs. They all take security seriously because their licenses are literally on the line. Do you work in healthcare?
If they provably expose your data, and you report them, they will get fined. Or they would have last year, who knows if those people still have jobs.