But if genuine and serious privacy violations are so rare, then enforcing the law in these cases should be relatively cost-effective and efficient. And there would be not-insignificant deterrent effects. Instead, we appear to have an enforcement scheme tilted entirely toward industry, with no incentive to comply. Where’s the protection against your health plan leaking information to your employer? Or your hospital letting loose your identifying information via the kind of slip-up we saw with the VA? If we’re accepting promises to “do better” as the only remedy, then the HIPAA Privacy Rule might as well not exist.

Or maybe the HHS/Bushies understand that our medical costs are high enough without the cost of dealing with private-right nuisance suits, especially when compared to the aggregate benefits of such a right. Remember, all the “savings” from HIPAA are from transaction code sets, not privacy regs.