
HIPAA was designed for portability -- the 'p' stands for portability, not privacy -- of health info, so there are immense carve-outs in service of that objective. Fines for violating HIPAA are almost non-existent.

HIPAA is wildly misunderstood by the public as a strong safeguard, meanwhile medical offices just get any patient (a captive audience) to sign a release waiver as part of patient intake ...



They get patients to sign something permitting them to share PHI with other entities like e.g. the lab that runs blood work, not to disclaim liability for leaking it unintentionally.



