I find this a bit shocking:
Ruling Limits Prosecutions of People Who Violate Law on Privacy of Medical Records
An authoritative new ruling by the Justice Department sharply limits the government's ability to prosecute people for criminal violations of the law that protects the privacy of medical records.
The criminal penalties, the department said, apply to insurers, doctors, hospitals and other providers - but not necessarily their employees or outsiders who steal personal health data.
...If a hospital sells a list of patients' names to a firm for marketing purposes, the hospital can be held criminally liable.... But if a hospital clerk does the same thing, in defiance of hospital policy, the clerk cannot be prosecuted under the 1996 law, because the clerk is not a "covered entity." ...
What's going on here? Is the administration all but inviting hospital corporations, insurance companies, HMOs, and so on to let privacy standards lapse -- just so long as any violation can be blamed on "some guy in the mailroom"?