Well, HIPAA is intended to protect patient health information. The issue is that 3rd party entities end up included within the groups that get to see that information. There's also the fact that human error is high, and people are extremely fucking incompetent. Say you go to a provider to get a mole removed on your shoulder. You might get an Assistant that takes a picture including your entire face, and then that goes to the insurance company where the person triaging the file sees your face, the person taking care of your claim potentially sees your face, and anyone that has access to your file with the right levels of accessibility can see it too. Hospital staff and provider facilities can be pretty shitty about blacking out personally identifiable information, ie: mother/baby units that don't redact the separate patient info, couples at fertility centers being analyzed, and even families receiving genetic counseling. They're technically supposed to be fined for each offense, but lol. Your medical records go through many hands, but they're all technically supposed to be directly involved in your patient care. This fucks over collections agencies when you demand that they verify with proof that you had those services done btw, because they can't prove it. It's meant to be a good thing, but you know how good things usually end up fucked up when they're in the hands of idiots.