I think the most illuminating thing about HIPAA is the fact that it lays bare just how poorly doctors and lawyers and healthcare administrators actually understand logical security in the computer science sense. I will point to the use of fax machines as a superb example. The law essentially considers PGP and a fax machine to be security equivalents.
I think that ignores a lot of the technology involved. A fax can be intercepted, but an email is guaranteed to be recorded by intermediate servers. In most cases, email will be data mined in a webmail system. So while PGP is clearly better, I think it's reasonable to say fax is, in practice, better than email. Unless you want patients suddenly getting Valtrex ads because someone sent their health records over webmail.