That's not true. It's intended to define a regulated and standard means of transferring medical information while ensuring confidentiality and patient privacy.

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg...

You have to explicitly grant permission for your data to be sold. What's very likely is that either the healthcare provider or insurance company included a request for authorization to sell that data, and the authorization was signed without paying much attention to it.

Narrator: "But it did neither."

Honestly, we're better off with it than without it, speaking as someone with exposure to that industry's internals. That act drives a lot of good security practice within the organizations (mostly liability shifting, but still good). Specifically, the fear it instills of ruinous penalties from regulators drives good practice adoption, IME.

Further, multiple crappy patient portals across providers is a crummy experience, but it's an improvement over the world where providers held the data hostage and had zero interest in accommodating your requests for it, or even the idea that you owned it.

"The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US federal law designed to protect sensitive patient health information from disclosure without consent."

The second “P” in HIPAA stands for “Privacy”