That's not true. It's intended to define a regulated and standard means of transferring medical information while ensuring confidentiality and patient privacy.
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg...
You have to explicitly grant permission for your data to be sold. What's very likely is that either the healthcare provider or insurance company included a request for authorization to sell that data, and the authorization was signed without paying much attention to it.
You wouldn't need such a modern privacy rule if it weren't for the need for information portability in the digital age. The distinction between whether or not portability or privacy is primary in the law kind of doesn't matter. The real purpose of HIPAA was to help make the newly emerging market forms of health care sustainable. Protocol standardization and modernization of the Hippocratic Oath were both necessities, technical and ideological respectively.
You're referring to the privacy rule, which is only part of the law (and not its primary purpose). The original intent of the law was to ensure easy transfer of information to keep health coverage when changing jobs. The privacy rule was not even part of the original law; it was added by HHS 3 years later. See more details here: https://www.ncbi.nlm.nih.gov/books/NBK9576/