HIPAAs rules were not designed to address privacy risks introduced by widespread personal information collection and use in the modern digital ecosystem. HIPAAs rules were designed to support information flows within the health care system and allow for broad uses and disclosures of data by both covered entities and business associates without the need to obtain patient consent. HIPAA is leaky it expressly allows covered entities and business associates to share data outside of HIPAA, including selling de-identified data, without patient consent. HIPAAs rules protect data and also protect incumbents interests in controlling health data. Ultimately Congressional action is needed to establish meaningful privacy protections for personal data.