Taliesin--(great name, BTW)--I work in health research. Until April 14 I could call most hospitals and doctors' offices in America, give their medical records and billing departments your name, and sweet-talk them into giving me all sorts of alarming data about you. Sometimes they'd fax me your entire medical record, including the most personal information in your life. You'd be horrified at how chatty those medical records clerks and doctors' practice admins are. I was always scrupulous about sending them a signed authorization form, but a lot of them just spilled their guts and then told me that the authorization wasn't necessary. I could have been anybody--your ex-wife's attorney, your employer, a criminal; they had no way of knowing I was who I said I was or served the organization I actually work for.
As of April 14, however, everybody clammed up. The stringent penalties HIPAA imposes for violating patient privacy has had a strong chilling effect on their tongues. Now there is no way I'm prying information out of any but the most slovenly clerks unless I fax a signed authorization in first. It's very refreshing.