In the B2B context, the answer is relatively easy, but troubling.  The Leahy Amendment only applies if a debtor has made a direct promise, in connection with a sale of goods or services, not to share personal information.  Since there is no direct relationship between you and your doctor's Business Associate, the Leahy Amendment simply doesn't apply.  Thus, if a Business Associate fails and breaches its contract with the HIPAA covered entity (your doctor) by selling or failing to protect your data, the sole protection is likely to be a contract or tort claim in the Business Associate's bankruptcy.  This is not just a problem under HIPAA.  A similar strategy of regulating outsourced data processing services through contract is used to protect financial privacy under the Gramm Leach Bliley Act. (for a more extended discussion see here).

In the B2C context, the Leahy Amendment applies, but does not do much good, because it relies entirely on consumers to contract effectively for privacy protection.  The Leahy Amendment was formulated in response to the Toysmart case, where a first generation dot.com sought to break a privacy promise by selling its customer lists in bankruptcy.  The Leahy Amendment solves that limited problem, but ignores the fact that most modern "privacy policies" are privacy policies in name only.  In most cases the privacy policy is merely a disclosure of the ways in which an entity will use and share your data.

Now, here's the qualification.  The other folks testifying during my session were proponents of various forms of online medical record data banks.  The idea, a good one in theory, is that a patient's medical history should be available in one central location so that doctors can have the benefit of a patient's full medical history, even if the services were provided years ago, in another city, and the patient has forgotten. Needless to say, the providers of these services promise the patients absolute control over their own information.  These facts look like Toysmart, and here, the Leahy Amendment would provide significant protection.

However, there are two reasons why I'm still dubious. 

• First, the Leahy Amendment only applies in bankruptcy, so a data sale that occurred prior to bankruptcy would not receive any protection. 
• Second, the problem with these online medical data banks runs to a deeper consumer contracting problem rather than a bankruptcy problem.  Even if consumers are given absolute control over their medical records, that control includes the power to give them away to people who ask for them (such as employers or insurers).

Here medical privacy begins to look a lot like consumer credit, and poses a question that is similar to the ones that Susan and I have been asking elsewhere.  To what extent do our concerns about consumer contracting that arise from problems of cognition, heuristic bias, time inconsistent preference, and plain old adhesion and inequality of bargaining power counsel limitations on consumer choice?