This article is needless fear mongering. The legislation talked about here, HIPAA, is designed to prohibit the exact things discussed in the article. The federal law is superseded by state law where state law is more stringent, so it's essentially federal legislation that provides a regulatory floor where state law does not intervene.
Trust me, doctors don't want to do this because it is way more work than they are currently doing to protect privacy. HIPAA requires providers and their associates to be more accountable and document disclosure of information. They don't currently have to do that consistently.
A business associate falls under the physician's risk as if they were an employee of the practice. Protected health information is specifically to be used for treatment, payment and "medical operations."
Bad news is that HIPAA is not specific enough and will be wrung out in case law for years to come.
All the regs are here:
http://aspe.hhs.gov/admnsimp/
The privacy rule is 1500 pages long.
The "privacy rule" allows/requires ANY federal or state official to get your medical records whenever they want them.
The rest of the 1500 pages merely conceal that little fact.
ftroop.... member since July 8th 2002.