There are a number of articles on this that I was going to link to, but once again Schneier on Security has it all summed up:
Schneier on Security: U.S. Medical Privacy Law Gutted:
"In the U.S., medical privacy is largely governed by a 1996 law called HIPAA. Among many other provisions, HIPAA regulates the privacy and security surrounding electronic medical records. HIPAA specifies civil penalties against companies that don't comply with the regulations, as well as criminal penalties against individuals and corporations who knowingly steal or misuse patient data...."