A number of prominent health law experts agree that patients have very limited recourse to protect themselves against violations of privacy. They have concluded that more state and federal legislation is necessary, because there are major holes in the way current health care law is written. Some enlightening and relatively nontechnical details are given in a representative 2007 article in the University of Illinois Law Review entitled "Ensuring the Privacy and Confidentiality of Electronic Health Records", by Nicolas Terry and Leslie Francis. (Very few primary changes have occurred during the intervening years.)

In brief, personal health information has been judged to be under threat either by its collection or by its disclosure. The law has treated these two threats separately, expressed as the distinct models of privacy and confidentiality. When I read this legal splitting of hairs, my antennae quickly went way up.

It turns out that contemporary U.S. confidentiality and privacy models are shaped and constrained by several persistent features. First, the regulation of medical records is primarily a creature of state (not federal) law, has a number of exceptions, and is highly qualified. Moreover, and unsurprisingly, there is remarkable variation from state to state. Second, the law relating to the privacy of medical information is described as underdeveloped and narrowly circumscribed. As a result, common law privacy actions have succeeded in only a few extreme cases. Gaps in data protection may be especially apparent when data are transferred across regimes, as when health records are made available to insurers or employers. Any EHR system that crosses state boundaries (which includes virtually all of the major software providers) thus poses the problem that patient protection is only as strong as the weakest state link.

Worse, privacy dispute resolution has been in the hands of the Office for Civil Rights in the Department of Health and Human Services. Although this may sound benign or neutral, in practice, from a patient's perspective, enforcement has been placed in the hands of an "insider" primarily interested in ensuring the efficiency and continuity of the present system. This is the same agency that enforces the HIPAA Privacy, Security, and Breach Notification Rules.