
> But it's my privacy and security that's at issue. I don't think it's obvious why I shouldn't be able to waive those concerns.

You could, in theory, consent to a disclosure of your PHI in insecure form to the doctor's email provider (or maybe to the whole chain between the doctor and you, but I don't think that would be necessary since once it's been disclosed under your consent to someone not covered by HIPAA they can do anything they want with the data, including delivering it to you), but doctors would probably prefer to use a method that doesn't require that overhead and not also manage the kind of consent tracking that would be necessary to use unsecure email (and would rather not deal with the PR fallout that would happen when someone who didn't really understand the implications got bit by it).

The fact that you could, in theory, under the law consent to certain insecure disclosures to third parties doesn't mean that doctors are mandated to maintain the infrastructure to deal with every conceivable way you might want to do that. They are required to provide information to you under certain circumstances, and not to provide it to others except as allowed under the law.



Fair enough.



