The Health Insurance Portability and Accountability Act (HIPAA), and its final rule, raised fears among practitioners of new and complex regulations that might interfere with medical practice, lead to inadvertent liability and unwanted expense. It generated a dizzying set of health-care administrative activities and a new work for legal consultants. It has extensive scope, and includes most health plans and practitioners. It has regulated both privacy and security, including electronic, paper, and oral communications. However, after a HIPAA compliant office structure is established, and the privacy notice is reviewed and signed by the patient, disclosure of medical information for treatment, payment or "health-care operations" is permitted without recurrent consent forms, thus allowing substantially familiar patterns of doctor-to-doctor communication about treatment. Further, the initial approach to enforcement appears to some legal observers to be more likely corrective rather than punitive, although providers remain uneasy over the mere possibility of criminal penalties. As regards medical research, uncertainties about the application of HIPAA seem less resolved and more variably interpreted by different institutions, with ongoing fear in the research community that important public health and epidemiologic research activity may be compromised by well meaning IRBs using inconsistent, overly strict or erroneous interpretation of the intent of HIPAA regulations.