> But about 1.5 million private entities can legally access your data

Somewhat. They are allowed to access it "for treatment purposes", not just to nose around out of curiosity.

I found myself explaining this to a number of my patients (I used to be a paramedic) who were irate about disclosures they'd made to their therapist, doctor, etc., that they had said they didn't want revealed to other providers (but were actually germane to their care).

"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."

https://www.hhs.gov/hipaa/for-professionals/faq/481/does-hip...