On top of the GDPR/American concept of "it is all OK if there is consent" which applies to most organization, health related organizations face stronger HIPPA regulations in the US.