sorry if i was unclear. if a company is storing medical history data that falls under HIPPA which is serious.
If a company just has data about you that is not medical data then there is no legal requirements as to who can have access to it internally. (So Joe's Sprocket's has a list of everyone who has bought sprockets and their phone numbers - anyone in the company could look at that info and there would be no legal implications)
I see. I think I misinterpreted the "0 legal requirements" part of your comment. It gave me the impression employees not involved in the care could access medical data. Thanks for clarifying.
If a company just has data about you that is not medical data then there is no legal requirements as to who can have access to it internally. (So Joe's Sprocket's has a list of everyone who has bought sprockets and their phone numbers - anyone in the company could look at that info and there would be no legal implications)