
You're suggesting that hospitals would be allowed to sell patient info to anybody willing to pay, as long as they have a contract?


In the US, HIPAA would apply to individually identifiable health information. HIPAA Providers share information with other HIPAA-covered entities all the time under contracts where the associate entities (non-providers) agree to comply with HIPAA privacy rules.


Those are generally with the patient's previous consent though, right? Things get a lot easier if you have somebody sign some documents before you start working on them.


I'm suggesting:

1.) it might be stricter than you say.

2.) you (possibly like me? ;-) seem to have stronger views on what GDPR means than you can argue for.


Probably, I'm somewhat of a fundamentalist pragmatist ("this cannot be legal!" - "everybody does it, judges say it's okay" - "oh, I guess it's legal then :("), but in this case I'm not so sure. I still believe that Google does not consider them data processors (possibly because they don't consider a google_push id PII), because if they did, they'd have to name them in their privacy terms as entities they share data with. They don't. Of course, this might be because they don't care, but since it's a delicate issue and the stakes are somewhat high already, that doesn't sound plausible to me.

Pretty much all examples for data processing I've read are similar in this regard: the data controller (DC) passes data to the data processor (DP) so the DP can perform a specific task for them (handle invoicing, do analytics, run a web server, mail packages etc.). The DP must not use the data for anything else, must not share the data with anyone (except for sub-processing, which has strict rules, too). "Exchanging/Syncing PII of users so we can create better profiles, more efficiently track them and show ads to them that are more personalized" doesn't fit the bill at all from what I understand. Similarly, landlords cannot get together and share all the data on their tenants to figure out who was a pleasant renter and who sued because the heater broke in winter.

So, in my understanding, even if you and I used the same invoicing provider, they wouldn't be allowed to tell me if they've invoiced a certain person for you previously, because we're different entities using them as a data processor and our data is to be kept separate. If we wanted to do data sharing (or even share aggregate probabilities like credit check agencies), we'd need a different construct, explicit consent and a bunch of additional compliance requirements.



