You already do have mandatory disclosure on shenanigans like that in the US. It's the boilerplate HIPAA agreement you sign when you first see a provider.
Good luck finding a provider that doesn't ship your sensitive medical data out to an EMR company though.