There are two pathways for data regulation, and one of them is better than the other. The public debate (and the American legislature) often revolves around controlling who can use the data. We hardly ever hear about data collection regulations, however, despite the fact that they may be more effective.
This is in part because enforcing a downstream data privacy regulation places an impossible burden on individuals. Let’s pretend your health data has reached a potential employer. Let’s then pretend you were the target of discrimination by this employer.
To legally enforce your right to privacy under a downstream policy, you would need to somehow be notified of a data breach regarding your personal health information. As unlikely as this seems, this piece of information would not be sufficient to cover your rights. You would then need to prove this data has been used in a discriminatory fashion towards you.
With an upstream approach, we could limit the type and amount of health data that may be collected by non-medical entities in the first place. The trouble with this approach is that it impedes IoT and other great inventions. These are two tensions to be contended with.