The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to regulate health insurance in the USA. It is a very complex law with lots of moving parts, but includes both data privacy and security sections. The data protection part of HIPAA is found in The Security Rule and data confidentiality requirements that can be found in The Privacy Rule.
The Privacy Rule contains a convoluted list of rules on who gets to see PHI under what circumstances. A healthcare provider or “covered entity” has permission to use patient data if it’s related to “treatment, payment, and health care operations.” However, using the data for marketing purposes, other staff simply viewing patient records out of curioisty or selling the PHI requires explicit authorization.
HIPAA’s minimum necessary requirement is a good example of PbD principles applied to sharing of PHI. It says that covered entities that share data for marketing purposes other than the ones mentioned above should limit who gets to see it. Health organizations are supposed to evaluate their data and practices, and put in place safeguards to limit “unnecessary or inappropriate” access to PHI.