Typically customers handle this through some type of waiver system. Generally at the initial visit in an organization a patient signs a ton of releases that state that the parent organization allowed to share patient information as needed through the course of treatment. Most people want to share their information, but there are systems in place to restrict access as needed by law/best practices. Patients can opt out of data, and some data sharing systems support this through various technical choke points. If you were a nurse at one organization, you may not want people snooping through your medical records at another medical organization. The Direct Protocol supports this through pseudo-anonymity of accounts.
I worked at an insurance company for five years. Part of my job was to get authorizations so I could request medical records. I had annual hippa training. I was not allowed to read any medical records or request any medical records that were not directly involved in doing my job. One standard of hippa is "minimum necessary." That means I am only entitled to as much information as is absolutely necessary to do the job and not more. So I suspect that some system to share records has serious challenges.
