You missed one of the biggest, one so important it has its own, separate, overriding privacy law: Substance use disorders. (Though perhaps you can argue it’s in psychiatry!)
Addiction treatment falls under 42 CFR II, colloquially known as “part 2”[0]
Part 2 data is significantly more encumbered than other medical data. If I want to get it I need to be explicitly allowed as a named entity by the patient to receive it. If the data is shared with me under a “general designation”whoever gave it to me has to record that and tell the patient on request. And I have no TPO carve outs, I have to get explicit consent to pass it along.
It is, often times, treated as radioactive data - my company deals in medical data but explicitly says in our contracts that we refuse any receipt of it.