I wholeheartedly agree. I worked with one of the founders of the bioelectric sciences and biomedical engineering (rest his soul) and it was his passion to one day see medical records become digitized but also permit ownership and control solely by the patient. I see nostr as a good foundation for such a system. For example, the doctor's office might run a relay and the patient could consume the information from the clinic then securely share it with other doctors by adding the new clinic's public key to the list of recipients.

Most people don't understand HIPPA and are over-protective of patient data in my opinion. For those handling other people's medical data, that's absolutely necessary but so far as I understand it the patient always retains the right to decide who is allowed access and by what means. Even though it may be insecure, be it fax, email or encrypted zip file on a thumb drive, the patient could insist on these communication media. The wrinkle is when a clinic recommends one or another means, that's when it becomes a liability. Most clinics insist on patients logging into their portal to access their data, but that level of security is a clinic policy and not necessarily required by HIPPA is the patient requests the data is shared via email.