by chrisseaton 2068 days ago
Medical records are PII.

Do you mean store without names? The conditions, times, places, etc, are inherently PII themselves.

My wife gave birth on a given day in a given hospital. She also broke her ankle once. No names, but record uniquely identified.

1 comment

What you are saying is that our actions, even without explicit names, etc., can be used to identify the actual person. This is kind of missing the point, because that sort of reverse lookup can't scale, and in a very large number of cases it won't be done. [Edge case: only person in a village or a post code.]

By removing the directly identifiable info, the damage done in a breach would be less. Whereas now, a single breach contains all the data that could identify a person, and every person in that breach, without having to do any/much reverse lookup.

Now, the orgs that collect this data do not have a certification standard and verification that they have to obtain before going operational. Even a restaurant kitchen has that.

On that note, I'd say that there should be a severity grading for the data items. Even eggs have a grading system. Our personal data is a tad more valuable.
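To make the re-identification question in this thread concrete, here is an added example that is not part of the original page or any commenter's post. It uses a small constructed extract (the pseudonyms, events, dates and hospital codes are all made up) in which the name has already been stripped, and shows two things practitioners usually measure before calling data "de-identified": the k-anonymity of the remaining quasi-identifiers (how many records share each event/date/hospital combination, both as stored and after generalising the date to year-month and dropping the hospital), and how many pseudonyms remain consistent with the kind of background knowledge described above (a birth on a given day at a given hospital, plus one ankle fracture).

```python
from collections import Counter, namedtuple

Record = namedtuple("Record", "pseudonym event date hospital")

# Constructed sample extract (not real data): names are already stripped and
# replaced with a pseudonym, but event, date and hospital are kept verbatim.
RECORDS = [
    Record("p01", "childbirth",     "2014-03-12", "H1"),
    Record("p02", "childbirth",     "2014-03-12", "H1"),
    Record("p03", "childbirth",     "2014-03-12", "H1"),
    Record("p04", "childbirth",     "2014-03-14", "H1"),
    Record("p05", "childbirth",     "2014-03-12", "H2"),
    Record("p01", "ankle fracture", "2011-07-02", "H3"),
    Record("p06", "ankle fracture", "2011-07-02", "H3"),
    Record("p07", "ankle fracture", "2011-07-19", "H1"),
    Record("p02", "ankle fracture", "2011-07-30", "H2"),
]


def raw_key(r):
    """Quasi-identifier tuple as stored: exact date and hospital."""
    return (r.event, r.date, r.hospital)


def coarse_key(r):
    """Generalised quasi-identifiers: year-month only, hospital dropped."""
    return (r.event, r.date[:7])


def group_sizes(records, key):
    """How many records share each quasi-identifier combination."""
    return Counter(key(r) for r in records)


def k_anonymity(records, key):
    """Smallest equivalence class: every record is indistinguishable
    from at least k-1 others on the chosen quasi-identifiers."""
    return min(group_sizes(records, key).values())


def singleton_records(records, key):
    """Number of records whose quasi-identifier combination is unique in the extract."""
    sizes = group_sizes(records, key)
    return sum(1 for r in records if sizes[key(r)] == 1)


def link(records, facts):
    """Pseudonyms consistent with every background fact an attacker knows.

    Each fact is a dict of Record fields known about one person
    (e.g. {"event": "ankle fracture"}); unknown fields are simply omitted.
    The candidate set is intersected across facts, so each extra fact can
    only shrink it.
    """
    candidates = {r.pseudonym for r in records}
    for fact in facts:
        matching = {r.pseudonym for r in records
                    if all(getattr(r, field) == value for field, value in fact.items())}
        candidates &= matching
    return candidates


if __name__ == "__main__":
    for name, key in (("raw", raw_key), ("generalised", coarse_key)):
        print(f"{name:11s} k={k_anonymity(RECORDS, key)} "
              f"unique records={singleton_records(RECORDS, key)}/{len(RECORDS)}")
    # Background knowledge of the kind described in the thread.
    known = [{"event": "childbirth", "date": "2014-03-12", "hospital": "H1"}]
    print("birth only:         ", sorted(link(RECORDS, known)))
    known.append({"event": "ankle fracture"})
    print("birth + ankle:      ", sorted(link(RECORDS, known)))
    known[-1]["hospital"] = "H3"
    print("birth + ankle at H3:", sorted(link(RECORDS, known)))
```

On this extract the stored quasi-identifiers give k=1 with four of nine records unique, while year-month dates with the hospital dropped give k=4 and no unique records. The linkage step shows the other half of the argument: the birth alone matches three pseudonyms, adding the ankle fracture narrows it to two, and adding the hospital where the ankle was treated leaves one. Whether that lookup is worth doing at scale is a separate question from whether it is possible; the numbers above measure only the latter.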