[Veserv]

Well if they are only going to use the data for good purposes and not for nefarious purposes or for sale, then there is no downside to just writing it into their contracts and privacy policy.

Just add a irrevocable guarantee that they will never sell or transfer to someone who will sell any data and if they do the company will immediately dissolve and become encumbered with a debt of the highest seniority equal to all lifetime company revenues to the people whose medical data they have. The C-suite and Board of Directors must also provide a personal financial guarantee equal to their entire compensation package, and must provide sworn testimony yearly that they are engaging in no business deals which include the sale of private medical data.

Since they do not intend to ever use the data for bad purposes, they have nothing to lose by keeping their word. Literally no downside to them since they were not going to do it anyways and it provides peace of mind to the public, a win-win.