by febusravenga 322 days ago
And he would request all you have... like many apps do today (in case of permissions)... and refuse to provide service if not given all.

We have laws regulating what personal information you are allowed to ask for, and what you're allowed to do with it. These laws have teeth too, at least in the EU.

Passively snooping on health info you have no business looking at gets health personnel sanctioned regularly in the present system. It would be even more risky if they actively had to ask for the information they didn't need.

Of course, for medical information there often has to be emergency overrides because you might need immediate help and you (or your designated trusted person) might not be accessible and capable of giving active consent.

But doesn't this obviate the use of a specific protocol? The protocol itself does very little to help with this problem – only laws with teeth do that.

Meh, there are workarounds to the GDPR framework if you're a company outside the EU. I'd say if you had a big company outside the EU, like the US, you'd have even less regulation than EU companies have to adhere to.