The World Privacy Forum points out that many organizations keep some medical information but are not covered by HIPAA. These include gyms, fitness clubs, most websites, employers, banks, home testing labs, massage therapists, nutritional counselors, alternative medicine practitioners, disease advocacy groups, marketers of non-prescription health products and foods, and any website not run by a covered organization.
Most of these organizations have a privacy policy and terms and conditions, but is that really all that comforting?