Yes, I think this is a serious matter, and I do think it should be prohibited.
I noticed that someone else provided an email address for the HHS Office of Civil Rights (OCR).
Here is what a quick Google search turned up from the HHS website:
"HHS' Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR's enforcement activities have obtained significant results that have improved the privacy practices of covered entities"
I had a similar experience with Hope Connections in Bethesda Maryland. They wanted more information from me that I was comfortable giving, but I did it anyway, against my better judgment as an IT professional, because I wanted their services. Later, I had a bad experience with them and regretted having any dealings with them. I tried to get them to delete my private information, but they totally ignored me.
Yes, I think this is a serious matter, and I do think it should be prohibited.
I agree that this is a kind of predatory practice that exploits people in a vulnerable situation. I imagine that money is the motivation. I found out that Hope Connections has its offices in the Grosvenor Mansion in Bethesda Maryland. The building was formerly the summer home of a 19th-century robber baron. It is 14,000 ft.² of high-end real estate in the middle of a very expensive city. I don't know how much they paid for it, but it must have been many millions of dollars. It is a red flag for me when a so-called charity has its offices in a literal mansion.
Besides the Office of Civil Rights, I would encourage you to write your representative in Congress, because this might require a legislative remedy. You have inspired me to do so also.
As an IT person, you can also appreciate another level of undisclosed threat to personal privacy. First, even virtual viewers, were required to provide deep personal+ private information. There were fill in the blank questions plus pull down menus that required data entry and option selection. Doing so also gave them expressed permission to release your information inc your photo if captured, for their use. Those attending in person, which were thousands, received conference badges w barcodes. The charity then had prize drawings. The action of entering this lottery was having your badge scanned at a number of exhibits and vendors. Now, let's call this out for what it is: the scanned badges transfer their data to the vendors and exhibitors. This is obvious to me. And probably few ppl understood that. Which makes this deeply cringeworthy to me. And the winner had her photo, name and more emailed out to all, under subject "Winner of ______(medical condition) drawing. No permission was required.
To me, this entire approach is cringeworthy predation. The people who need this charity, which is a legitimate and very helpful one, have received one of the worst diagnoses and are truly frightened and desperate people. They range from young children to the elderly. It's such a disproportionate power field. Most would not give a second thought to giving any and all information for the opportunity to hear a doctor present the latest medical advancement or learn about the latest clinical trial they may have a chance to get into. At such a limitless cost. Your entire personal and medical information.
I hope the right to Medical PRIVACY is extended to sources beyond clinical settings. I recently read a poll in Medscape asking if readers (medical professionals) thought patients should have the right to selectively have withheld certain information contained in their electronic medical records. So the issue of medical privacy and control of information is an issue whose time may have come for reevaluation, policy, and legislation. I encourage you to pursue change bc you have IT knowledge, which is core of medical privacy.