Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.
Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.
I'm not sure I'm all in for that statement. Almost all EMRs these days have pretty robust security controls, and it's rare that celebrity patients come in on unplanned visits where that "all access" kind of response is necessary. Where it is, it's usually handled in the ED, where the expectation of privacy is necessarily low. In the case that the patient is a regular admission, a pre-admit for a procedure/care, or anything other than getting hit by a bus or other trauma, there are well-established practices that protect their identity.
For instance, my last employer had a case where a celebrity's wife came in for Labor & Delivery. The hospital admitted her under a pseudonym, and only her direct caregivers knew the true identity. An audit trail and special VIP protections were placed on her record, so that staff had to electronically "sign" and state a reason why they needed access to her chart if they weren't in the direct care group. For all intents and purposes, she was well protected.
The problem came in when billing entered the picture. You can't bill against a pseudonym, and the local papers broke the story soon after she delivered. Once she left the hospital, her pseudonym was replaced by her real name, and her chart was promptly accessed over 200 times by various personnel across the hospital. In the next week, five people were fired outright for unauthorized access, and about a dozen put on disciplinary action because we couldn't fully prove that their access was unnecessary, if suspect. In an ideal world, the system would have been able to bill out under the pseudonym with the identity correction occurring downstream, but people still talk and the cover would get blown eventually anyway.
Does this anecdote have a point? I'd like to think so: it's that there's only so much mitigation you can do, but a lot of hospitals and EMR vendors could certainly do more. There will always be people like me who have god-like access by necessity though, and as long as that exists, there will always be the potential for abuse and information leaks. I think the real benefit of electronic systems is that, previously, if someone absconded with the paper chart, there was no way to tell who accessed it. Even I leave entries in the logs, and there's pretty close to no way to effectively "leave no trace" of my presence in the system. The biggest benefit of modernization is accountability, but real privacy is a pipe dream that people need to abandon.
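The post-hoc audit review described in this thread, as an added example that is not code from any poster or EMR vendor: it assumes a constructed pipe-delimited access log and a constructed VIP registry (flagged record to direct care group), separates attested break-glass reads from unattested ones by users outside the care group, and flags the burst of distinct outside users hitting one chart that follows a cover being blown.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit log: timestamp|user|patient|reason (empty = no attestation).
SAMPLE_LOG = """\
2024-03-01T08:02:11|u101|MRN-VIP-7|
2024-03-01T08:05:40|u102|MRN-VIP-7|
2024-03-01T09:12:03|u250|MRN-VIP-7|consult requested by attending
2024-03-01T09:13:50|u311|MRN-VIP-7|
2024-03-01T09:14:30|u313|MRN-VIP-7|
2024-03-01T10:00:00|u311|MRN-0042|
"""
# Constructed VIP registry: flagged record -> users in the direct care group.
VIP_CARE_TEAMS = {"MRN-VIP-7": {"u101", "u102"}}


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, patient, reason = line.split("|", 3)
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "patient": patient, "reason": reason.strip()})
    return events


def classify(event, care_teams):
    """ok: unflagged record or care-team user; break_glass: outsider with a reason; unattested: outsider without one."""
    team = care_teams.get(event["patient"])
    if team is None or event["user"] in team:
        return "ok"
    return "break_glass" if event["reason"] else "unattested"


def review(text, care_teams, window_s=300, threshold=3):
    """Return (Counter of (user, label) for non-ok reads, set of charts hit by >= threshold outsiders within window_s)."""
    verdicts, outside, bursts = Counter(), {}, set()
    for ev in parse_log(text):
        label = classify(ev, care_teams)
        if label != "ok":
            verdicts[(ev["user"], label)] += 1
            outside.setdefault(ev["patient"], []).append(ev)
    for patient, evs in outside.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(users) >= threshold:
                bursts.add(patient)
                break
    return verdicts, bursts
```

Break-glass entries are kept as a separate label rather than dropped, since an attested reason is exactly what a reviewer reads afterwards to decide whether the access was justified.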