The advent of electronic medical records and health information exchanges has facilitated the possibility of patients exercising increasingly granular control over sensitive health information. In principle, patients should be able to control which of their health information is made accessible to which of their healthcare providers. To meet this goal, the architects of any system of granular control of patients' health information face a variety of challenges. In addition to technical, ethical, and prudential considerations, the architects of any effective system must also ensure compliance with applicable legal requirements. The extent of a patient's permissible control depends upon whether governing law prohibits providers from disclosing health information to other providers without a patient's authorization, permits providers to disclose to other providers at the provider's discretion, or requires such disclosure. To inform efforts to design a viable system, this article analyzes U.S. federal and state (Arizona) law in regard to the sharing of the following types of sensitive health information: substance abuse, mental health, genetic, communicable diseases, and sexual and reproductive health.