Should individuals and organizations with access to the databases be identified to the patient?

Yes.