I think what you may be saying is that, in the event of an improper disclosure, all people and organizations that improperly received the Protected Health Information (PHI) should be disclosed, upon request, to the patient, to the extent that they are known. Also, the Covered Entity (CE) is required to take all necessary steps to mitigate such a disclosure, and the first, most obvious step is notifying the patient.
However, if you share PHI for purposes of medical necessity (and this can be simply a consult), you don't need permission, nor do you need to record it unless, for medical reasons, the result of the consultation needs to be added to the chart (although recording consultations is a pretty common medical best practice). Likewise, limited disclosures (involving the Minimum Necessary PHI) to other non-caregiving CEs need not be disclosed, as long as the reason for the disclosure is for Payment or Operations (of the CE). This means the disclosure, to warrant this relief from informing the patient, needs to be to a CE or another company bound by a Business Associate's Agreement (which binds non-CEs to follow HIPAA, and is enforced at the civil level), and fall under the Payment or Operations headings.
This is a VERY brief explanation of HIPAA and disclosure, and is by itself NOT sufficient to protect a CE or a patient -- and is offered here only as a partially informative description.