Accessing PHI through a patient portal is much trickier than just granting access to an individual. There are laws (HIPAA in the US) that govern what data can be accessed and how it can be accessed.
With that said - the biggest issue for a patient portal is how to identify and validate the patient. So - you try to login to the portal but there is nothing available that says you are 'Grant Fritchey'...and worse - that you are patient MRN12345678 with the same name in the EHR/EMR system.
It gets even worse - there could be several patients with the same name but different DOB, address, etc... Which one are you and what happens if we associate you with the wrong patient record? And what happens if someone gets enough information about you to identify themselves as you (name, address, dob, sex, state/local ID, SSN)? That person would now have access to all of your patient data - lab results, diagnoses, procedures, medications, etc...
So yeah - it seems to be locked down too tight, and maybe it is - but I would much rather have PHI and PII data locked down too tight than the possibility of that data being accessed by someone else.