Security is perception. If you think record are safe in a doctors office, you think again. Paper records can and are view by many people and sometimes these people that are not authorize. Paper records are carried in briefcases, left in cars, and at nurse station with no way to know who has been looking at them. Electronic records are carried around on PC by staff and are vulnerable to many intruders from different sources if not property secured. So, privacy and security, not so much.
.
A PHR (Personal Health Record) is your record to do as you will. If you want to store it on Google Health, MS HealthVault or on a napkin that is your decision. It is true that these two PHR are in the cloud (hosted client webapp system) but this has nothing to do with security or control. As with any system, security and control is based on the policies of the entity that you are using to store your records. Whether the entity honors those policies is a another story and must be controlled the same way banking or stocks are governed.
Are PHR a threat to privacy? They are no more of a threat than any other record or information. It does depend on how it is managed and the policies to govern them. Again, this is about trust in the organization that is holding your records. As a person that has been working with cloud security for many years. It is very safe under the correct supervision and control.
PHR services such as Google Health and MS HealthVault currently do not charge for their services so they will have to find another model to generate revenue. This is were there could be a problem with privacy and conflict of interest.
My recommendation is Health Banking where the patient pays to store their records and they own and controls the use and access.
Jeff Brandt CEO motionPhr for the iPhone and MyMobileMedBox for Android
Right now your health records are private.
Electronic Health Records (EHRs) are held by your doctor and your hospital. (Picture by John F. Blankenhorn. Yes, my son.)
Disclosure is subject to a strict federal law, called HIPAA. Violations are punished severely. When the “Octomom” had her records compromised early this year 15 people were fired, and the hospital drew nearly $500,000 in fines.
Google, Microsoft, and health reformers generally have another idea.
Copy those records to their clouds, they say, and give you control over them. Thus Google Health and Microsoft HealthVault products are called “Personal Health Record” (PHR) systems.
The rules of EHRs and PHRs, then, are different. Stepping across that threshold sounds easy. In practice it isn’t.
The difference was on full display last week when Google and Microsoft executives appeared before David Blumenthal, the National Coordinator for Health Information Technology (NCHIT) and Aneesh Chopra, the nation’s Chief Technology Officer (CTO).
Make EHRs compatible with Web standards so we can turn them into PHRs, said Google CEO Eric Schmidt and Microsoft chief strategy officer Craig Mundie.
Not so fast, said the bureaucrats. Blumenthal seemed to think this was beyond the scope of his work. Chopra wondered whether consumers should not be satisfied with a “summary” of their records.
The issue has also crossed the pond where David Cameron, leader of the Conservative Party, got into a public spat with David Davis, once a candidate for leadership himself, over the issue.
Put simply Cameron stood for access, Davis for privacy.
Which leads to this very non-partisan question. Are PHRs a threat to privacy? Can we put such records into the clouds and maintain control over them?
As you pointed out Dana, the bureaucracy?s response to HIPAA has been to put EHR into a ?Lock Box?, just to be original here. 
By the way, did the Veterans Health Administration get an exemption from HIPAA? I?ve read that veterans EHR are available at any VA facility.
