The push toward electronic medical records has made storing personal health information in a locked filing cabinet in your doctor's office an outmoded guarantee of confidentiality. Today, patients can gather their jumbled health information—hospital visits, drug prescriptions and health insurance plans—and manage them through a number of different online services, including Google Health, Microsoft's HealthVault and AOL co-founder Steve Case's Revolution Health.



Privacy advocates, however, point out that even though these companies are storing sensitive medical information, they are not bound by the strict data sharing and protection laws that govern the health care industry. The 1996 Health Insurance Portability and Accountability Act (HIPAA) regulates how health care entities, such as insurance companies and hospitals, exchange an individual's health information, but the law does not apply to personal health record storage services, according to the U.S. Department of Health and Human Services.



Because there are no laws that directly protect a user's online health information, all of the vendors who sell weight scales and/or blood glucose and pressure monitors that can send data directly to services like HealthVault set their own privacy policies, which means some will be weaker than others. "There isn't anyone to regulate the security and privacy of the personal health information records," says Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, a nonprofit Washington, D.C.–based public advocacy group that focuses on the impact of technology on individual rights. "It is not a very good landscape for consumers in regards to very sensitive health information."