Though not overtly stated, medical records are implied here. Just wanted to toss in my $0.02 that PHI (personal health information) has a standard of deidentification that renders it immune to Narayanan and Felten's reidentification methods: location, for starters. Here is the relevant HHS standard in that case for removing patient identifiers:
(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
The larger PHI deidentification standard is here.
Still I think it would be naive to think that reidentification were 'impossible' given enough data points. But is absolute what we need, or is this a risk analysis cost/benefit type situation? The number of lives lost because PHI isn't easily shared clinically or for research purposes is staggering. This is public record (i.e., "To Err is Human", 1999).
This is a societal problem and issues on privacy hinder the flow of clinical and research-based health information. This will get worse when genomics information becomes readily available. Though healthcare is regulated to a far greater degree than any other sector and our data privacy standards are higher, the fear over privacy is palpable to people that otherwise have no beef (other than bitching -> actions not words) with the Facebooks, the Googles, and the Visas of the world.
So it's a hurdle. And it's a hurdle that impedes medical progress. Balancing privacy and the need for information is something society needs to address. But in HC the fear is so overblown and the regulations so onerous that I see us coming very close to an 'opt-in' scenario re patient data. Right now technically this is the case, but it isn't the case in practice (patients aren't educated enough to be stewards of their own PHI). This is even more likely in the case of 'personalized medicine' which I see as both the advent of personal health records (PHR) but mostly the coming of genomics. In theory patients control their own data, but in practice somebody else does (possession being 9/10 of the law). With genomics data it's the opposite in terms of possession. The patient both owns and possesses the data and submits that data for the benefit of their own diagnostic outcomes at their own discretion.
So I see real 'opt-in' (not HIPAA 'opt-in') becoming a force in HC and the tipping point occurring (patients willingly submitting personal information including genomics data) when the research shows far greater outcomes in the cases of more precise information. While encouraging the free flow of information would get us there quicker, from an insider's perspective, I don't see that as likely.
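The ZIP code rule quoted in the comment above, worked through as an added example (not part of the original comment and not HHS code). The population figures, field names and function names are constructed for illustration; a real pipeline would load current Census data, and suppressing unparseable or unknown ZIP codes to 000 is an assumption of this sketch.

```python
import re
from collections import defaultdict

THRESHOLD = 20_000  # rule (1): the unit must contain MORE than 20,000 people
GEO_FIELDS = {"street", "city", "county", "precinct", "zip"}  # hypothetical field names

# Constructed ZIP5 -> population figures (illustrative, not Census data).
SAMPLE_POPULATION = {
    "10001": 21_000, "10002": 74_000,  # prefix 100 -> 95,000
    "05901": 300, "05902": 450,        # prefix 059 -> 750
    "82001": 12_000, "82007": 8_000,   # prefix 820 -> exactly 20,000
}

def zip3_totals(zip5_population):
    """Combine all ZIP codes that share the same three initial digits."""
    totals = defaultdict(int)
    for zip5, people in zip5_population.items():
        totals[zip5[:3]] += people
    return dict(totals)

def generalize_zip(raw, totals):
    """Return the 3-digit prefix if the rule permits it, otherwise "000"."""
    m = re.fullmatch(r"\s*(\d{5})(?:-\d{4})?\s*", str(raw))
    if not m:
        return "000"  # assumption: malformed input is suppressed, never passed through
    prefix = m.group(1)[:3]
    # A prefix with no population evidence is treated as a small unit.
    return prefix if totals.get(prefix, 0) > THRESHOLD else "000"

def deidentify(records, totals):
    """Copy each record, dropping sub-state geography except the generalized ZIP."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in GEO_FIELDS}
        kept["zip3"] = generalize_zip(rec.get("zip", ""), totals)
        out.append(kept)
    return out

if __name__ == "__main__":
    totals = zip3_totals(SAMPLE_POPULATION)
    rows = [  # constructed sample records
        {"dx": "J45", "city": "Example City", "zip": "10001-1234"},
        {"dx": "E11", "county": "Example County", "zip": "05901"},
        {"dx": "I10", "street": "1 Example St", "zip": "82001"},
    ]
    for row in deidentify(rows, totals):
        print(row)
```

The threshold applies to the combined population of every ZIP code sharing the prefix, so a single ZIP code with more than 20,000 residents is not what keeps a prefix, and a prefix totalling exactly 20,000 is still changed to 000.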