What makes you think it isn't already?

Hospitals & doctors outsource, and as long as the provider is HIPPA compliant (which AWS is[1]), your data is probably out there already.

[1] http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final....

What's the threat model?

Careless or corrupt health staff releasing my information without my permission? Well, it doesn't really matter where the data is stored.

What's the difference? We trust such data to be in all sorts of insecure places. Do you really think one of the low payed secretaries at a medical office isn't easily bribable? Or that every IT system your data eventually touches has Bruce Schneier doing their security?

All the people I wouldn't want to have access to my medical history (governments, insurance companies, and doctors) already do. Ditto for shopping data. The legal/security front for that sort of data is entirely pointless, as the bad guys are authorized parties, so you may as well save some money by putting it in the cloud.

There were always only two defensible privacy fronts: keeping the data off electronic records or filling the records with shit.