Many moons ago, before departing the Silicon Forest for the Ivory Tower, I worked for a company that was trying to design a way for patients and doctors to have internet office visits. Several large companies in my field has discovered that most of the time they lost to employees going to the doctor was spent in driving and waiting. The obvious solution was to make little internet kiosks on campus, where you could video conference with your doc. It was an interesting idea, although a bit ahead of its time.
Speaking from long hours of personal experience and many HIPAA-induced headaches, generating compliant security online is a constantly shifting game of playing catch-up. The technology is constantly changing, and what is cutting edge today will be obsolete security next week. Online medical records, in any sort of centralized system, is going to require not a couple of people doing security, but an entire department of health record security, able to mobilize on a moment's notice to protect those records.
Right now, it sounds like what we have is a far cry from that, and I'd be highly apprehensive of any effort to import my medical records into their currently existing "system".