2 points by speckx 3 hours ago | 1 comment
  • bill_mcgonigle 3 hours ago
    I had a brief conversation with a family member's provider about this recently. She hadn't considered that fly-by-night SaaS providers often have atrocious infosec and she had thought of it all as upside; her company had asked her to do it (with consent). The opt-out was easy but no other patients had declined before. On the other hand, another provider's after-visit notes are always full of mistakes and need correction, which is fairly important in tracking longitudinal progression of degenerative conditions. We didn't even get into data backup SOPs, obviously, but on my systems I would need to take special care to ensure that production data wasn't restorable to a snapshot for at least two years, and it's hard to imagine folks who don't secure their S3 buckets are doing this right. "It's complicated." Third-party certification is likely needed.