This is possibly one of the most short-sighted discussions I've ever heard on Cloud-based security and encryption standards. I work for the marketing department at an academically based healthcare system in the United States. When I started using Evernote, I was still in the commercial real estate field. Evernote was my GTD life saver. And then, no more. Had to stop using it, which kills me because it could be so terribly useful for blogging, marketing plans, meeting notes, etc.

One forum member wrote in another post, "It would be unusual for any commercial organisation to focus so specifically on one narrow potential market unless there were obvious potential substantial returns." This, frankly, took my breath away because healthcare is a narrow market, like the Amazon is a narrow river. And if it's so "narrow", why have Box.com, Microsoft OneNote, Huddle.com and Backupify gone HIPAA compliant? Because when you're HIPAA compliant, all users benefit from tighter encryption and data standards. That and by not supporting the HIPAA compliance requirements of the medical market, those companies realized they were leaving money on the table by turning their backs on close to 8 million healthcare workers in the U.S., which does not count all the back office people like me. Just think of all the physical therapists, behavioral therapists, psychologists, case workers...hell, even the chaplains, who could make use of this.

Now that Evernote is pursuing the business community and making announcements about app integrations like FileThis which allow you to effortlessly store financial data in the software, Evernote will feel an increasing pressure to deliver more stringent encryption and security standards.
It will be such a shame that the company that provided the most engaging UX, best compilation of features and the greatest collection of ancillary products like Post-it and Moleskine, could ultimately lose dominance because it considered itself "too cool for HIPAA" or too arrogant to think that offering a solid encryption and security standard would be important to their customer base. Unless there's a good financial reason why they aren't pursuing HIPAA, which implies some chilling arrangements.

I'll give them the benefit of the doubt, and assume they're sinning on the side of arrogance (and not strategic information access arrangements). Here's some information on HIPAA security information that 2 seconds with a Google search engine turned up.

http://resource.onlinetech.com/encrypting-data-to-meet-hipaa-compliance/

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.p

Get with the program.