We propose to apply the requirements of this rule to the subset of individual identifiable health information which is maintained or transmitted by covered entities and which is or has been in electronic form. The provisions of the rule would apply to the information itself, referred to as protected health information in this rule, and not to the particular records in which the information is contained. Once information has been maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists (while it is held by a covered entity).
We understand that our proposal would create a situation in which some health information would be protected while other similar information (e.g., health information contained in paper records that has not been maintained or transmitted electronically) would not be protected. We are concerned about the potential confusion that such a system might entail, but we believe that applying the provisions of the rule to information only in electronic form would result in no real protection for health care consumers. We have requested comment on whether we should extend the scope of the rule to all individually identifiable health information, including purely paper records, maintained by covered entities. Although we are concerned that extending our regulatory coverage to all records might be inconsistent with the intent of the provisions in the HIPAA, we believe that we do have the authority to do so and that there are sound rationale for providing a consistent level of protection to all individually identifiable health information held by covered entities.