Comment: Some commenters stated that privacy concerns would be significantly reduced if patient information is not stored electronically. One commenter suggested that consent should be given for patient information to be stored electronically. One commenter believed that information stored in data systems should not be individually identifiable.
Response: We agree that storing and transmitting health information electronically creates concerns about the privacy of health information. We do not agree, however, that covered entities should be expected to maintain health information outside of an electronic system, particularly as health care providers and health plans extend their reliance on electronic transactions. We do not believe that it would be feasible to permit individuals to opt out of electronic transactions by withholding their consent. We note that individuals can ask providers and health plans whether or not they store information electronically, and can choose only providers who do not do so or who agree not to do so. We also do not believe that it is practical or efficient to require that electronic data bases contain only de-identified information. Electronic transactions have achieved tremendous savings in the health care system and electronic records have enabled significant improvements in the quality and coordination of health care. These improvements would not be possible with de-identified information.