My view is that they get this answer because of the way they ask the question, but more specifically because everyone fears the unknown. There is very little evidence that the move to EHR will result in more privacy violations. YES, there is some evidence, and when a violation happens it usually involves either large numbers of patients or very specific high-value patients. But these kinds of things happen, and is it really made worse by EHR or even HIE? I think it is, but I don't think that is the problem.
Here is a good skeptic post on HISTalk
There is good reason for patients to worry. With financial breaches, the bank is compelled to limit the damages. The banks offset this through technology that makes revocation of credentials fast and effective, and also by managing the likelihood of the risk through the use of insurance. These same factors are simply useless in the case of health data. First, there are no equivalent regulations requiring those responsible for a breach to make the breached individual whole; yes, there are some weak regulations, and I am happy that HHS is posting the big offenders. Second, there is no way to revoke health information. Health information consists of facts (or observations) about the patient. These facts can't be revoked. So there is not really any way to fix the problem after the fact.
There are actually some really important privacy factors that can only happen with EHR use. These are the privacy factors of patients' access to their health data and of patients providing their preferences. These could be done in the paper world, but they are so expensive there that I will assert that they will only happen as we move to an EHR.
There is also simply too much FUD (Fear, Uncertainty, and Doubt). Much of this FUD is based on true and realistic concerns. I am just worried that we are being overly concerned, without a track record of true harm. I am not saying that we should let things happen so that we can observe privacy violations in the wild. I am simply saying that, naturally, the patients who participate with EHR, PHR, and HIE are those who can see a benefit that THEY see as more helpful than the RISK. Those who are not convinced should be allowed to not participate, or be flagged as being very concerned.
For example: Army Mental Health Providers Not Entering Data Into EHR System