What is a health information exchange (HIE)?

Purpose of health information exchange

The main purpose of HIE is to facilitate appropriate, timely and secure access and retrieval of a patient's health information among various healthcare professionals (and sometimes patients). Through HIE, different kinds of clinicians -- such as physicians, social workers and nurses -- can access patients' vital medical history and other useful information. They can also confidentially share the information with other providers. In doing so, they can coordinate patient care, improve diagnoses, deliver interventions and treatments tailored to a patient's unique medical needs, avoid duplicate tests and treatment, and even avoid costly mistakes that can financially affect the organization or put patients' health and lives at risk.

Furthermore, electronic HIE can help standardize patient data. Standardized data is easier to integrate into a patient's electronic health record (EHR). This helps create a fuller picture of a patient's health status, which then enables healthcare professionals to deliver higher-quality, safer care to patients. Overall, the appropriate, secure, timely, standardized and regulatory-compliant exchange of health information is meant to improve the cost, quality, safety and speed of patient care.

Benefits of HIE

HIE helps enable care coordination among diverse healthcare providers. The U.S. Agency for Healthcare Research and Quality (AHRQ), created when former President Bill Clinton signed the Healthcare Research and Quality Act of 1999, defines care coordination as "deliberately organizing patient care activities and sharing information among all of the participants concerned with a patient's care to achieve safer and more effective care." The "sharing information" part is where HIE comes in.

HIE enhances communication among healthcare providers. It ensures that the right clinicians have a more complete, up-to-date view of the patient's health history at the right time. This bigger and detailed picture is vital to provide safer and more effective care, which is then crucial to ensure better health outcomes for the patient. For instance, a cardiologist caring for a heart failure patient would need to know if the patient had been treated for cancer previously, as that knowledge could shape their treatment plan. Alternatively, HIE enables a primary care physician to share an electronic prescription with the patient's pharmacy to support medication compliance. Timely and reliable HIE also helps providers to reduce the risk of errors (e.g., in medication, diagnoses or treatments), and minimizes the need for duplicate treatments, unnecessary tests and readmissions.

Other potential benefits of HIE include the following:

• Increases providers' efficiency and effectiveness by facilitating fast and appropriate sharing of vital patient information.
• Reduces or eliminates unnecessary documentation (for both providers and patients) and health-related costs.
• Enables providers to provide better, more tailored care that can improve patients' overall health outcomes.
• Informs and improves decision-making at the point of care.
• Facilitates interoperability among EHRs maintained by different providers (physicians and organizations).

HIE also helps to improve patient knowledge and engagement. Easier access to their own medical information empowers them to have more substantive discussions with providers about their health concerns and status. Access to the same information at the same time -- and then reviewing the information during visits -- improves patient-provider communication so they can participate in joint decision-making regarding treatment plans, medications, future visits, preventive care and more. In this way, patients can take a more active role in their own care. With HIE, patients can also inform providers if some information is incorrect or missing, thus helping to prevent costly and potentially dangerous medical errors.

Beyond the realm of direct patient care, HIE can help to close the gap between scientific research and clinical practice. Researchers rely on aggregated data from clinical care to identify patterns and recommend appropriate steps to deliver more effective care and treatment.

HIE also has benefits for broader populations. For one, it can be used to improve population health. Some public HIEs collect data from multiple healthcare facilities -- hospitals, ambulatory practices, labs, etc. This information, along with detailed reports, can help health agencies to monitor and manage the health status of certain cohorts (e.g., HIV-positive populations) in a given geographic area (e.g., a state). The agency can also use the data to design and deliver public health initiatives to provide necessary therapies and improve health outcomes for that cohort.

Forms of health information exchange

There are three main forms of HIE:

Directed exchange

This method involves the exchange of patient health information between healthcare providers who know and trust each other, with the goal of coordinating their efforts and providing better care to the patient. This information can include some or all of the following:

• Laboratory orders and results.
• Patient referrals.
• Details about medications.
• Electronic care summaries.
• Discharge summaries.

Providers also use directed exchange for sending immunization data to U.S. public health organizations, such as the Department of Health and Human Services (HHS), National Center for Health Statistics (NCHS), National Institutes of Health (NIH), Centers for Disease Control and Prevention (CDC) and so on. Clinicians also use directed exchange to report quality measures to the Centers for Medicare & Medicaid Services (CMS), a U.S. federal agency that oversees federal healthcare programs.

When exchanged electronically, directed HIE must always occur in an encrypted, secure manner to protect patient privacy and safeguard their information from misuse. Moreover, when done in a timely and reliable fashion, directed HIE removes the need for redundant information collection.

Query-based exchange

This HIE method is used when providers need to request information about a patient to provide unplanned care. Examples of unplanned care include emergency room visits and unexpected pregnancy complications.

In these cases, clinicians like emergency physicians and ob-gyns might need to treat patients they have never cared for previously, nor do they have access to their medical history. They would then use query-based exchange to access crucial information that would inform diagnoses and care-related decisions. This information might include the following:

• Current medications.
• Radiology images (CT, X-ray, MRI, etc.).
• Medical conditions.
• Prenatal care records.

Consumer-mediated exchange

This method is meant to help patients to aggregate their health information and control its use among various providers. In doing so, they can proactively track and monitor their health and actively participate in their own healthcare coordination, decisions and outcomes. They can also identify and correct wrong or missing information regarding their health or healthcare billing, thus helping providers to avoid costly and potentially life-threatening mistakes and address gaps in care delivery.

Public HIE architecture types

A public HIE is an organization that facilitates the electronic sharing of patient health information among different healthcare organizations, usually within a specific geographic region. Developers of health information technology (health IT) are also considered HIEs.

Most public HIEs are structured along one of three architecture types to facilitate information exchange:

• Federated (also known as decentralized).
• Centralized (also known as local level).
• Hybrid.

The architecture determines how data might flow within public HIEs, as well as how they manage and secure data and protect patient privacy.

Federated model

In a federated model, health records are stored in independent databases or repositories. Each healthcare organization or provider maintains ownership of and control over its own repository; access to the health record within that repository is granted to authorized users as needed.

This model allows individual organizations to access data in real time, which can be critical during emergencies. In addition, they retain ownership and maintain better control over their data. These aspects are crucial to ensuring data security and compliance with privacy laws.

These benefits notwithstanding, federated HIE makes data exchange more complex. Interoperability issues across multiple repositories are common, which can hinder information sharing and care coordination.

Centralized HIE model

In a centralized HIE model, health records are collected from different health organizations in the HIE and stored in a single database known as a clinical data repository (CDR). The HIE member organizations can access the CDR uniformly, while a designated HIE authority collects and maintains the data within the CDR.

Since storage is centralized, this model allows for fast access to clinical data. It also improves data oversight and governance. This enhances accountability, facilitates usage audits and makes it easier to implement uniform security and compliance measures.

Conversely, it can be costly to set up a centralized HIE due to the upfront investment required in technology and infrastructure. Data mismatches might occur if member HIEs do not use unique patient/data identifiers. These mismatches can negatively affect patient care and health outcomes.

Hybrid model

A hybrid model combines centralized and decentralized aspects. HIE member healthcare organizations can determine which data elements to store locally while maintaining other information in a federated repository. In doing so, they can both retain control over their data, while also participating in timely information exchange with other organizations.

Since this model leverages both local and centralized data access, it is suitable for supporting population health initiatives. Moreover, it is more scalable than the other two models, so more organizations can be accommodated as healthcare information and needs evolve.

How data is stored and shared in HIEs

There are two methods of data exchange in HIE: push and pull.

When a message or document, such as a lab result or physician referral, is sent from one participant to another, this is called a push, point-to-point or transactional data exchange. In this method, the recipient makes the request, the sender initiates the transfer and the requested data is then electronically deposited in the recipient's system, such as their clinical inbox.

In contrast, when a healthcare provider actively accesses a system and then queries it to find a patient's health information, this is called a pull exchange or multisource data acquisition. This HIE method aggregates data from multiple sources to provide a more comprehensive medical record for a patient with a single request. The provider requesting a patient's medical records must have the patient's consent before they can request that information.

HIE governance and exchange standards

In 2004, the Office of the National Coordinator for Health Information Technology (ONC) -- which in 2024 was renamed the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) -- created the Nationwide Health Information Network (NHIN or NwHIN). The NHIN was meant to provide a mechanism and conventions for the nationwide exchange of health information and its meaningful use.

Federal agencies, HIEs and healthcare providers agreed to adopt NHIN standards for secure HIE at local, state and national levels. They also agreed to support common web services and data content for private and interoperable HIE across the public internet. NHIN became known as the eHealth Exchange in 2012.

In 2018, eHealth Exchange became an independent, nonprofit organization. As of 2025, it is the largest healthcare information network in the United States. One of its key components is the eHealth Exchange Hub, which is not a repository of patient information but rather a facilitator of interconnections among organizations participating in HIE. In addition, eHealth Exchange provides a single API that allows participants to exchange information with minimal expense and complexity.

Compliance with HIPAA and other laws

All HIEs must comply with HIPAA rules and regulations. HIPAA is a U.S. federal law meant to protect the privacy and security of patient health information. Healthcare organizations are considered covered entities (CEs) or business associates (BAs) under HIPAA when using HIEs, so they are also required to comply with HIPAA's Privacy Rule and Security Rule.

Administered by the HHS, the HIPAA Privacy Rule establishes a federal baseline that is applied consistently to HIPAA CEs and BAs across all 50 U.S. states, but it does not preempt state laws that place greater privacy rights and protections on the information in an exchange.

Per the HIPAA Privacy Rule, CEs and BAs can disclose ePHI to an HIE for the purpose of reporting to a PHA without asking for prior individual authorization, as long as it is for public health purposes or the disclosure is required by law. That said, the disclosure must be limited to the minimum necessary information to achieve the stated purpose only.

In order to maintain HIPAA compliance in the context of HIE, healthcare organizations should perform comprehensive risk assessments to identify HIE-based vulnerabilities. It is also advisable to define policies and procedures governing HIE use, data access and security measures. Additionally, stringent measures to obtain patient consent and restrict ePHI access are crucial to comply with HIPAA and protect patient data. Finally, organizations must implement comprehensive breach response plans to respond to data breaches involving the electronic exchange of health information.

The HITECH Act strengthens the privacy and security provisions of HIPAA. It requires EHRs to be connected in a manner that facilitates electronic HIE to improve care quality. HITECH also enables the expansion of state-run HIEs and includes provisions to enable more efficient and secure information sharing -- leading to more coordinated care between providers.

Most U.S. states have an opt-in or opt-out consent policy for participation in an HIE, although there are some states that have no policy.

In states with an opt-out policy, patients might be automatically enrolled in the HIE, but they can choose to decline having their information stored in or disclosed by the HIE.

Opt-in states require patient consent before patient health information can be stored in or disclosed by the HIE. There might also be additional requirements, such as an opt-in for sensitive ePHI or an opt-in to allow a new healthcare provider to access ePHI.

According to the American Health Information Management Association, several other laws affect HIE:

• Privacy Act of 1974.
• Family Educational Rights and Privacy Act.
• Gramm-Leach-Bliley Act.
• Food, Drug, and Cosmetic Act.

Challenges with HIE

Health information exchange, although useful for care providers and patients, is not without its challenges. In a 2014 report to Congress, the U.S. Government Accountability Office (GAO) found four specific challenges after surveying multiple healthcare providers in the United States:

• Insufficient standards. Standards for electronically exchanging information within EHRs exist, but some providers reported that the standards were insufficient in some areas. GAO concluded that information that is exchanged electronically between providers must adhere to consistent standards in order to be correctly interpreted and used in the EHR.
• Variations in privacy rules. Providers reported that exchanging health information with clinicians in other U.S. states can be difficult because of variations in state privacy rules and a limited understanding of those variations.
• Difficulties accurately matching patients to their health records. Providers reported that they were sometimes unable to accurately and efficiently match patients to their records when exchanging health information electronically. This problem of incorrect patient matching creates record-keeping issues for healthcare organizations, which can result in clinical inefficiencies and, more importantly, increase safety risks for patients.
• Cost of exchanging health information. Some providers reported challenges covering the costs associated with HIE, including upfront costs of purchasing and implementing EHR systems, fees to participate in state or local HIE organizations, as well as per-transaction fees some HIE vendors charge.

The risk to patient privacy is another key barrier to HIE adoption. Although laws such as HIPAA impose strict standards to ensure that healthcare organizations safeguard patient data, the risk of data breaches remains high. A single vulnerability in a single system -- belonging to a healthcare provider, an HIE organization or even a third-party vendor -- can attract hackers looking to steal sensitive ePHI for malicious purposes.

Since identifying these issues, the GAO has been working with CMS and ASTP/ONC to develop and prioritize actions to advance HIE in the United States and to maximize its benefits for both providers and patients.

Notable breaches involving HIEs

The exchange of confidential and potentially sensitive data, such as patient data, brings with it the risk of data breaches. These breaches can occur through human error, unintended access or malicious actions like hacks and cyberattacks.

One such breach occurred in July 2016. The Codman Square Health Center in Dorchester, Massachusetts, reported that a person accessed the PHI of over 3,000 individuals using an HIE -- the New England Healthcare Exchange Network (NEHEN) -- without proper authorization. The individual, an employee of an outside vendor, used a Codman employee's credentials to get into the HIE and, ultimately, obtain access to patient information, such as names, genders, dates of birth, medical insurance coverage information and, in some cases, their Social Security numbers.

The health center suspended or terminated all employees involved in the incident and also notified all the patients whose information was compromised. These individuals included Codman's own patients as well as thousands of other patients in the HIE.

Also in 2016, Banner Health, an Arizona-based HIE, experienced a data breach when cybercriminals gained access to one of Banner's private servers. This resulted in the compromise of sensitive patient information -- including their names, addresses, birth dates and insurance data -- and even some physician information. The incident affected over 3 million patients, raising concerns about the safety of patient privacy and the security of HIE.

More recently, other HIEs have experienced breaches that exposed the data of millions of patients and put their privacy at risk.

In May 2020, Trinity Health, a healthcare delivery system that serves diverse communities across 26 U.S. states and also participates in HIE, blocked a ransomware attack attempt -- but not before the cybercriminals were able to successfully exfiltrate the information of over 3 million patients. Trinity suffered another breach in 2021. This incident affected over half a million patients. In both cases, the attackers targeted Trinity's third-party vendors or software. The compromised information included patients' full names, addresses, medical record numbers, lab results, medications and certain financial information.

In January 2022, Broward Health, a Florida-based hospital network that participates in a national HIE, suffered a data breach that compromised the data of over 1 million patients. It was later discovered that the breach resulted from the compromise of a third-party medical provider with access to Broward's patient database.

These and other cases of data breaches targeting HIEs demonstrate that healthcare organizations, including HIEs, are very attractive targets to hackers and data thieves. More importantly, the breach incidents reiterate the need to secure medical information using stronger cybersecurity controls like multifactor authentication, privileged access management and data loss prevention solutions.

Health data interoperability directly improves patient care by enabling better coordination, faster emergency responses, and greater patient engagement. Examine how the interoperability of health data enhances patient care and outcomes.