The push for health information exchange (HIE) began back in the Bush administration, with the long-term vision of a National Health Information Network (NHIN). While the NHIN remains a long way off, local and regional exchanges are developing in many areas of the country.[1]. The eHealth Initiative, in its 2010 survey, found 234 active HIE initiatives across the country. Seventy-three of these HIEs were actively exchanging data. Furthermore, there are now 56 state-designated entities that are working, often in coordination with state health officials, to guide HIE development in their state.

What will the availability of HIE mean for your practice? As HIEs are developing across the country, they face a number of decision points that will make a difference for what information you can obtain through the HIE. Here are some of the most critical:

Health information exchange

1. Some HIEs are record locator services, while others are data repositories.

HIEs that function as record locator services will not actually hold clinical data. Instead, when you query the HIE, you will receive a list of providers who have seen the patient during the time period available to the exchange. It will then be up to you to obtain the records of other providers by contacting the provider directly. HIEs that are data repositories will have clinical data that has been exported directly from electronic medical record systems of the participating providers. This may include encounters, medication history, procedures, significant findings, etc. In some areas of the country, you may find that local HIEs are data repositories, while state-wide HIEs are record locator services. For example, the Illinois Health Information Exchange is planned as a record locator service, while the Metropolitan Chicago HealthCare Council is working on implementing a data repository form of HIE.

2. You will probably need to sign a participation agreement in order to access data in the HIE.

HIEs typically establish common standards for providers seeking access to the HIE.  Providers will likely be asked to maintain confidentiality of access codes and passwords, use common security standards, and report data breaches.  In some cases, you may not be able to participate in the HIE unless you have an electronic medical record system that meets interoperability standards.

3. HIEs use different approaches for patient consent, sometimes due to differences in state law. Some require an opt-in approach, while others use an opt-out approach.

Providers participating in an HIE will need to inform patients about what this means. For an HIE that uses an opt-out approach, the patient will be informed, usually at the first encounter, that the provider participates in an HIE. The patient will then have the opportunity to opt-out of having his/her data shared through the HIE. If the HIE uses an opt-in approach, the provider will ask the patient if he/she consents to sharing data through the HIE.  

In both cases, physicians will need to maintain documentation that patients were given the opportunity to opt out (for HIEs using the opt-out approach), or that patients whose data is shared consented (for the opt-in approach). It will be helpful to physicians if the HIE can offer standardized descriptions of data exchange that can be integrated into the physician’s Notice of Privacy Practices or consent forms.

4. Some clinical information subject to stricter state confidentiality laws may be excluded from exchange, or may require special procedures.

The Health Insurance Portability and Accountability Act (HIPAA) privacy and security standards do not preempt state laws that provide greater protections for confidentiality than HIPAA. In many states, specific statutes protect the confidentiality of mental health records and other types of health information (HIV test data, genetic testing, etc.). These laws may require a particular form of authorization for disclosure of information. Also, the federal regulations that apply to federally supported alcohol and drug treatment centers contain strict requirements for authorization for release of records. Depending on the organization of the local HIE, the HIE may decide not to include this type of information at all, or may require that the provider sending this sensitive information maintain documentation of patient consent. If the HIE excludes sensitive information, possibly providers who cannot send information to the HIE (psychiatrists, psychiatric hospitals, alcohol and drug treatment centers, etc.) may be able to access the HIE on a “read-only” basis.

We are in the early stages of HIE adoption.  As HIEs proliferate across the country, we can expect to see standards of practice develop on when physicians should query the HIE to obtain or verify medication lists and other elements of medical history.  


[1]. eHealth Initiative, HIE Survey Report 2010, Key Findings, available at

About the Author

Patricia King, JDPatricia King is a health care attorney in Illinois, and principal of the web-based business Digital Age Healthcare LLC (

She has written extensively on, with topics including:

Understanding Accountable Care Organizations and their potential impact on medical practices.

Realizing the benefits of EHR for risk management.

The shared savings program that comes out Section 3022 of PPACA.

Topics #health information #health information exchange #HIE #medical information #medical practice #patient health information #physician information