HIPAA and Health Information Exchanges (HIEs): Secure Data Sharing
A Health Information Exchange exists to do the one thing HIPAA spends the most energy governing: move protected health information between organizations that do not share a roof, a network, or a patient-consent form. That is what makes HIE compliance distinct. In a single clinic, PHI mostly stays inside walls you control. In an HIE, a patient’s record may travel from a hospital, through a state or regional Health Information Organization (HIO), and into the EHR of an unaffiliated specialist — each hop a potential point of unauthorized access, and each participant legally accountable for its own safeguards.
Who is the covered entity and who is the business associate
In most exchanges the participating hospitals, clinics, and health plans are covered entities, while the HIO that operates the exchange infrastructure functions as a business associate of each of them. That structure has to be papered correctly: every participant needs a business associate agreement (or participation agreement with BAA terms) with the HIO, and the HIO in turn needs BAAs with its own subcontractors — the cloud host, the master patient index vendor, the interface engine. A gap anywhere in that chain means PHI is flowing to a party with no contractual obligation to protect it.
Permitted disclosure, consent, and minimum necessary
HIPAA permits sharing PHI for treatment without patient authorization, which is what lets query-based exchange work at the point of care. But many states layer their own consent rules on top — opt-in, opt-out, or heightened protection for behavioral health, HIV, or substance-use records under 42 CFR Part 2. The minimum necessary standard does not apply to treatment disclosures, but it does apply when the same data moves for payment or operations, so an HIE’s access controls have to distinguish purpose, not just identity.
The Security Risk Analysis for an interconnected node
Every participant and the HIO itself must conduct a Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A). For an exchange member that analysis cannot stop at your own firewall — it has to account for the interfaces, query endpoints, and credentials that connect you to the broader network. Role-based access, unique user IDs, and audit logging matter more here than almost anywhere else, because when PHI is queryable across organizations the question regulators ask after an incident is always “who could see this, and can you prove who did?”
What the proposed 2026 Security Rule update would add
The HIPAA Security Rule update proposed in the NPRM published in December 2024 is directly relevant to exchange participants. It is not finalized — once published as a final rule there would be a 240-day compliance window — but its direction is clear: mandatory asset inventories and network maps, written verification that connected partners actually deploy the safeguards they claim, encryption, and multi-factor authentication. For an HIE node, “know every system that touches PHI and every partner it connects to” stops being best practice and becomes the baseline.
How Medcurity helps
Medcurity gives exchange participants and HIOs a structured way to run and document the Security Risk Analysis the network depends on — inventorying the interfaces and endpoints that connect you to other organizations, tracking the BAAs across the chain, and producing the evidence regulators expect. Our platform is $499/year (about $42/month); larger health systems and HIOs with complex environments can request a quote. For the underlying control framework, see our guide to HIPAA Security Rule requirements, and review the business associate agreement guide before signing any participation agreement.
Frequently Asked Questions
Is a Health Information Organization a covered entity or a business associate?
In most arrangements the HIO that runs the exchange acts as a business associate of the participating covered entities, because it creates, receives, maintains, or transmits PHI on their behalf. That means each participant needs a BAA with the HIO, and the HIO needs BAAs with its own subcontractors.
Do patients have to consent before their data moves through an HIE?
HIPAA permits disclosure for treatment without separate authorization, but many states impose their own opt-in or opt-out consent rules, and sensitive categories like substance-use records under 42 CFR Part 2 carry heightened consent requirements. Participants must follow the stricter of HIPAA and applicable state law.
Does the minimum necessary standard apply to exchange data?
It does not apply to disclosures for treatment, which is why query-based exchange at the point of care is permitted. It does apply when the same PHI is accessed for payment or healthcare operations, so an HIE’s access controls should enforce purpose-based limits, not just authenticate users.
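As an added illustration (not Medcurity's product or any real HIE's policy engine) of the point made in the minimum-necessary section above and in this answer: a release decision keyed on purpose and role rather than identity alone, which withholds sensitive categories absent specific consent and writes the audit record the Security Risk Analysis section says regulators will ask for. The category names, per-role scopes and consent model are simplified assumptions.

```python
# Added example, not the page's own code. Purpose-aware release decision for an
# HIE query plus an audit record answering "who could see this, and who did?".
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: categories that carry heightened consent rules (state law / 42 CFR Part 2)
SENSITIVE = {"behavioral_health", "hiv", "substance_use_part2"}
# Assumption: minimum-necessary scope for non-treatment purposes, keyed by (purpose, role)
MIN_NECESSARY = {
    ("payment", "billing"): {"demographics", "encounters"},
    ("operations", "quality_analyst"): {"encounters", "labs"},
}

@dataclass
class Consent:
    exchange_opt_out: bool = False                       # state-law opt-out of the HIE
    sensitive_release_ok: set = field(default_factory=set)  # sensitive categories patient consented to share

@dataclass
class Request:
    user_id: str
    org: str          # requesting organization; HIE queries cross organizational lines
    role: str
    purpose: str      # "treatment", "payment" or "operations"
    patient_id: str
    categories: set   # data categories requested

def decide(req: Request, consent: Consent, audit: list) -> set:
    # Returns the categories that may be released and always appends an audit record.
    released: set = set()
    reason = "ok"
    if consent.exchange_opt_out:
        reason = "patient opted out of exchange (state rule)"
    elif req.purpose == "treatment":
        released = set(req.categories)   # treatment: no authorization, no minimum-necessary cut
    elif (req.purpose, req.role) in MIN_NECESSARY:
        released = req.categories & MIN_NECESSARY[(req.purpose, req.role)]
        reason = "minimum necessary applied"
    else:
        reason = f"no minimum-necessary scope for purpose={req.purpose} role={req.role}"
    # Sensitive categories need specific patient consent regardless of purpose (simplified)
    withheld = {c for c in released & SENSITIVE if c not in consent.sensitive_release_ok}
    released -= withheld
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": req.user_id,
                  "org": req.org, "role": req.role, "purpose": req.purpose,
                  "patient": req.patient_id, "requested": sorted(req.categories),
                  "released": sorted(released), "withheld": sorted(withheld), "reason": reason})
    return released
```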
What is the most common HIPAA gap for HIE participants?
Incomplete accounting of the connections themselves — interfaces, query endpoints, and shared credentials that link one organization to the network are frequently left out of the Security Risk Analysis and the asset inventory, leaving an unmonitored path into PHI.