Health information exchanges store the personal medical information of a majority of Americans, with most of that in the cloud on the internet. Mainly non-profit organizations, these entities aggregate all patient health data from about 75% of US hospitals and likely a majority of the large integrated health systems which constitute a major part of the healthcare landscape. Data on rates of participation by private doctors is difficult to locate.

The prevalence of these exchanges presents dangers to our privacy and health freedom: Who will have access to our personal data, and what will they do with it?  

Health information exchanges exist in 47 states

We often assume that our health data is private, but HIPAA allows for the sharing of information in a range of situations, including to “business associates” such as these now-ubiquitous “health information exchanges” (HIE’s) that exist in at least 47 states. HIE’s are basically clearinghouses and data storage centers for all participating health care providers and patient information in a given state or portion thereof. One main reason for these entities is to allow providers for a given patient to access prior medical records and information. A major privacy exception that applies to HIE’s is information deemed important for state and local public health departments, as discussed below.

HIE’s around the USA: how many and what is their structure?

A 2024 survey from Health Affairs Scholar counted 76 HIE’s (also known as Health Information Organizations) that held data on over 600 million patients (including duplicate and overlapping records). This means that most Americans’ health information is being stored at one or more HIE, despite the fact that most people know little about the existence or functioning of these entities. HIE entities can be non-profits, for-profits, or quasi-governmental. Such diversity in part stems from the federal government’s 2010 State HIE Cooperative Agreement Program, which included about $580 million in grants to build HIE infrastructure. Now, many states have overlapping HIE’s, some at the state level, some regional, and some disease or health system specific.

How does HIPAA apply to public health information and HIE’s?

Under HIPAA, HIE’s mostly qualify as “business associates” of hospitals, health systems, and providers. HIPAA’s privacy rules allow HIE’s to disclose personal health information (PHI) without consent for treatment or payment purposes, as well are for many public health activities. Public health agencies are likely the largest recipients of data conveyed via HIE networks. PHI that can be shared for public health purposes without patient consent includes births and deaths, communicable diseases and related data, public health surveillance and investigation data, child abuse, FDA-related information about products and adverse events, notification to persons at risk from disease exposure and contact-tracing, and workplace-related illnesses or injuries as required by OSHA.

Public views on HIE

There is no easily available data about how many people know about the existence and workings of the HIE’s around the country. “HIE” can refer to both the entities discussed in this article and also to the concept of sharing health information via an electronic clearinghouse. On this latter meaning, one study showed that 70% of people were “very” or “somewhat” concerned about HIE privacy issues and 75% of people felt the same way about HIE data security. Other research from 2024 indicates that while most folks support HIE’s when it comes to having their data shared among their various health care providers, many have concerns about use for research and public health purposes, especially when there is a lack of transparency regarding these uses or when their data is not anonymized.

Can you opt-out of HIE’s?

The ability to opt-out of having your information shared by HIE’s in general varies from state to state. And even if a person chooses to opt-out, this primarily impacts sharing with providers, i.e. you generally cannot opt-out of public health uses that are allowed by federal law. In California, there is no statewide opt-out law; instead, each of the many HIE’s in that state sets its own policies. California’s largest HIE is Manifest MedEx, and their opt-out form makes clear that this only applies to “personal health information accessible by your healthcare team and your health plan” as opposed to other uses. On the other hand, Arizona has a specific law allowing one to opt-out.

But once again, this does not prevent HIPAA-allowed public-health disclosures to the Arizona Department of Health Services. New York has a government-partnered HIE, the Statewide Health Information Network for New York. It is one of the few states with an effectively “opt-in” system: for a doctor to access your data you must sign a consent form. At the same time, consent is not needed to share information for public health purposes or emergencies.

Dangers ahead?

The possible future of HIE’s poses many dangers. By normalizing the centralization of personal health information, these entities could be turned against individual choice. In future pandemics, they could be turned into the infrastructure for public health mandates, such as vaccine programs, and the enforcement thereof. They also could impinge on our individual doctor-patient relationships and create top-down care systems, if they take the place of our own doctor’s personal business records. Moving forward, we need to make sure these possible futures never occur.

Groups working for reform

As more health care providers consider participating in HIE’s, we need to be informed and involved in whether to use these systems and in also how to manage them in ways that both allow technical development and are consistent with our long-term values of health privacy. Many groups are working to support these issues, including Patient Privacy Rights, the Electronic Frontier Foundation, and the Privacy Rights Clearinghouse. These organizations are concerned about privacy, health-information surveillance, patient consent, data security, law enforcement access, and possible mission-creep.

If you want more information about the HIE’s in your home state, provider participation, and what rights you may have regarding these systems, contact one of the groups linked above or NHFC/NHFA Staff Attorney Steven O’Connor at info@nationalhealthfreedom.org.