Lifebit logo
BlogIndustryHealth Information Exchange (HIE): 2026 Definitive Guide

Health Information Exchange (HIE): 2026 Definitive Guide

Quick answer

A Health Information Exchange (HIE) is a regulated network that lets hospitals, clinics, labs and public health agencies share patient records across organisational boundaries using shared standards — typically HL7 FHIR R4, Direct messaging and a record locator service — without consolidating all records into a single central database. HIEs are run by state-designated nonprofits, multi-state networks and federally designated QHINs under TEFCA.

  1. HIEs route clinical data between care settings; they do not own the underlying patient record.
  2. The federation pattern — data stays at the source, queries travel to it — is the dominant HIE architecture in 2026.
  3. Federated Trusted Research Environments (TREs) extend the same architecture from clinical exchange into research and AI workloads.
Abstract image of ethereal fiber optic strands cascading with glowing blue lights.
Photo by Suki Lee on Pexels

A Health Information Exchange (HIE) is the regulated infrastructure that moves patient health information between organisations — hospitals, primary care, labs, pharmacies, public health agencies — under shared interoperability standards and data-use agreements. In the modern federated pattern, an HIE does not hoard a copy of every record; it routes queries to the institutions that hold the source data and returns the response in real time. That same architectural principle — data never leaves the source — now anchors the next layer above HIEs: federated Trusted Research Environments (TREs) for research and AI on sensitive health data.

Why HIE architecture matters in 2026

Two events in the last twelve months have made HIE architecture a board-level question rather than a back-office one. First, the Office of the National Coordinator for Health Information Technology (ONC) advanced the Trusted Exchange Framework and Common Agreement (TEFCA) to a working national fabric of Qualified Health Information Networks (QHINs), consolidating a decade of fragmented bilateral agreements. Second, the May 2026 UK Biobank incident demonstrated what happens when approved researchers operate inside a centralised SaaS environment that holds copies of source data: derived datasets walked out through the platform’s normal export workflow, with no malicious actor required. The architectural lesson cuts across both clinical exchange and research analytics. Networks that copy data face a permanent leakage surface. Networks where data never leaves the source do not.

This is why the federation pattern that US HIEs adopted in the late 1990s — pioneered by Regenstrief Institute’s Indiana Network for Patient Care (INPC) — is now being read as a template by ministries of health, biobanks and federal research programmes far beyond clinical operations. The European Health Data Space (EHDS), the NHS Federated Data Platform, Singapore’s Synapxe national health data fabric and CanPath’s pan-Canadian cohort are all variants of the same architectural claim: the only durable interoperability layer is one where governance, residency and compute boundaries match the data’s origin.

What an HIE actually does

HIEs serve three primary functions, each backed by a different standards stack and governance regime.

Patient record query and retrieval

A clinician at hospital A queries the HIE for a patient seen last week at hospital B. The HIE resolves identity through privacy-preserving record linkage, checks consent and treatment-relationship attestations, routes the query to hospital B’s source system, retrieves the response and returns it within seconds. In the federated pattern, the HIE itself stores no clinical record — only the routing logic, the master patient index and the audit trail. The conformance test for whether an HIE is genuinely federated is simple: if every participating institution went offline, would the HIE hold any patient data? If yes, it is a centralised repository wearing a federation costume.

Direct secure clinical messaging

HIE participants send discharge summaries, referrals, lab results and care-transition packets through the Direct Project protocol or FHIR R4 messaging endpoints. This replaces fax and unsecured email — still, in 2026, the dominant clinical communication medium in many US settings — with a standards-based, signed and audit-logged channel. DirectTrust maintains the trust anchors and accredits the Health Information Service Providers (HISPs) that operate Direct endpoints.

Public health, quality and population reporting

HIEs aggregate de-identified or consented data for state and federal public health surveillance (immunisation registries, syndromic surveillance, communicable disease reporting), CMS quality measure submission, and population health analytics. The National COVID Cohort Collaborative (N3C) assembled 22 million patient records from more than seventy-five institutions in 2020 to 2022 largely through HIE-mediated extracts and Regenstrief’s Linkage Honest Broker. That programme is the modern proof that HIE-style federation scales to national research workloads.

How HIEs are organised in the United States

US HIE infrastructure operates at four overlapping tiers in 2026.

State-designated HIEs. Most states designate one or more nonprofit HIEs — Indiana HIE, CRISP in Maryland and DC, Manifest MedEx in California, Healthix in New York, Michigan Health Information Network. These typically run on a mix of state grants, federal matching funds, and per-participant fees. They are the operational backbone for treatment exchange within a state.

Multi-state and national networks. eHealth Exchange (operated by the Sequoia Project), Carequality and CommonWell Health Alliance are the “HIEs of HIEs” that interconnect state HIEs, large health systems and federal agencies. The Veterans Health Administration, Department of Defense and Indian Health Service all exchange records with civilian providers through these networks.

Federally designated QHINs under TEFCA. The Trusted Exchange Framework and Common Agreement, launched by ONC, designates Qualified Health Information Networks that interoperate under one common legal and technical framework. As of 2026, multiple QHINs are designated, and TEFCA is the consolidation track that the entire US HIE landscape is now on. TEFCA defines six allowed exchange purposes — treatment, payment, healthcare operations, public health, government benefits determination, and individual access services. Research is not yet a primary TEFCA exchange purpose, which is why research-grade federated infrastructure (federated TREs) is emerging as a distinct architectural tier.

Specialty and condition-specific HIEs. Oncology networks, behavioural health information exchanges, long-term and post-acute care HIEs, and HIE infrastructure inside large integrated delivery networks. These interoperate with the general HIE tiers through standards-based gateways.

The standards stack underneath

Every modern HIE rests on the same interoperability stack, even when the operational details differ.

StandardRoleMaintainer
HL7 FHIR R4API standard for clinical resources (Patient, Encounter, Observation, MedicationStatement)HL7 International
USCDIUS Core Data for Interoperability — minimum required data setONC
Direct ProjectSecure point-to-point clinical messagingDirectTrust
C-CDAConsolidated Clinical Document Architecture — clinical summariesHL7
LOINC, SNOMED CT, RxNorm, UCUMVocabulary for labs, conditions, medications, unitsRegenstrief / SNOMED International / NLM
IHE profiles (XCA, XCPD, PIX/PDQ)Cross-organisational query and patient discovery patternsIHE International

TEFCA pushes the strategic direction toward FHIR-first exchange. The ONC’s Inferno conformance suite is the gate. Older standards (C-CDA documents, Direct messaging) remain operationally important — the installed base does not turn over in a year — but the API surface QHINs expose is now FHIR.

HIE versus federated Trusted Research Environment

The architectural overlap between HIEs and federated TREs is significant — both push compute toward data rather than copying data to compute. The functional separation is what most evaluators get wrong on first read.

DimensionHIEFederated TRE (Lifebit)
Primary purposeClinical operations: real-time record exchange for patient careResearch and AI: cohort discovery, analytics, ML model training
Latency targetSub-second to seconds (clinical workflow)Minutes to hours (analytic workload)
Data freshnessReal-time clinical eventsPeriodically refreshed analytic snapshots (OMOP, FHIR bulk)
Standards focusFHIR R4, Direct, USCDI, C-CDAOMOP CDM v5.4 plus FHIR R4 bulk export
Governance regimeTreatment / Payment / Operations under HIPAA; TEFCA Common AgreementStudy-specific IRB approval, Five Safes framework, data-use agreements
Egress controlsPer-query consent and audit; no derived-data airlock by defaultAutomated airlock on every output — code, model weights, summary statistics
Typical participantsHospitals, clinics, labs, pharmacies, public health agenciesBiobanks, academic medical centres, ministries of health, federal research programmes
Architectural patternFederated query with record locator serviceFederation: compute deployed inside each data custodian’s environment (US patent 12,519,781)

The clearest way to read the table: an HIE answers “can clinician A see patient X’s record from institution B in time to treat them?” A federated TRE answers “can researcher A train a model across patients X1 to Xn held at institutions B1 to Bn, without any of those institutions sending data outside their own perimeter, and with every result passing an automated airlock?” Both rest on federation. The TRE adds the airlock, the harmonisation layer (OMOP, FHIR bulk) and the research-grade audit chain that HIE governance under HIPAA’s Treatment-Payment-Operations regime does not need to enforce.

Federated infrastructure is not a slide-deck claim — it is the operational substrate of the most consequential national health programmes in 2026.

Genomics England’s 500,000 Genome Project runs on a federated TRE that holds whole-genome data plus longitudinal NHS records inside the boundary of the data custodian. Boehringer Ingelheim operates a federated R&D network across pharma research sites with the same pattern. The NIH National Library of Medicine’s unified discovery platform — FedRAMP authorised — uses federation to keep research data under each institution’s governance. CanPath, Canada’s pan-Canadian cohort, deployed a federated TRE in May 2026 to unify provincial biobanks without any cohort surrendering custody. Singapore’s Synapxe operates the national health data fabric under the same architecture. Flatiron Health’s federated real-world oncology network gives sponsors and academic groups regulated access to oncology EHR data without data leaving partner sites.

The thread connecting these deployments is not the vendor name. It is the architectural commitment: data never leaves the source. That commitment is what TEFCA codifies into US clinical exchange and what federated TREs codify into research and AI.

What evaluators should do next

If you are responsible for HIE participation, TEFCA strategy or research data infrastructure inside a health system, ministry of health or biobank, three practical steps separate teams that will lead from teams that will follow.

First, audit your existing exchange relationships for the federation conformance test above. Where any participating network holds copies of source records outside the data custodian’s perimeter, document that surface. Each copy is a permanent leakage risk and a future incident-disclosure obligation under GDPR, HIPAA breach reporting and emerging EHDS Article 50 secondary-use rules.

Second, map your TEFCA exposure. Identify which exchange purposes you support today, which QHIN relationships you will need over the next twenty-four months, and where FHIR conformance gaps exist. The Inferno test suite is the right starting point.

Third, separate clinical exchange (HIE / QHIN) from research and AI (federated TRE). The governance regimes, latency targets and egress controls are different enough that running both through one platform creates compliance friction in both directions. The federation principle is the same; the operational surface is not.

Frequently asked questions

What does HIE stand for?

HIE stands for Health Information Exchange. It refers to both the act of exchanging health information between organisations and the regulated nonprofit or federal networks that operate the underlying infrastructure (state-designated HIEs, multi-state networks, and QHINs under TEFCA).

Who runs HIEs in the United States?

Most US HIEs are operated by state-designated nonprofits (Indiana HIE, CRISP, Manifest MedEx, Healthix and roughly one or two equivalents per state). Multi-state interoperability runs through eHealth Exchange, Carequality and CommonWell. Federal designation now flows through ONC’s TEFCA framework, which accredits Qualified Health Information Networks (QHINs) as the national exchange backbone.

Is an HIE the same as an EHR?

No. An Electronic Health Record (EHR) is the clinical record system inside one institution — Epic, Oracle Health, MEDITECH, athenahealth. An HIE is the network that lets EHRs from different institutions exchange records under shared standards and governance. An HIE without participating EHRs has nothing to route; an EHR without HIE connectivity is an information silo.

What is TEFCA and how does it change HIE infrastructure?

TEFCA is the Trusted Exchange Framework and Common Agreement, ONC’s national framework that replaces the patchwork of bilateral data-use agreements between HIEs with one Common Agreement. Networks that sign it and meet the technical bar become Qualified Health Information Networks (QHINs). TEFCA mandates FHIR R4 as the API standard and defines six allowed exchange purposes — treatment, payment, healthcare operations, public health, government benefits determination, and individual access services.

How is an HIE different from a federated Trusted Research Environment?

An HIE moves clinical data between care settings for treatment, payment and operations under HIPAA. A federated TRE moves research-grade analytic workloads to data held inside biobanks, ministries of health and research consortia, under study-specific governance and with an automated airlock on every output. Both rest on federation — compute moves to data, data never leaves the source — but the TRE adds harmonisation (OMOP, FHIR bulk), airlock controls and research-grade audit chains that HIE governance does not require.

Do HIEs comply with HIPAA?

Yes. HIEs operate as either Business Associates or Covered Entities under HIPAA, depending on their participant relationships, and are bound by the Privacy Rule, Security Rule and Breach Notification Rule. HIEs additionally operate under state-level health information privacy statutes (some materially stricter than HIPAA — for example 42 CFR Part 2 for substance use disorder records, and state-specific reproductive health, mental health and HIV statutes) and the TEFCA Common Agreement where they hold QHIN designation.

Can HIE infrastructure support AI and research workloads?

HIE infrastructure can support cohort identification, data extraction and some research-grade exchange — N3C, All of Us, FDA Sentinel and AIM-AHEAD all rely on HIE-mediated data flows. But HIE governance under TEFCA does not yet treat research as a primary exchange purpose, and HIE platforms do not typically include the automated airlock, OMOP harmonisation layer and study-specific governance chain that AI and research workloads require. That gap is what federated Trusted Research Environments fill — applying the HIE federation pattern to research and AI, with the additional controls that secondary use demands.


Federate & Discover Everything. Move Nothing.


United Kingdom

3rd Floor Suite, 207 Regent Street, London, England, W1B 3HH United Kingdom

USA
228 East 45th Street Suite 9E, New York, NY United States

© 2026 Lifebit Biotech Inc. DBA Lifebit. All rights reserved.

By using this website, you understand the information being presented is provided for informational purposes only and agree to our Cookie Policy and Privacy Policy.