Data privacy, security & HIPAA in exchange
Moving health data between organisations only works if everyone trusts that it is protected on the way. In the United States, that trust rests on HIPAA — the Privacy Rule that governs how protected health information may be used and shared, and the Security Rule that governs how electronic records are safeguarded. Here is how both apply to a health information exchange.
Two rules, two jobs
The Privacy Rule and the Security Rule
HIPAA's protections are usually discussed as two distinct rules:
- The Privacy Rule sets the conditions under which protected health information (PHI) may be used and disclosed. Its best-known principle is minimum necessary: when PHI is used or shared, the access should be limited to what is reasonably needed for the task at hand — not the whole record by default.
- The Security Rule applies specifically to electronic PHI (ePHI). It requires administrative, physical and technical safeguards: who may access systems, how facilities and devices are protected, and the technical controls — access control, audit logging, encryption — that protect the data itself.
How this lands on an exchange
An HIE is a participant in this framework, typically operating under business associate agreements with the organisations whose data it moves. That means the exchange itself must implement the same safeguards: unique user authentication, least-privilege (minimum-necessary) access, audit logging of who accessed what, encryption of data in transit and at rest, and automatic session timeouts. Privacy is not a setting that is switched on at the end; it is designed into how the exchange routes and stores every record.
The technical safeguards an exchange relies on
These are the controls that turn the HIPAA Security Rule from policy into practice inside a health information exchange.
Authentication and least-privilege access
Every user is uniquely identified, and access is scoped to the minimum necessary for their role. A front-desk user and a treating clinician do not see the same data, and the system enforces that difference rather than trusting policy alone.
Audit logging and review
The exchange records who accessed which record and when, with centralised log collection and regular review. Audit trails are what make accountability real — they let an organisation detect and investigate inappropriate access after the fact.
Encryption in transit and at rest
Data is encrypted as it moves between systems and while it is stored, so that intercepted or stolen data is unreadable. Under the strengthened Security Rule, encryption moves from an addressable consideration to an expected control.
Session control and incident response
Automatic session timeouts limit exposure from unattended sessions, and a defined incident-response process governs what happens if a breach is suspected — including the notification obligations HIPAA imposes.
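The following is an added example, not AzHeC's code or any exchange's actual implementation. It models three of the safeguards above in one place: role-scoped (minimum-necessary) field access that the system enforces rather than trusting policy, an audit trail of every access decision, and an idle-session timeout, plus a small review routine that scans the audit trail for a user repeatedly denied access beyond their role. The roles, field names, user ids, patient record and timeout value are all constructed for illustration.

```python
"""Added example (not AzHeC's code): a minimal model of unique user identity,
minimum-necessary access by role, audit logging of every decision, and an
idle-session timeout. All roles, fields, users and records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Minimum-necessary policy: which record fields each role may read.
# Constructed for this example; a real exchange derives these from its policy.
ROLE_FIELDS = {
    "front_desk": {"name", "dob", "insurance"},
    "clinician": {"name", "dob", "insurance", "problems", "medications", "labs"},
}

SESSION_TIMEOUT = timedelta(minutes=15)  # assumed idle limit


@dataclass
class Session:
    user_id: str           # unique user identifier (one person, one id)
    role: str
    last_activity: datetime


@dataclass
class AuditEvent:
    when: datetime
    user_id: str
    patient_id: str
    fields: tuple
    outcome: str           # "allowed", "denied" or "session_expired"


@dataclass
class Exchange:
    records: dict
    audit_log: list = field(default_factory=list)

    def access(self, session, patient_id, requested, now):
        """Return only the fields the caller's role permits; log every decision."""
        requested = tuple(sorted(requested))
        if now - session.last_activity > SESSION_TIMEOUT:
            self.audit_log.append(AuditEvent(now, session.user_id, patient_id,
                                             requested, "session_expired"))
            raise PermissionError("session expired; re-authenticate")
        session.last_activity = now
        allowed = ROLE_FIELDS.get(session.role, set())
        denied = [f for f in requested if f not in allowed]
        if denied:
            # Enforce minimum necessary: refuse the whole request, record it.
            self.audit_log.append(AuditEvent(now, session.user_id, patient_id,
                                             requested, "denied"))
            raise PermissionError(f"{session.role} may not read {denied}")
        self.audit_log.append(AuditEvent(now, session.user_id, patient_id,
                                         requested, "allowed"))
        record = self.records[patient_id]
        return {f: record[f] for f in requested if f in record}


def review_audit_log(log, window, now, threshold=3):
    """Audit review: users with `threshold` or more denials inside `window`,
    a simple after-the-fact indicator of someone probing beyond their role."""
    counts = {}
    for e in log:
        if e.outcome == "denied" and now - e.when <= window:
            counts[e.user_id] = counts.get(e.user_id, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def demo():
    """Walk through a constructed scenario and return the observable outcomes."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    hie = Exchange(records={"pt-001": {  # constructed sample record
        "name": "Sample Patient", "dob": "1980-01-01", "insurance": "plan-x",
        "medications": ["drug-a"], "labs": {"a1c": 6.1}}})
    desk = Session("u-desk", "front_desk", t0)
    doc = Session("u-doc", "clinician", t0)
    out = {}
    out["desk_demographics"] = hie.access(desk, "pt-001", ["name", "dob"], t0)
    # Front desk repeatedly asks for clinical fields: denied and logged each time.
    for i in range(3):
        try:
            hie.access(desk, "pt-001", ["medications"], t0 + timedelta(minutes=i))
        except PermissionError:
            pass
    out["clinician_meds"] = hie.access(doc, "pt-001", ["medications", "labs"], t0)
    # Clinician returns after 20 idle minutes: session expired, access refused.
    try:
        hie.access(doc, "pt-001", ["name"], t0 + timedelta(minutes=20))
        out["expired_blocked"] = False
    except PermissionError:
        out["expired_blocked"] = True
    later = t0 + timedelta(minutes=20)
    out["flagged"] = review_audit_log(hie.audit_log, timedelta(hours=1), later)
    out["outcomes"] = [e.outcome for e in hie.audit_log]
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that the access decision, the audit entry and the timeout check live in one code path, so there is no way to read a field without leaving a trace; the review function then works only from that trace, which is what lets inappropriate access be detected after the fact.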
Once-optional safeguards are becoming mandatory
The HIPAA Security Rule was first adopted in 2003 — before cloud computing, modern telehealth, ransomware and the wave of connected medical devices now common in care. A proposed update moving through 2025 into 2026 would remove the old distinction between "required" and "addressable" safeguards: controls that organisations could previously justify skipping — including encryption, multi-factor authentication, audit logging and regular technical testing — would become firmly required, with periodic compliance review expected.
For exchange participants, the direction is clear: the safeguards a well-run HIE already treats as baseline are becoming the explicit floor for everyone. AzHeC tracks these changes and explains them neutrally so Arizona stakeholders are not caught flat-footed.
Frequently asked questions
01 Does HIPAA prohibit sharing data through an exchange?
No. The Privacy Rule explicitly permits using and disclosing PHI for treatment, payment and health-care operations, which covers most of what an exchange does. The rule sets the conditions and the minimum-necessary limit; it does not block the legitimate movement of records needed for care.
02 What does 'minimum necessary' mean in practice?
It means access and disclosure should be limited to what is reasonably needed for the purpose. An exchange enforces it technically through least-privilege access — scoping what each user and system can see to their legitimate need rather than exposing the full record by default. Note that treatment disclosures to a provider are a recognised area where the standard is applied differently.
03 Is encryption legally required?
Historically encryption was an 'addressable' specification under the Security Rule, meaning an organisation had to either implement it or document a reasonable alternative. The proposed 2025–2026 update would make encryption of ePHI in transit and at rest a required control with only limited exceptions. In practice, a serious exchange already encrypts both.
04 How is especially sensitive data handled?
Certain categories — substance-use treatment records under 42 CFR Part 2, for example — carry protections beyond baseline HIPAA. Exchanges handle these through more granular consent and data-handling controls. We cover that in the consent and data-sharing material under The Network.
Privacy is the foundation of trust in exchange
If your organisation is working through HIPAA obligations for data exchange, the council offers a neutral, standards-first read — no vendor agenda, nothing to buy.