Health Information Exchange (HIE)
HIE allows authorized users to securely and electronically access and share patient health information for quality improvement, clinical, and public health purposes. Organizations providing HIE services (HIEs) help improve safety and efficiency in health care by making the right information available in the right place at the right time.
HIE Registration
Entities operating in Maryland that meet the definition of an HIE are required to register with the MHCC annually, including EHR developers whose systems offer data exchange capabilities.
Information for Health Care Consumers
Consumers benefit from understanding how their health information is electronically exchanged among treating providers. The MHCC is helping raise consumer awareness and understanding of HIEs and their role in electronic data exchange.
State Regulations
Maryland law (2011) requires the MHCC to adopt regulations governing the privacy and security of protected health information (PHI) obtained or released through an HIE. COMAR 10.25.18 Health Information Exchanges: Privacy and Security of Protected Health Information (regulations) builds upon protections established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. These regulations aim to ensure the privacy and security of PHI while improving providers' access to clinical records and supporting public health goals.
The MHCC regularly considers amendments to the regulations to keep pace with federal policy and support the implementation of legislation passed by the Maryland General Assembly.
Consumer Consent Management Application, Health Data Utility, and Dispenser Reporting of Noncontrolled Prescription Drugs
Maryland Law enacted in 2021 requires the State-Designated HIE to develop and maintain a Consent Management Application (CMA). The CMA aims to centralize the process for health care consumers to opt-out or back into having their electronic health information shared or disclosed by an HIE.
Legally Protected Health Information
Maryland law enacted in 2023 prohibits the disclosure of legally protected health information by HIEs and electronic health networks (EHNs) operating in the State, with some exceptions. Legally protected health information includes mifepristone data; the diagnosis, procedure, medication, and related codes for abortion care; and other sensitive health services with a date of service after May 31, 2022, as determined by the Secretary of Health and defined in COMAR 10.11.08, Abortion Care Disclosure.
Chapter 248 (Senate Bill 786) and Chapter 249 (House Bill 812), Health - Reproductive Health Services - Protected Information and Insurance Requirements (2023).
The MHCC convenes virtual Town Halls to provide a forum for stakeholders to share implementation progress and ask questions.
MHCC prepared implementation guidance based on stakeholder questions. The following documents serve as a resource for HIEs and EHNs in the management, disclosure, and protection of legally protected health information:
EHNs and HIEs submitted an affirmation of compliance or an implementation plan to comply with the law (January 2024). The majority of HIEs submitted implementation plans in the interim while they implement the technical requirements for handling legally protected health information.
The MHCC continues to request implementation updates, since vendor implementation strategies are fluid and timelines are subject to change.
- The next update is due July 3, 2026, and can be completed using the Implementation Update form.
HIE Policy Board
The MHCC engages stakeholders diverse perspectives to advise staff on policies for statewide health information exchange. The HIE Policy Board is responsible for:
- informing development of COMAR 10.25.18 to ensure private and secure data exchange
- increasing consumer control over use of and access to their health information, to the extent technically feasible
- maximizing the benefit of HIE for clinical and public health purposes
In 2021 and 2022, the HIE Policy Board convened to deliberate on proposed draft updates to COMAR 10.25.18 with the goal of aligning the regulations with evolving federal and state policies. For more information, visit HIE Policy Board.
State-Designated HIE
Maryland law (2009) charged the MHCC and the Health Services Cost Review Commission with designating a statewide HIE. The State-Designated HIE is responsible for building and maintaining technical infrastructure and an effective data management strategy that can support the secure statewide exchange of electronic health information.
In 2009, the Chesapeake Regional Information System for our Patients (CRISP) was competitively selected to serve at the State-Designated HIE. Based on their performance, CRISP has been reselected for this role at each successive three-year designation cycle.
CRISP offers a variety of tools and services to meet the needs of health care facilities, providers, patients, and State agencies. CRISP submits a quarterly report to the MHCC with information on participating organizations and their use of HIE services.
Related Resources
Health Data Utility
The Maryland General Assembly passed Chapter 296 (House Bill 1127) Public Health - State Designated Exchange - Health Data Utility, which requires the State-Designated HIE to operate as a health data utility (HDU) for certain purposes effective October 1, 2022. An HDU has advanced technical capabilities to support electronic exchange of clinical, non-clinical, administrative, and public health data to enhance care delivery, bolster population health, and expand public health reporting.
For more information on the evolution of HIEs to advance multi-directional exchange, see Health Data Utility (HDU).
Contact Us
For more information, please email Anna Gribble at anna.gribble1@maryland.gov.