EFFECTIVE DATE: 7/17/2024
LAST UPDATED: 4/24/2026

Surescripts is a registered Health Information Exchange (HIE) in Maryland. An HIE is a network of entities that lets healthcare providers and others share information for a variety of purposes including treatment, payment, and healthcare operations. The HIE registration applies to Surescripts’ Record Locator and Exchange and Clinical Direct Messaging products. Healthcare providers, health systems, hospitals, and other healthcare organizations may be participants in Surescripts’ HIE through their use of Record Locator and Exchange and Clinical Direct Messaging products. If your healthcare provider participates in Surescripts’ HIE products, your provider must inform you in their Notice of Privacy Practices.

The information that participants exchange through Surescripts’ Record Locator and Exchange and Clinical Direct Messaging products and services may include basic demographic information and health information contained in medical records include medication lists, diagnoses and conditions, medical history, and provider notes and visit summaries. For Record Locator and Exchange, Surescripts uses basic demographic information provided by healthcare providers, for the purpose of patient matching and identification.

Federal and state law gives you certain rights with respect to your health information that may be exchanged through Surescripts. To amend or obtain copies of the health information about you available through Surescripts, submit a request to your healthcare providers that participate in Surescripts’ HIE.

You may also choose to “opt out” and not have any of your health information shared through our Record Locator and Exchange product and services by completing and submitting the Opt-Out Request Form to Surescripts. You may email optout@Surescripts.com to obtain the form. If you opt out with Surescripts, please be aware that your health information will no longer be shared through Surescripts and may affect your healthcare providers’ ability to obtain your health information. You may also make a request to opt-out through one of your healthcare providers that uses Surescripts’ Record Location and Exchange product; however, opt outs at the healthcare provider level will still allow your health information to be made available through Surescripts. Also, note that even if you opt-out, a certain amount of your health information may remain available to authorized entities as permitted or required by law. Surescripts does not capture patient demographic information through Clinical Direct Messaging and is not able to limit exchange through this service because as a Health Information Service Provider, Surescripts is limited in what information is accessible through the service. As such, you can request to opt out of these services through your healthcare providers that use Surescripts.

Surescripts takes the security of your health information seriously and follows all applicable federal and state laws to protect the privacy and security of your information. Healthcare providers and other organizations that participate in Surescripts’ HIE through the use of the Record Locator and Exchange and Clinical Direct Messaging products and services agree to only use and share your information as permitted by federal and state laws, including HIPAA. You will be notified if there is a breach of your information or if your information is accessed by someone without authorization.

See below for more information about Surescripts as an HIE and your rights with respect to the information exchanged through Surescripts.

Health Information Exchange FAQs

What kind of information can be accessed through Surescripts’ HIE? How is this information used?

Participants in Surescripts’ HIE can access your demographic information and the medical information about you that is maintained by organizations that participate in Surescripts’ HIE. The medical information that may be accessed through Surescripts’ HIE may include your medical history, your diagnoses and illnesses, test results, a list of your medications, notes from your providers, and summaries of provider visits.

This health information could include sensitive information that receives additional protections under state and federal laws including:

  • HIV/AIDS records
  • Genetic Testing records
  • Substance Use Disorder records
  • Mental Health records
  • Reproductive Health records

Surescripts requires that providers or organizations using Surescripts’ Record Locator and Exchange and Clinical Direct Messaging services to get all consents or authorizations required by law from you before they share or access sensitive health information about you through Surescripts’ products. To ensure your sensitive health information is protected and only shared or used in ways permitted by law, Surescripts may also filter out certain information like national drug codes data associated with sensitive health information about you when accessed by certain authorized participants. Surescripts does not share your information with law enforcement unless it is legally compelled to do so by court order.

Participants in Surescripts’ HIE use your information to help make better treatment recommendations, improve care coordination between your providers, and coordinate payment for the care you receive.

What information about me does Surescripts store?

With the exception of Clinical Direct Messaging services, Surescripts only stores basic demographic information, provided by healthcare providers, for purposes of patient matching and identification. All other information about you that is maintained by Surescripts is incidental to transmitting clinical information requested and responded to by providers or organizations using Surescripts’ Record Locator and Exchange and Clinical Direct Messaging services. Surescripts does not use or disclose that information unless required to do so under applicable law.

What rights do I have with respect to my health information?

Under federal and state laws, you have the following rights for your health information that is shared with Surescripts: 

  • Request a list of who has shared, accessed or viewed your healthcare information through Surescripts. You may request a list of who has viewed or accessed your health information by submitting a request to one of your healthcare providers that participates in Surescripts’ HIE.
  • Opt-out of having your information shared through Surescripts’s HIE.
  • Be notified if there is a breach of your health information or if your information has been viewed by an unauthorized person.

See below for more information about each of these rights.

How does Surescripts keep my health information safe?

Surescripts complies with all state and federal privacy laws that apply to your data and requires providers or other organizations using Surescripts’ products and services to access or share your data to comply with all applicable laws. These laws include protections related to how your data may be used, who may access your data, and whether your consent is required before your data is disclosed. Surescripts also uses a variety of security measures to ensure your data is secure including systems checks and audits, system penetration testing, and advanced monitoring tools.

In the case of a breach of your personal health information, Surescripts will work to mitigate any damage caused by the breach and take steps to ensure a similar breach does not occur in the future. Additionally, Surescripts will provide written notice to individuals whose information was impacted by the breach and will notify law enforcement authorities as required by law.

How can I request an amendment or get a copy of the information about me that may be accessed through Surescripts?

To amend or obtain copies of the health information about you available through Surescripts, submit a request to your healthcare providers that participate in Surescripts’ HIE.

If you need your information in the event of an emergency, the procedures above still apply.

Can I opt-out of having my information shared through Surescripts’ HIE?

Yes. You can choose to opt-out of having your information shared or accessed through Surescripts’ products and services. More details on opting out can be found here.