Health information management sounds administrative. It is anything but. HIM practitioners determine whether a cancer diagnosis is coded as "malignant neoplasm, unspecified" or with the specificity that justifies the treatment protocol — a coding difference that can determine whether a claim is paid, denied, or audited. At every hospital in the United States, HIM professionals sit at the point where clinical quality, legal compliance, and financial performance converge.
This guide covers HIM as a professional discipline and governance framework — the people, standards, processes, and legal obligations that govern how health information is managed across the care continuum. For the technology stack that supports HIM — EHR platforms, FHIR APIs, master patient index systems — see our companion guide to healthcare information management systems.
What Is Health Information Management?
AHIMA defines health information management as "the practice of acquiring, analyzing, and protecting digital and traditional medical information vital to providing quality patient care." But that definition understates the scope. HIM professionals are responsible for everything from ensuring a physician's clinical notes are specific enough to support a DRG assignment to managing the HIPAA-compliant release of records to attorneys, payers, and other providers. The credential on the wall is just the starting point; the daily work spans clinical, legal, and financial territory that most job titles don't capture.
HIM evolved from medical records management in the early 20th century. The American Association of Medical Record Librarians — now AHIMA — was founded in 1928. For decades, the discipline was largely custodial: organizing paper charts, managing physical storage, and ensuring records could be retrieved when needed. The transformation began in earnest with ICD coding adoption in the 1980s and accelerated dramatically with the introduction of DRG-based hospital reimbursement in 1983. HIPAA in 1996 layered on the privacy and compliance dimensions. Electronic health records — federally incentivized through the HITECH Act of 2009 — fundamentally changed the technical landscape. And now, in the 2020s, AI-assisted documentation and ambient clinical intelligence tools are reshaping what HIM professionals do in real time.
The professional scope is wider than most administrators realize. HIM spans clinical coding, clinical documentation improvement, privacy and compliance, release of information, data quality management, health information exchange governance, revenue cycle, and increasingly, healthcare analytics and informatics. An HIM department at a large health system might include coders who never touch a paper chart, CDI specialists who spend their days querying attending physicians via EHR messages, a privacy officer managing HIPAA breach investigations, and an informaticist optimizing the EHR data model for analytics use cases. At a small rural hospital, one or two credentialed professionals may wear all of those hats simultaneously.
Why does HIM matter financially? The numbers are stark: 75% of claim denials trace to documentation or coding errors (MGMA, 2024). The American Hospital Association estimates $262B in claims were denied in 2024 — denied, not just adjusted, denied — representing revenue that providers expend significant resources pursuing or writing off entirely. Health information management is not a back-office function. It is the data governance layer that determines whether clinical work gets paid for, whether the organization survives a HIPAA audit, and whether the data used to make strategic decisions is trustworthy.
Health Information Governance — The Strategic Framework
Information governance is HIM at the organizational strategy level. AHIMA defines information governance as "an organization-wide framework for managing information throughout its lifecycle and for supporting the organization's strategy, operations, regulatory, legal, risk, and environmental requirements." It's the difference between managing data reactively — cleaning up the mess after a breach, scrambling to respond to an audit, correcting a year's worth of miscoded claims — and managing it proactively, so that the mechanisms are in place to prevent those failures before they occur.
The AHIMA Information Governance Adoption Model (IGAM) provides a maturity framework built around eight core information governance principles. Accountability establishes designated data ownership so that every data element has a responsible steward. Transparency requires documented, accessible policies that staff and auditors can verify. Integrity ensures that data is accurate and trustworthy from point of entry through archival. Protection means proactive safeguards — not just reactive security responses. Compliance addresses regulatory adherence across the full spectrum of applicable law: HIPAA, CMS Conditions of Participation, state health records laws, and payer-specific requirements. Availability guarantees that the right data reaches the right people at the right time to support patient care. Retention establishes legally compliant timelines for how long different record types must be preserved. Disposition governs the secure, verifiable destruction of records that have reached end of life.
What information governance looks like in practice: a health system with mature IG has a Chief Information Governance Officer — or a VP of HIM who carries equivalent authority — with documented data stewardship policies mapped to specific data types and use cases. It has a formal data quality management program with defined metrics and regular reporting. It has retention schedules built in coordination with legal counsel and updated when state law changes. It runs regular governance audits, not just compliance audits. A health system without mature IG has siloed systems where the same patient might have three different medical record numbers across three facilities. It has inconsistent coding practices that produce inflated denial rates. It has HIPAA vulnerabilities that remain undiscovered until someone files a complaint or a breach occurs. It has rising denial rates that nobody can trace to a root cause because the data quality isn't good enough to support that analysis.
The business case for information governance is no longer theoretical. Organizations with formal IG programs report 23% fewer data breaches (Ponemon Institute, 2023), measurably lower denial rates because data quality problems are caught at the source rather than discovered by payers, and stronger performance on regulatory audits because governance documentation demonstrates systematic compliance rather than reactive scrambling. Governance isn't overhead. It's the infrastructure that makes every other healthcare operation function reliably.
"Information governance is what separates organizations that manage health data from organizations that are managed by it."
Medical Records Management — Legal Obligations and Operational Reality
Medical records management — the custodianship, organization, and access control of the official health record — sits at the intersection of clinical operations, legal obligation, and patient rights. The "official medical record" is simultaneously a clinical document and a legal instrument. When it's used as evidence in a malpractice case, the accuracy and completeness of that record can determine the outcome. When it's used to justify a billing claim, its specificity determines payment. When it's requested by a patient seeking a second opinion, its completeness determines whether the receiving provider has what they need to make a good clinical decision. Errors in the medical record are errors in all of those contexts at once.
Retention requirements are more complex than most administrators appreciate, and the consequences of non-compliance are real. The Medicare hospital Conditions of Participation require that medical records be retained for at least 5 years (42 CFR §482.24(b)(1)); other CMS program rules, such as those for Medicare Advantage organizations, run to 10 years (42 CFR §422.504). HIPAA does not set a retention period for medical records at all, but it does require that the policies, procedures and other compliance documentation governing PHI be retained for 6 years from creation or last effective date (45 CFR §164.316(b)(2) and §164.530(j)); note that this applies to the documentation of the privacy and security program, not to the records themselves. State laws vary dramatically and frequently exceed the federal minimums: California requires 7 years (and, for minors, at least until the patient turns 19), Texas requires 10 years, and New York requires 6 years. For pediatric records, many states count from the age of majority rather than from the date of service, so a newborn's record may have to be held for two decades or more before disposition is permitted. Multi-state health systems must apply the most stringent requirement that covers each record, which is a governance challenge that requires explicit, documented policy and technology support.
Digitization and its implications deserve more attention than they typically receive in HIM discussions. Converting paper records to electronic format eliminates physical storage costs and enables search and retrieval at scale, but introduces new governance requirements that must be addressed explicitly. Metadata integrity (who scanned the document, when, from which source, and whether the image has been altered since) is what allows the electronic copy to stand in for the original as a legal record. Format migration as technology changes over retention periods that run a decade or more is a genuine technical challenge: the PDF/A format exists specifically for long-term archival because standard PDFs can become unrenderable as software evolves. Scan quality verification is a compliance requirement, not just a quality preference. And the access audit trail (who viewed what record, when, and for what stated purpose) is both a HIPAA Security Rule requirement (audit controls, 45 CFR §164.312(b)) and the primary tool for detecting inappropriate access, but only if someone actually reviews it against a source of truth for which users have a treatment relationship with each patient. The transition from paper to electronic also creates a gap period where records may exist in both formats, requiring explicit policy about which version is the "official record" and how discrepancies are resolved.
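The audit trail only detects inappropriate access if it is reviewed against something that says who should be in a chart. The Python below is an added example, not code from this page or from any EHR vendor: it parses a constructed pipe-delimited access log, cross-checks each access against a constructed care-team roster (in a real system this comes from encounters, orders and unit assignments), and flags employee self-lookups, access with no documented treatment relationship, and break-the-glass events that need attestation review. The log format, the roster, the purpose codes and the user-to-MRN mapping are all assumptions made for the example.

```python
"""Review EHR access-log entries for inappropriate access.

Added example (not from the original page or any EHR product). The log
format, care-team roster and user-to-MRN mapping below are constructed
for illustration; real audit logs and relationship data differ.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed audit log: timestamp|user_id|patient_mrn|action|stated_purpose
SAMPLE_LOG = """\
2024-03-04T08:12:09|dr_patel|MRN1001|VIEW|treatment
2024-03-04T08:14:30|rn_lopez|MRN1001|VIEW|treatment
2024-03-04T09:02:11|clerk_kim|MRN1001|PRINT|release_of_information
2024-03-04T12:40:57|rn_lopez|MRN2002|VIEW|treatment
2024-03-04T13:05:44|rn_lopez|MRN2002|VIEW|break_the_glass
2024-03-04T22:15:03|dr_patel|MRN3003|VIEW|treatment
"""

# Constructed: documented treatment relationships (in practice derived
# from encounters, orders and unit assignments, not maintained by hand).
CARE_TEAM: Dict[str, Set[str]] = {
    "MRN1001": {"dr_patel", "rn_lopez"},
    "MRN2002": {"dr_chen"},
    "MRN3003": {"dr_patel"},
}
# Constructed: workforce members who are also patients of the system.
USER_MRN: Dict[str, str] = {"dr_patel": "MRN3003"}
# Purposes justified by role rather than by a care relationship; these are
# governed by other controls (e.g. a validated ROI request) and skipped here.
ROLE_BASED_PURPOSES = {"release_of_information", "payment", "operations"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    mrn: str
    reason: str


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the pipe-delimited constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action, purpose = line.split("|")
        events.append({"ts": ts, "user": user, "mrn": mrn,
                       "action": action, "purpose": purpose})
    return events


def review_access(events: List[Dict[str, str]],
                  care_team: Dict[str, Set[str]],
                  user_mrn: Dict[str, str]) -> List[Finding]:
    """Return one Finding per event that needs privacy-officer review."""
    findings: List[Finding] = []
    for e in events:
        # Employee looking at their own chart: always routed for review,
        # even when that employee is also on the care team.
        if user_mrn.get(e["user"]) == e["mrn"]:
            findings.append(Finding(e["ts"], e["user"], e["mrn"], "self-access"))
            continue
        if e["purpose"] in ROLE_BASED_PURPOSES:
            continue
        if e["purpose"] == "break_the_glass":
            findings.append(Finding(e["ts"], e["user"], e["mrn"],
                                    "break-the-glass: attestation review"))
        elif e["user"] not in care_team.get(e["mrn"], set()):
            findings.append(Finding(e["ts"], e["user"], e["mrn"],
                                    "no documented care relationship"))
    return findings


def run_review() -> List[Finding]:
    """Run the review over the constructed sample log."""
    return review_access(parse_log(SAMPLE_LOG), CARE_TEAM, USER_MRN)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.timestamp} {f.user} -> {f.mrn}: {f.reason}")
```

On the sample data this produces three findings: the nurse viewing MRN2002 without being on that patient's care team, the same nurse's break-the-glass access to the same chart an hour later, and the physician opening their own record. The value of the check depends entirely on the care-team source being authoritative; a roster that is stale or hand-maintained produces either noise or silence. Common extensions are a watch list for high-profile patients, same-surname or same-address lookups, and per-user volume spikes.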
Patient rights under HIPAA and the 21st Century Cures Act have expanded significantly and HIM departments must operationalize them. Under HIPAA, patients have the right to access their records within 30 days of request (one 30-day extension is permitted with written notice explaining the delay), the right to receive electronic copies when records are maintained electronically, the right to request amendments to records they believe are inaccurate, and the right to receive an accounting of disclosures for most non-routine uses. Since the information blocking provisions of the ONC Cures Act Final Rule took effect in 2021 and expanded to all electronic health information in October 2022, information blocking (defined broadly to include policies or practices that impede patient record access) is a federal violation. Health IT developers and health information networks and exchanges face civil monetary penalties of up to $1 million per violation; providers are subject to the separate disincentives HHS finalized in 2024, which carry Medicare payment consequences. Health systems that erected artificial barriers to patient record access for competitive or administrative convenience have had to dismantle those practices.
Clinical Documentation Improvement — Where HIM Meets Revenue
CDI is perhaps the highest-ROI function within health information management, and it operates on a deceptively simple premise: physician documentation, written in clinical language, must be translated into billing codes. The specificity of that documentation — whether a condition is documented as "heart failure" or "acute systolic heart failure with reduced ejection fraction (HFrEF)" — determines the DRG assigned, which determines what Medicare or a commercial payer reimburses the hospital for that patient's entire stay. CDI specialists exist to bridge that gap between clinical language and billing language, in real time, while the patient is still in the hospital.
Understanding why CDI exists requires understanding the DRG system. When CMS introduced Diagnosis Related Groups in 1983, it fundamentally changed hospital reimbursement: instead of paying for actual costs incurred, Medicare began paying a fixed amount based on the patient's principal diagnosis and procedure. A patient with a more complex, resource-intensive condition generates a higher DRG weight and therefore higher payment. The medical record must document that complexity with specificity for the DRG to accurately reflect the true case. A hospital treating a patient with multiple serious comorbidities but documenting only the presenting complaint is receiving payment that understates the actual care complexity — and leaving legitimate revenue on the table. CDI programs were created specifically to address that gap, ensuring that documentation reflects the full clinical picture before the claim is submitted.
The financial impact of effective CDI programs is measurable and substantial. Hospitals with robust CDI programs have a Case Mix Index 15–20% higher than those without structured programs, according to 3M Health Information data, and CMI is the multiplier on every DRG payment the hospital receives. Each CDI query that results in more specific physician documentation adds an average of $1,200–$8,000 per encounter in appropriate, legitimate reimbursement (AAPC). For a medium-size hospital with 20,000 inpatient encounters annually, a 5-point improvement in query response rate (from 85% to 90% of queries answered by physicians) means roughly 1,000 additional answered queries per year if every encounter carries a query; at $1,200–$8,000 each, that is $1.2M–$8M in additional legitimate revenue capture, and proportionally less when only a fraction of encounters generate a query. This is not an inflated projection; it is the arithmetic of DRG-based reimbursement when documentation is complete versus incomplete.
The CDI workflow runs concurrently with patient care, not after it. When a patient is admitted, a CDI specialist reviews the admission documentation within 24 hours, identifying conditions mentioned but not specified, comorbidities that may be relevant to DRG assignment, and potential clinical indicators (lab values, imaging findings, medication orders) that suggest diagnoses not yet documented. During the patient's stay, the CDI specialist sends concurrent queries to the attending physician — via the EHR messaging system or a dedicated CDI platform — asking for clarification or additional specificity: "The patient's BNP is 980 and she is receiving IV diuretics. Can you document whether this represents acute systolic heart failure, acute diastolic heart failure, or combined systolic and diastolic heart failure?" After discharge, coders assign the final ICD-10 and CPT codes based on the complete record. When payers deny claims, the CDI documentation — including the physician's original query response — forms the backbone of the appeal.
CDI programs are measured on two primary metrics that together define program effectiveness. Query response rate — the percentage of CDI queries answered by physicians — should target at least 90%; below that level, either physician engagement is low or the query volume is unsustainable. Query agreement rate — the percentage of answered queries that result in an actual documentation change — should target at least 80%; below that level, the queries may be low quality, speculative, or clinically inaccurate, which creates compliance risk. Programs also track CMI trends over time to confirm that documentation improvements are translating to appropriate reimbursement, denial rates attributed specifically to documentation issues rather than other causes, and coding accuracy rates to detect systematic errors in final code assignment.
AI's impact on CDI is already significant and accelerating. Natural language processing tools now analyze clinical documentation in real time, identifying potential CDI opportunities before the physician leaves the unit — not after the patient is discharged when physician recall and motivation to clarify are both lower. Nuance's AI CDI tools process documentation in seconds and surface potential queries at the point of care. Optum's NLP platform resolves approximately 60% of CDI queries automatically without requiring a human specialist to compose and send the query — a capacity multiplier that allows CDI teams to cover more encounters with the same staffing. These tools do not replace CDI specialists. They enable CDI specialists to work at higher volume and on more complex cases, while routine documentation gaps are handled automatically. For verified results from AI-assisted documentation tools, see our healthcare AI ROI analysis.
Release of Information — The HIPAA Compliance Workflow
Release of information is the process of disclosing patient health records to authorized requestors — other providers coordinating care, payers adjudicating claims, attorneys managing litigation, government agencies conducting investigations, and patients exercising their own right of access. The function sounds straightforwardly administrative. It is anything but: every ROI decision is a legal compliance decision. Getting it wrong — disclosing records without valid authorization, releasing more information than the minimum necessary, processing an authorization form that doesn't meet HIPAA requirements — creates HIPAA liability that can result in civil penalties, OCR investigations, and corrective action plans that cost far more than the operational investment in proper compliance systems.
The HIPAA compliance framework for ROI is more nuanced than a simple authorized/unauthorized binary. Disclosures for treatment, payment, and healthcare operations (the "TPO" carve-out) are permitted without patient authorization, because the Privacy Rule recognizes that healthcare cannot function if every record disclosure for routine operational purposes requires a separate patient signature. Most other purposes require a HIPAA-compliant written authorization from the patient, and HIPAA specifies exactly what that authorization must contain (45 CFR §164.508(c)). The core elements are a specific and meaningful description of the information to be disclosed, the name or class of persons authorized to make the disclosure, the name or class of persons to whom it may be made, a description of each purpose (a statement such as "at the request of the individual" suffices when the patient initiates the request), an expiration date or expiration event, and the patient's signature and date (with a description of the representative's authority if someone signs on the patient's behalf). The authorization must also contain three required statements: the patient's right to revoke and how to do so, whether treatment, payment, enrollment or eligibility is conditioned on signing, and the potential for the recipient to redisclose the information outside HIPAA's protection. An authorization that omits any of these elements is defective under HIPAA, and processing it exposes the organization to liability. The Minimum Necessary Standard applies to most disclosures other than treatment, disclosures to the patient, and disclosures made under a valid authorization: the organization must make a reasonable effort to disclose only the information actually needed for the stated purpose, not the entire medical record when only recent lab results are requested.
The operational challenge of ROI at scale is significant. A mid-size hospital ROI department may process 300–500 requests per month — from attorneys requesting records for personal injury litigation, from life insurance companies conducting underwriting, from disability adjudicators evaluating claims, from patients requesting their own records, from researchers seeking de-identified data. Manual processing — verifying authorization validity, pulling the relevant records, applying minimum necessary filtering, packaging the response, generating the audit trail — averages 15–20 minutes per request. Automated ROI platforms (Ciox, MRO Corp, IOD) process routine requests in under 2 minutes — a 90% reduction in processing time. More importantly, automation enforces HIPAA compliance on every single request through the same logic every time: authorization validation checks for all required HIPAA elements, minimum necessary filtering applies consistently regardless of which staff member processes the request, audit trail generation is automatic and tamper-evident, and expiration tracking prevents processing requests against authorizations that have expired. For health systems managing thousands of monthly ROI requests, automation is not optional — it is the only mechanism available for maintaining consistent compliance at that volume.
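The automated checks described above (required-element validation, expiration tracking, and a tamper-evident audit trail) can be made concrete. The Python below is an added example, not code from this page or from Ciox, MRO or IOD: it checks an authorization for the content that 45 CFR §164.508(c) requires, refuses expired or revoked ones, and appends each decision to a SHA-256 hash chain so that a later edit to any logged decision is detectable. The field names, the sample authorizations and the reference date are assumptions; the regulation specifies elements, not a data format.

```python
"""Validate a HIPAA authorization and log the decision tamper-evidently.

Added example (not from the original page or any ROI vendor). Field names,
the sample authorizations and the reference date are constructed; the
required content comes from 45 CFR 164.508(c), which specifies elements,
not a data format.
"""
import hashlib
import json
from datetime import date
from typing import Dict, List, Tuple

# Core elements (164.508(c)(1)) and required statements (164.508(c)(2)).
REQUIRED_FIELDS = (
    "information_described", "disclosing_party", "recipient", "purpose",
    "expiration", "signature", "signed_on",
    "revocation_statement", "conditioning_statement", "redisclosure_statement",
)

GENESIS = "0" * 64  # prev-hash of the first audit record


def validate_authorization(auth: Dict[str, str], today: date) -> Tuple[bool, List[str]]:
    """Return (valid, problems) for one authorization as of `today`.

    Missing elements make the form defective on its face; an expiration
    date earlier than `today` or a recorded revocation make it unusable
    even if it was valid when signed. An expiration given as an event
    ("event: end of research study") cannot be checked by date here.
    """
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not auth.get(f)]
    exp = auth.get("expiration", "")
    if exp and not exp.startswith("event:"):
        try:
            if date.fromisoformat(exp) < today:
                problems.append("expired")
        except ValueError:
            problems.append("unparseable expiration")
    if auth.get("revoked_on"):
        problems.append("revoked")
    return (not problems, problems)


def _digest(body: Dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_audit(chain: List[Dict], entry: Dict) -> Dict:
    """Append `entry` to `chain`, linking it to the previous record's hash."""
    body = {**entry, "prev": chain[-1]["hash"] if chain else GENESIS}
    record = {**body, "hash": _digest(body)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict]) -> bool:
    """True only if every record's hash is intact and links to its predecessor."""
    prev = GENESIS
    for record in chain:
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != record["hash"]:
            return False
        prev = record["hash"]
    return True


def process_request(auth: Dict[str, str], chain: List[Dict], today: date) -> str:
    """Decide one ROI request and record the decision; returns the decision."""
    ok, problems = validate_authorization(auth, today)
    decision = "disclosed" if ok else "rejected"
    append_audit(chain, {
        "date": today.isoformat(), "request_id": auth.get("request_id", ""),
        "recipient": auth.get("recipient", ""), "decision": decision,
        "problems": problems,
    })
    return decision


# Constructed sample authorizations (not real requests).
VALID_AUTH = {
    "request_id": "REQ-1", "information_described": "lab results 2024-01 to 2024-03",
    "disclosing_party": "Example Hospital HIM", "recipient": "Example Insurance Co",
    "purpose": "disability claim", "expiration": "2025-06-30",
    "signature": "J. Doe", "signed_on": "2025-01-02",
    "revocation_statement": "yes", "conditioning_statement": "yes",
    "redisclosure_statement": "yes",
}
EXPIRED_AUTH = {**VALID_AUTH, "request_id": "REQ-2",
                "expiration": "2024-12-31", "redisclosure_statement": ""}
TODAY = date(2025, 1, 15)  # constructed reference date


if __name__ == "__main__":
    chain: List[Dict] = []
    print(process_request(VALID_AUTH, chain, TODAY))    # disclosed
    print(process_request(EXPIRED_AUTH, chain, TODAY))  # rejected
    print(verify_chain(chain))                          # True
    chain[0]["decision"] = "rejected"                   # back-dated edit
    print(verify_chain(chain))                          # False
```

Two caveats a practitioner would add. First, the element check only proves the form is complete, not that the signature is genuine or that the requester is who they claim; identity verification of the requester is a separate control. Second, a hash chain detects edits to individual records but not a wholesale rewrite of the entire log by someone with write access to it, so the current head hash needs to be anchored somewhere the log's administrators cannot alter (write-once storage, a periodically signed checkpoint, or an external log), which is what makes the trail tamper-evident rather than merely self-consistent.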
Health Data Interoperability — The Governance Perspective
Interoperability governance is the policy and compliance dimension of health data exchange. The questions at its center are governance questions, not technical ones: Who is authorized to share what data with whom? Under what legal agreements? With what safeguards applied in transit and at rest? With what patient consent mechanisms? What happens when a breach occurs? The technology that enables interoperability — FHIR APIs, HL7 interfaces, health information exchange networks — is covered in our companion systems guide. This section covers the governance framework that determines who can do what with health data, under what legal conditions, and what the enforcement consequences are for getting it wrong.
The 21st Century Cures Act, signed in 2016 and implemented through the ONC Final Rule in 2021, made information blocking a federal violation with teeth. An information blocking practice is defined as any action by a healthcare provider, health IT developer, or health information network or exchange that "is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information" unless a recognized exception applies. Health IT developers and networks or exchanges that engage in information blocking face civil monetary penalties of up to $1 million per violation; providers face the disincentives HHS finalized in 2024, which operate through Medicare payment programs rather than fines. HIM professionals must understand the recognized exceptions (eight in the original rule, with ONC adding more since), including the Preventing Harm, Privacy, Security, Infeasibility and Health IT Performance exceptions, and must be able to document why a given data withholding practice qualifies under an exception if the organization is challenged. A practice that meets every condition of an exception is not information blocking; one that does not is judged on whether the actor knew, or should have known, that it was likely to interfere with access, so the documentation showing which exception applies and how its conditions were met is the organization's defense.
TEFCA governance represents the most significant development in national health information exchange policy since HIPAA. The Trusted Exchange Framework and Common Agreement, operationalized in 2023 through the ONC, creates a national policy framework that enables any TEFCA participant to exchange data with any other TEFCA participant through a network of Qualified Health Information Networks (QHINs). For HIM professionals, TEFCA changes the compliance landscape in a specific way: participating organizations must align their data sharing agreements, consent mechanisms, and access control policies with TEFCA terms and their QHIN's operating rules. Data that flows through TEFCA is subject to standardized data use limitations, security requirements, and breach notification obligations that may differ from an organization's existing bilateral data sharing agreements. Staying current with TEFCA governance requirements — and ensuring that contracts and internal policies reflect those requirements — is an active HIM governance function, not a one-time implementation task.
Data sharing agreements are the legal instruments that govern health data exchange, and managing their lifecycle is a core HIM governance responsibility. Business Associate Agreements — required by HIPAA for any vendor or contractor who handles protected health information — must specify the permitted uses of PHI, security obligations, breach notification requirements, and data return or destruction at contract termination. Organizations participating in HIE networks require additional network participation agreements governing their specific obligations as senders and receivers of data. Multi-facility health systems may have dozens or hundreds of active BAAs and participation agreements at any given time. Managing that portfolio — maintaining current, executed versions; monitoring compliance; triggering contract updates when an underlying legal requirement changes; terminating agreements for vendors who no longer have access — is the operational reality of interoperability governance. Organizations that treat this as a one-time legal task rather than an ongoing governance function accumulate compliance gaps that become expensive when discovered.
HIM Roles, Certifications, and Career Paths
Health information management is a professional discipline with a formal credential structure, established career paths, and growing demand. AHIMA, founded in 1928 as the American Association of Medical Record Librarians, administers the primary HIM credentials and sets professional standards that govern practice across the field. HIM professionals work across virtually every segment of the healthcare system: acute care hospitals, ambulatory surgery centers, physician practices of all sizes, insurance payers and managed care organizations, consulting firms that support provider coding and compliance programs, federal and state government agencies including CMS and state health departments, and healthcare IT vendors who require clinical expertise to build and configure their products. The variety of settings and roles makes HIM one of the more flexible career paths in healthcare — one where a clinician-adjacent professional can build a 30-year career without ever providing direct patient care.
| Role | Median Salary (BLS 2024) | Credential | Primary Function |
|---|---|---|---|
| HIM Director | $98,350 | RHIA | Strategic leadership, compliance program |
| CDI Specialist | $72,000 | CCDS, CDIP | Documentation quality, CMI optimization |
| Coding Specialist | $47,180 | CCS, CPC | ICD-10/CPT code assignment |
| Privacy Officer | $85,000–$120,000 | CHPC | HIPAA enforcement, breach response |
| HIM Informaticist | $104,000 | CPHIMS (HIMSS) | EHR optimization, analytics, interoperability |
| ROI Specialist | $38,000–$52,000 | — | HIPAA-compliant record disclosure |
The credential landscape reflects the range of specialization within HIM. The RHIA (Registered Health Information Administrator) is the management-level credential, requiring a bachelor's degree in HIM or a related field and successful completion of the AHIMA national exam. RHIA holders typically serve in leadership roles: HIM directors, compliance program managers, informatics leads. The RHIT (Registered Health Information Technician) is the technical-level credential, requiring a two-year associate degree and passing the AHIMA exam; it is the entry point into professional practice for many HIM careers and a foundation from which RHITs often pursue RHIA credentials and advanced roles. The CCS (Certified Coding Specialist) validates expertise in hospital coding, inpatient and outpatient, using ICD-10-CM, ICD-10-PCS and CPT. The CDIP (Clinical Documentation Improvement Practitioner) credential, administered by AHIMA, and the CCDS (Certified Clinical Documentation Specialist), administered by ACDIS, both serve CDI specialists; the AHIMA credential emphasizes HIM foundations while the ACDIS credential emphasizes clinical knowledge. The CHPC (Certified in Healthcare Privacy Compliance), administered by the Compliance Certification Board, focuses on the HIPAA privacy and compliance specialization that has become a distinct career path as enforcement has intensified.
The Bureau of Labor Statistics projects 16% employment growth for health information technologists and medical registrars from 2022 to 2032, compared to the 3% average growth projected for all occupations (the separate medical records specialist occupation, which includes most coders, is projected to grow more slowly, in the single digits). That gap reflects three converging demand drivers. First, the aging U.S. population is increasing healthcare utilization across every care setting, generating more records, more coding work, more compliance obligations, and more data governance complexity. Second, EHR adoption is still expanding, particularly in small practices, behavioral health settings, and post-acute care, and each new adoption requires HIM expertise for implementation, training, and ongoing optimization. Third, the regulatory and reimbursement environment continues to grow more complex: ICD-10-CM adds new codes annually, payer requirements vary and evolve, and the interoperability mandates of the 21st Century Cures Act are generating new governance workload. Remote work is well-established in coding, CDI, and ROI, functions that are computer-based, productivity-measurable, and independent of physical location. HIM is, consequently, one of the most location-flexible career paths in all of healthcare.
AI Is Transforming Health Information Management — But Not Replacing It
AI is changing every function within HIM, but the nature of the change is more nuanced than the "automation replacing jobs" narrative that tends to dominate these discussions. In most HIM functions, AI is handling the volume work — processing the tenth identical release of information request that follows an identical authorization pattern, suggesting the obvious ICD-10 code for a straightforward diagnosis, flagging the routine documentation gap where a physician documented "pneumonia" without specifying the organism. HIM professionals are being freed from that volume work to focus on the complex, ambiguous, and high-stakes decisions that require professional judgment: the unusual coding scenario where the guidelines conflict, the CDI query that requires clinical knowledge to phrase correctly, the privacy exception that requires legal analysis rather than rule application.
AI-assisted coding is producing results that are measurable against professional benchmarks. Nym Health's AI coding platform achieves 97% coding accuracy on processed claims — compared to the 85% human average for first-pass coding accuracy (AHIMA 2024 benchmark). That 12-percentage-point gap translates directly to denial rates: every miscoded claim that reaches a payer costs the provider an average of $118 in rework costs in addition to the payment delay. Ambient clinical intelligence tools — Nuance DAX, Suki, Nabla — generate physician documentation in real time from recorded patient encounters, reducing documentation time by up to 79% in the UCLA randomized clinical trial published in NEJM AI (238 physicians, 72,000 encounters). The physician reviews the AI-generated note and approves or edits it; the resulting documentation is more complete and more specific than the typical physician-authored note because the AI captures everything said during the encounter rather than what the physician had time and energy to document at the end of a 10-hour shift.
Automated CDI and NLP are redefining the scale at which CDI programs can operate. NLP platforms analyze clinical notes continuously, identifying potential CDI opportunities in real time without requiring a CDI specialist to read every chart in sequence. Optum's platform resolves approximately 60% of CDI queries automatically — not by guessing, but by identifying cases where the clinical evidence in the record is sufficient to support a specific documentation update without requiring physician clarification. The result is not fewer CDI specialists; it is CDI specialists managing higher case volumes, more complex queries, more sophisticated denial management work, and more strategic program improvement rather than spending the majority of their time on routine, straightforward documentation reviews. The CDI specialists at hospitals using these platforms are doing more intellectually demanding, higher-value work — and those hospitals are capturing more appropriate revenue as a result.
The HIM professional who understands AI tools — who can supervise NLP coding reviews and identify systematic errors, interpret AI-generated CDI suggestions and evaluate their clinical accuracy, manage automated ROI workflows and audit their compliance output — will have increasing demand through 2030 and beyond (Gartner Healthcare Technology Trends, 2024). The credential matters, but it's a necessary condition, not a sufficient one. Adaptability — the willingness to learn new tools, challenge existing workflows, and position HIM expertise alongside technology rather than in opposition to it — is the differentiator. For the verified ROI data from AI tools deployed across hospitals — including the 79% documentation time reduction and $1M revenue recovery cases — see our healthcare AI ROI analysis.
Your Documentation Governs Your Revenue
75% of claim denials trace back to HIM failures — coding errors, documentation gaps, authorization misses. Our free denial analysis identifies exactly where your HIM workflows are costing you money and maps a prioritized automation roadmap.
Get Your Free Denial Analysis