Introduction
Architecture documentation is the most neglected deliverable in healthcare IT projects. Teams spend months sizing servers, negotiating vendor contracts, and testing HL7 interfaces — then hand off a production system with nothing more than a spreadsheet of IP addresses and a Visio file from the original proposal that no longer matches reality.
The consequences show up at the worst possible moments. A critical PACS outage at 2 AM, and the on-call engineer has no diagram showing which interface engine routes worklist queries to which modalities. A new integration engineer joins the team and spends three weeks reverse-engineering data flows that a single architecture diagram would have explained in minutes. A compliance auditor asks for evidence of network segmentation between clinical and administrative systems, and the team scrambles to reconstruct what should have been documented from day one.
This guide covers everything a healthcare IT practitioner needs to produce professional architecture documentation — what systems to include, which protocols to label, how to organize diagrams by pattern, and how to maintain living documents that stay useful long after go-live. Every recommendation here comes from real hospital deployments where the presence or absence of good documentation made a measurable difference in project outcomes.
If you want to build diagrams as you read, open the Healthcare IT Diagram Builder in another tab — it has pre-built nodes for every system type covered in this guide.
Why Architecture Documentation Matters
Architecture documentation serves five distinct purposes in healthcare IT, each with different stakeholders and different consequences when the documentation is missing.
Regulatory Compliance and Audit Readiness
Healthcare organizations operate under overlapping regulatory frameworks — HIPAA Security Rule, Joint Commission standards, HITRUST CSF, and increasingly SOC 2 Type II for cloud-connected systems. Every one of these frameworks requires evidence that the organization understands and controls its data flows.
HIPAA's Technical Safeguard requirements (45 CFR 164.312) specifically mandate access controls, audit controls, integrity controls, and transmission security for electronic protected health information (ePHI). Demonstrating compliance with these requirements is dramatically easier when you can produce a network architecture diagram that shows exactly where ePHI flows, which connections are encrypted, and where access control boundaries exist.
Joint Commission surveyors routinely ask IT teams to explain how clinical data moves between systems. A diagram that shows DICOM data flowing from modalities through a PACS to diagnostic viewers — with protocol labels, encryption indicators, and network zone boundaries — answers this question in seconds instead of hours.
Staff Onboarding and Knowledge Transfer
The average tenure of a healthcare IT engineer at a single organization is three to four years. Every departure takes institutional knowledge with it, and every new hire faces weeks of discovery before becoming productive.
Architecture documentation compresses this learning curve dramatically. A new PACS administrator who inherits a well-documented system can understand the complete imaging workflow — from modality acquisition through storage, routing, and viewing — on their first day. Without documentation, the same engineer spends weeks tracing connections, asking colleagues, and discovering configuration relationships through trial and error.
Incident Response and Disaster Recovery
When a production system fails at 2 AM, response time depends entirely on how quickly the on-call engineer can understand the system's dependencies. If the interface engine goes down, which systems lose connectivity? If the primary PACS storage fails, which failover path activates? If the HL7 feed from the HIS stops, which downstream systems are affected?
These questions are trivial to answer with a current architecture diagram. Without one, the engineer must mentally reconstruct the system topology while simultaneously troubleshooting — under pressure, with users waiting, and with the clock ticking on critical result delivery.
Vendor Evaluation and RFP Responses
When evaluating new systems or writing RFP responses, the architecture diagram becomes the shared language between the hospital team and vendor engineers. It shows what exists today, where the new system needs to integrate, and which interfaces need to be built or modified.
Vendors who receive a clear architecture diagram with their RFP can provide accurate scope estimates, realistic timelines, and precise integration specifications. Vendors who receive a vague description of "our PACS needs to connect to our HIS" will guess — and their guesses will be wrong in ways that surface during implementation, not during evaluation.
Go-Live Readiness Sign-Off
Every major healthcare IT deployment should include a go-live readiness review where stakeholders formally sign off that the system is ready for production use. Architecture documentation is a critical artifact in this review — it provides the definitive reference for what was built, how it connects, and what was validated.
The PACS Go-Live Checklist includes architecture diagram validation as one of its 47 checkpoint items. Without current documentation, the go-live review becomes an exercise in collective memory rather than a rigorous verification process.
What to Include in a Healthcare IT Network Diagram
A complete healthcare IT network diagram contains six layers of information. Missing any of these layers reduces the diagram's usefulness for at least one of the purposes described above.
Systems Inventory
Every system that participates in clinical data exchange should appear as a labeled node on the diagram. At minimum, each node should show:
- System name — the actual name used in the organization (e.g., "PACS" not "Picture Archiving and Communication System")
- Sub-label — the specific product, model, or function (e.g., "Sectra IDS7", "CT Scanner", "Mirth Connect")
- Category — visual grouping by function (Imaging, Clinical, Lab, Integration, Infrastructure, External)
The six system categories that cover virtually every healthcare IT architecture are:
| Category | Systems | Typical Count |
|---|---|---|
| Imaging | PACS, VNA, DICOM Router, Viewers, Modalities, 3D Workstations | 5–15 |
| Clinical | HIS, RIS, EHR/EMR, Order Entry (CPOE), Dose Manager, AI/ML | 3–8 |
| Lab | LIS, POCT Middleware, Analyzers, Blood Bank | 2–6 |
| Integration | Interface Engine, Integration Hub, API Gateway, FHIR Server | 1–4 |
| Infrastructure | Servers, Storage/SAN, Cloud, Routers, Firewalls, Load Balancers | 3–10 |
| External | Vendor Cloud, HIE, Telehealth, Patient Portal | 1–5 |
For a typical 500-bed hospital, expect 20 to 40 systems on a comprehensive architecture diagram. Smaller facilities might have 10 to 15. Multi-site health systems can exceed 100.
Protocol Labeling
Every connection between systems should be labeled with the protocol it carries. Unlabeled connections are the single most common deficiency in healthcare IT architecture diagrams — and the single most common cause of confusion during troubleshooting.
The protocols you will encounter most frequently:
| Protocol | Typical Use | Direction |
|---|---|---|
| DICOM | Image transfer, storage, query/retrieve | Modality → PACS, PACS → Viewer |
| DICOM MWL | Modality Worklist queries | RIS → Modality (via PACS or direct) |
| DICOM Q/R | Query/Retrieve operations | Viewer ↔ PACS, PACS ↔ VNA |
| HL7 v2.x | ADT, orders, results, scheduling | HIS ↔ Interface Engine ↔ RIS/LIS/PACS |
| FHIR | Modern API-based data exchange | EHR ↔ FHIR Server ↔ Apps |
| WADO-RS / DICOMweb | Web-based image retrieval | PACS → Web Viewer, Cloud Archive |
| TCP/IP | Generic network connectivity | Infrastructure links |
| VPN | Encrypted site-to-site tunnels | Multi-site connections, vendor access |
For detailed HL7 message types and interface patterns, see the HL7 Integration Guide.
Data Flow Direction
Every connection should indicate whether data flows in one direction or both. This distinction matters enormously for troubleshooting and capacity planning:
- Unidirectional: Modality → PACS (images flow one way; the modality pushes, the PACS stores)
- Bidirectional: RIS ↔ Interface Engine (orders flow from RIS to downstream systems, acknowledgments flow back)
- Query/Response: Viewer → PACS (viewer queries, PACS responds with images — the data flows both ways, but the relationship is asymmetric)
Use arrow direction to show primary data flow. Use bidirectional arrows only when both systems genuinely initiate data exchange. A common mistake is marking all connections as bidirectional because "data goes both ways" — but the distinction between a push, a pull, and a bidirectional exchange matters for troubleshooting.
Network Zones and Security Boundaries
Healthcare networks are segmented into zones with different trust levels and access controls. Your diagram should show these boundaries, because they determine where firewalls, VLANs, and access control lists apply.
Common zones in healthcare IT:
- Clinical Network — where modalities, workstations, and clinical applications reside
- Server/Data Center — where PACS, RIS, HIS, and interface engines run
- DMZ — where web-facing services, patient portals, and vendor remote access terminate
- External — vendor cloud services, HIE connections, telehealth platforms
- Administrative — business systems separated from clinical data flows
Failover and Redundancy Paths
Production healthcare IT systems require redundancy. Your diagram should show both primary and failover paths, clearly distinguished by line style:
- Solid lines for primary/active connections
- Dashed lines for failover, backup, or standby connections
This distinction is critical during incident response. When the primary path fails, the on-call engineer needs to know immediately whether a failover path exists and how to activate it.
Port Numbers and Firewall Rules
For infrastructure-level diagrams (typically maintained separately from application-level diagrams), include port numbers on each connection. The most common ports in healthcare IT:
| Protocol | Default Port | Notes |
|---|---|---|
| DICOM | 104, 11112 | AE Title + port define a DICOM endpoint |
| HL7 MLLP | 2575 | Often customized per interface |
| HTTPS | 443 | DICOMweb, FHIR, web viewers |
| SSH | 22 | Server management |
| SQL | 1433, 5432, 3306 | Database connections (MS SQL, PostgreSQL, MySQL) |
| VPN | 500, 4500 | IPsec IKE/NAT-T |
Common Healthcare IT Architecture Patterns
Most healthcare IT architectures are variations on five fundamental patterns. Understanding these patterns helps you recognize what you are documenting and ensures you do not miss critical connections.
Pattern 1: Single-Site PACS Network
The most common imaging architecture. A single hospital with modalities sending images to a central PACS, which serves diagnostic and clinical viewers.
Systems involved:
| System | Role | Key Connections |
|---|---|---|
| Modalities (CT, MR, US, XR) | Acquire images | → PACS (DICOM Store) |
| PACS | Central storage and routing | ← Modalities, → Viewers, ↔ RIS |
| RIS | Scheduling and reporting | ↔ PACS (MWL, status updates), ↔ HIS |
| Diagnostic Viewer | Radiologist reading stations | ← PACS (DICOM Q/R) |
| Clinical Viewer | Clinician image access | ← PACS (WADO-RS or DICOM) |
| Interface Engine | HL7 message routing | ↔ HIS, ↔ RIS, ↔ PACS |
Critical data flows:
- RIS sends worklist to modalities (DICOM MWL) — ensures patient demographics match
- Modalities push images to PACS (DICOM Store)
- PACS notifies RIS of completed studies (HL7 ORM/ORU via Interface Engine)
- Radiologist opens study in diagnostic viewer (DICOM Q/R from PACS)
For a complete implementation walkthrough of this pattern, see the PACS Implementation Guide.
Pattern 2: Multi-Site VNA Consolidation
Health systems with multiple hospitals consolidate imaging into a Vendor Neutral Archive that serves as the single source of truth across sites.
Systems involved:
| System | Role | Key Connections |
|---|---|---|
| Site A PACS | Local imaging for Hospital A | → VNA (DICOM, scheduled or real-time) |
| Site B PACS | Local imaging for Hospital B | → VNA (DICOM, scheduled or real-time) |
| VNA | Central archive for all sites | ← All site PACS, → Enterprise Viewer |
| Enterprise Viewer | Cross-site image access | ← VNA (DICOMweb/WADO-RS) |
| Cloud Archive | Long-term off-site storage | ← VNA (DICOM or proprietary) |
Critical data flows:
- Each site PACS routes completed studies to VNA (DICOM Store, often nightly batch or real-time forward)
- VNA deduplicates, normalizes, and stores studies in vendor-neutral format
- Enterprise Viewer queries VNA for cross-site access (DICOMweb preferred over legacy DICOM Q/R)
- Cloud archive receives a copy for disaster recovery and long-term retention
Pattern 3: HL7 Hub-and-Spoke Integration
The interface engine sits at the center, routing HL7 messages between all clinical systems. This is the backbone of virtually every hospital's clinical data integration.
Systems involved:
| System | Role | Message Types |
|---|---|---|
| HIS/EHR | Master patient and encounter source | ADT (A01–A08, A40), ORM |
| Interface Engine | Central routing and transformation | All HL7 message types |
| RIS | Radiology scheduling and reporting | ORM, ORU, SIU |
| LIS | Lab orders and results | ORM, ORU |
| PACS | Image storage and routing | ORM (order awareness), ORU (report status) |
| Pharmacy | Medication orders | RDE, RAS |
Critical data flows:
- HIS sends ADT messages to Interface Engine (patient admit, discharge, transfer, merge)
- Interface Engine fans out ADT to all downstream systems (RIS, LIS, PACS, Pharmacy)
- Clinical systems send results back through Interface Engine to HIS (ORU messages)
- Interface Engine transforms message formats between systems that use different HL7 versions or field mappings
For detailed HL7 message structures and interface engine configuration patterns, see the HL7 Integration Guide.
Pattern 4: Lab Integration Chain
Laboratory systems form a linear chain from point-of-care devices and analyzers through middleware to the LIS and ultimately the HIS.
Systems involved:
| System | Role | Key Connections |
|---|---|---|
| Analyzers | Run clinical tests | → POCT Middleware or → LIS (serial, TCP/IP, or ASTM) |
| POCT Middleware | Aggregate point-of-care results | ← POCT devices, → LIS (HL7 ORU) |
| LIS | Central lab information system | ← Analyzers, ← POCT, ↔ HIS (via Interface Engine) |
| Blood Bank | Blood product management | ↔ LIS (HL7), ↔ HIS |
| HIS | Receives verified lab results | ← LIS (HL7 ORU via Interface Engine) |
Critical data flows:
- POCT devices transmit results to middleware (proprietary or POCT1-A protocol)
- Middleware validates, aggregates, and forwards to LIS (HL7 ORU)
- LIS verifies results and sends to HIS via Interface Engine (HL7 ORU)
- Blood Bank exchanges crossmatch and transfusion data with LIS
Pattern 5: Radiology Department Workflow
A detailed view of the complete radiology workflow, from order entry through image acquisition, reporting, and result distribution.
Systems involved:
| System | Role | Key Connections |
|---|---|---|
| HIS/EHR | Order entry (CPOE) | → Interface Engine (ORM) |
| RIS | Scheduling, tracking, reporting | ↔ Interface Engine, → Modalities (MWL) |
| Modalities | Image acquisition | ← RIS (MWL), → PACS (DICOM Store) |
| PACS | Image archive and distribution | ← Modalities, → Viewers |
| 3D Workstation | Advanced post-processing | ← PACS (DICOM Q/R) |
| Diagnostic Viewer | Primary reading | ← PACS (DICOM Q/R) |
| Reporting | Structured reporting tools | ↔ RIS, → HIS (HL7 ORU) |
| Dose Manager | Radiation dose tracking | ← Modalities (DICOM RDSR) |
Diagram Conventions and Standards
Consistent visual conventions make diagrams readable across teams and over time. The following conventions are widely used in healthcare IT and are built into the Healthcare IT Diagram Builder.
Node Categorization and Color Coding
Assign each system to one of six categories with a consistent color:
| Category | Color | Hex |
|---|---|---|
| Imaging | Teal | #00E5C3 |
| Clinical | Blue | #60A5FA |
| Lab | Purple | #A78BFA |
| Integration | Amber | #F5A623 |
| Infrastructure | Gray | #94A3B8 |
| External | Red | #F87171 |
These colors should be consistent across all diagrams in your organization. When someone sees a teal node, they should immediately know it is an imaging system without reading the label.
Protocol Color Coding
Match connection colors to protocols for instant visual identification:
| Protocol | Color | Hex |
|---|---|---|
| DICOM (all variants) | Teal | #00E5C3 |
| HL7 | Amber | #F5A623 |
| FHIR | Blue | #60A5FA |
| TCP/IP | Gray | #94A3B8 |
| VPN | Purple | #A78BFA |
Line Styles
- Solid lines — active, primary connections carrying production traffic
- Dashed lines — failover paths, backup connections, planned future connections, or management/monitoring links
- Thick lines — high-volume data paths (optional, for emphasis)
Arrow Direction
- Single arrow — data flows in one direction (source → destination)
- Bidirectional arrows — both systems initiate data exchange
- Use the arrow to show the primary initiator. For DICOM, the arrow points from the sender (SCU) to the receiver (SCP). For HL7, the arrow points from the message sender to the receiver.
Diagram Versioning
Architecture diagrams are living documents. Establish a versioning practice:
- Include a date and version number in the diagram title or subtitle (e.g., "v2.3 — April 2026")
- Save snapshots before and after major changes (the Diagram Builder's save feature stores timestamped copies)
- Export a JSON backup after each significant update — this allows you to restore any previous state
- Maintain separate diagrams for different views: application-level (protocols and data flows), infrastructure-level (servers, ports, VLANs), and security-level (zones, encryption, access controls)
Using Architecture Diagrams in Project Delivery
Architecture documentation serves different purposes at different project phases. Here is how to use diagrams effectively throughout the healthcare IT project lifecycle.
Go-Live Readiness
During the go-live readiness review, the architecture diagram becomes a verification checklist. Walk through every connection on the diagram and confirm:
- The source system is configured and tested
- The destination system is configured and tested
- The protocol and port are correct
- Data has been validated end-to-end (test patient, test order, test image)
- Failover paths have been tested
- Firewall rules are in place and verified
This systematic walkthrough catches configuration gaps that random testing misses. The PACS Go-Live Checklist includes architecture validation as a formal checkpoint.
Change Management
Before making any production change — adding a new modality, replacing an interface engine, migrating to a new PACS — create a "before" and "after" diagram. This serves three purposes:
- Impact analysis — the "before" diagram shows every system that connects to the component being changed, making it impossible to miss a downstream dependency
- Change approval — stakeholders can visually compare the current state and proposed state, making the change request concrete rather than abstract
- Rollback documentation — if the change needs to be reversed, the "before" diagram shows exactly what to restore
Vendor Handoff Packages
When engaging a new vendor or system integrator, provide them with:
- The current architecture diagram (exported as PDF or PNG)
- A JSON export of the diagram (so they can load it into the Diagram Builder and annotate it)
- A connection inventory table extracted from the diagram
- Network zone and firewall documentation
This package eliminates the back-and-forth discovery phase that typically consumes the first two to four weeks of a vendor engagement.
Training Materials
Architecture diagrams with animated dataflow are exceptionally effective for training new team members. Instead of describing how an HL7 order flows from the HIS through the interface engine to the RIS and back, you can show it — with animated connections highlighting the path in real time.
The Diagram Builder's Presentation Mode is designed for exactly this use case: fullscreen canvas, no editing UI, Play/Pause controls for dataflow animation, and a clean visual that projects well in meeting rooms.
Stakeholder Presentations
Healthcare IT projects involve stakeholders who range from deeply technical (network engineers, DBAs) to non-technical (hospital administrators, clinical leadership). Architecture diagrams bridge this gap when they use clear labels, consistent colors, and minimal jargon.
For executive presentations, simplify the diagram to show only major systems and primary data flows. For technical deep-dives, use the full diagram with protocol labels, port numbers, and failover paths. The Diagram Builder's template system lets you maintain both views from the same starting point.
Building Your First Healthcare IT Diagram
This section walks through building a complete healthcare IT architecture diagram using the free Healthcare IT Diagram Builder. The tool runs entirely in your browser — no installation, no account, no data uploaded to any server.
Step 1: Choose a Starting Point
Open the Diagram Builder and click Templates in the toolbar. You will see five pre-built starting points:
- Hospital PACS Network — modalities, PACS, VNA, viewers, RIS
- HL7 Integration Map — HIS, interface engine, RIS, LIS, PACS hub-and-spoke
- Lab Network — analyzers, POCT middleware, LIS, blood bank, HIS
- Radiology Department — complete radiology workflow from orders to reports
- Multi-Site PACS — two hospitals with central VNA and cloud archive
Select the template closest to your architecture, or choose Blank Canvas to start from scratch.
Step 2: Add and Arrange Systems
From the Node Library on the left sidebar, drag systems onto the canvas. The library is organized into six categories matching the conventions described earlier in this guide. Each node snaps to a 16-pixel grid for clean alignment.
Position nodes to reflect the logical data flow direction — typically left-to-right or top-to-bottom for the primary workflow. Group related systems spatially (all modalities in one area, all clinical systems in another).
When you have multiple nodes to align, select them all (drag a selection box or Shift+click) and use the Align buttons in the right panel to snap them to a common edge or distribute them evenly.
Step 3: Draw Connections and Label Protocols
Click and drag from any connection point on one node to any connection point on another node. A new connection appears with a default protocol label.
Select the connection to open the Connection Editor in the right panel, where you can:
- Change the protocol (DICOM, HL7, FHIR, WADO-RS, DICOMweb, TCP/IP, VPN, HTTP, API, DICOM MWL, DICOM Q/R, or Custom)
- Set line style (solid or dashed)
- Enable bidirectional arrows
- Toggle animation on or off
- Set animation speed (Slow, Normal, Fast)
Step 4: Enable Animated Dataflow
Click Play in the toolbar to start the dataflow animation. Every connection with animation enabled will show flowing indicators along the connection path, giving stakeholders an intuitive sense of how data moves through the system.
Animation is particularly effective for:
- Demonstrating the order-to-image workflow in radiology
- Showing the HL7 message fan-out from an interface engine
- Visualizing failover scenarios (disable primary connections, enable failover)
Step 5: Save and Export
The Diagram Builder supports multiple output formats:
| Action | How | Access |
|---|---|---|
| Save to browser | Click Save or press Ctrl+S | Free — up to 20 diagrams stored locally |
| Export JSON | My Diagrams → Download JSON per entry | Free |
| Import JSON | Toolbar upload icon or My Diagrams → Import | Free |
| Export PNG | Export → PNG (2x resolution) | Email unlock |
| Export SVG | Export → SVG (vector, editable) | Email unlock |
| Export PDF | Export → PDF (A4 or Letter, landscape) | Email unlock |
For team distribution, export as PDF (includes title, subtitle, date, and branding) or PNG (embeddable in other documents). For backup and version control, export as JSON — this preserves the full diagram state and can be re-imported later.
Step 6: Present
Click Present in the toolbar to enter Presentation Mode. The editing UI disappears, leaving only the full-canvas diagram and a floating control bar with Play/Pause and Exit. Press Escape to return to editing mode.
Summary and Documentation Checklist
Architecture documentation is not a one-time deliverable — it is a living artifact that should be updated whenever the system changes. The cost of maintaining documentation is trivial compared to the cost of operating undocumented systems.
Best Practices
- Document during implementation, not after. The architecture diagram should be built alongside the system, updated at each milestone, and finalized at go-live — not created retroactively from memory.
- Use consistent conventions. Standardize node categories, protocol colors, and line styles across all diagrams in your organization. The six-category color scheme described in this guide is a proven starting point.
- Maintain multiple views. Keep separate diagrams for application-level (protocols and data flows), infrastructure-level (servers, ports, VLANs), and security-level (zones, encryption, access controls). Each audience needs a different level of detail.
- Version and date every diagram. Include the version number and date in the title. Save snapshots before and after major changes.
- Export backups regularly. JSON exports preserve the full diagram state. Store them alongside other project documentation in your version control or document management system.
- Use animation for presentations. Static diagrams explain architecture; animated diagrams demonstrate workflow. Use Presentation Mode when training new staff or presenting to stakeholders.
- Review quarterly. Schedule a quarterly review to verify that the diagram matches the current production state. Systems get added, interfaces get modified, and failover paths get reconfigured — the diagram should reflect reality, not a historical snapshot.
Architecture Documentation Checklist
Use this checklist to verify completeness before any go-live, compliance audit, or vendor handoff.
| Item | Included? | Notes |
|---|---|---|
| All production systems shown as labeled nodes | Include name + product/model | |
| Systems categorized by function (6 categories) | Imaging, Clinical, Lab, Integration, Infrastructure, External | |
| Every connection labeled with protocol | DICOM, HL7, FHIR, TCP/IP, VPN, etc. | |
| Data flow direction indicated (arrows) | Unidirectional vs. bidirectional | |
| Failover/backup paths shown (dashed lines) | Distinguish from primary connections | |
| Network zones/security boundaries marked | Clinical, server, DMZ, external | |
| Port numbers documented (infrastructure view) | At minimum for DICOM, HL7, HTTPS | |
| Diagram title includes version and date | e.g., "v2.3 — April 2026" | |
| PDF or PNG export for distribution | Include in project documentation | |
| JSON backup for version history | Store alongside project files | |
| Animated version for presentations | Use Presentation Mode | |
| Reviewed and signed off by stakeholders | Part of go-live readiness |
Related resources: PACS Implementation Guide · HL7 Integration Guide · PACS Go-Live Checklist · Healthcare IT Diagram Builder
Referenced Product
Healthcare IT Diagram Builder
The engineering-grade implementation toolkit that accompanies this guide. Built from the same real-world deployment experience covered above.