By January 31, 2023, general acute care hospitals, clinical labs and certain physician organizations and medical groups in California are required to enter into the Single Data Sharing Agreement (DSA) to participate in the California Health and Human Services Agency (CalHHS) Data Exchange Framework (DxF).
California Health and Safety Code § 130290 (adopted as part of Assembly Bill 133 in July 2021) established the DxF and requires providers and other health care organizations participating in the DxF (Participants) to share Health and Social Services Information (HSSI). The DxF is intended to “accelerate and expand the exchange of health information among health care entities, government agencies, and social services programs” by January 31, 2024. The key requirements of the DxF are set forth in the DSA and policies and procedures (P&Ps) published by CalHHS. Providers should be aware of the following 10 issues when assessing how the DxF will impact their health information sharing activities and privacy and security practices.
1. Most Providers Are Required to Sign the DSA by January 1, 2023
The DSA is a legal agreement that sets forth a common set of terms, conditions and obligations to support secure, real-time access to, or exchange of, HSSI between and among Participants. The DSA incorporates by reference P&Ps that further detail Participants’ compliance responsibilities under the DxF.
On November 29, 2022, CalHHS launched a Signing Portal to allow health care providers, plans and other health care organizations to sign the DSA.
By January 31, 2023, the following health care provider types are required to sign the DSA:
General acute care hospitals
Physician organizations and medical groups
Skilled nursing facilities
Health care service plans and disability insurers that provide hospital, medical or surgical coverage
Acute psychiatric hospitals.
By January 31, 2026, the following providers must sign the DSA:
Physician practices with less than 25 physicians
Long-term acute care hospitals
Acute psychiatric hospitals
Critical access hospitals
Rural general acute care hospitals with less than 100 acute care beds
State-run acute psychiatric hospitals
Nonprofit clinics with less than 10 providers.
2. The DxF Does Not Take Full Effect until January 31, 2024, and Additional P&Ps Have Yet to Be Published or Finalized
While most providers are required to sign the DSA by January 31, 2023, the DxF does not take full effect until January 31, 2024, allowing providers time to develop the necessary technical and compliance infrastructure to implement the DxF.
Furthermore, in anticipation of the January 31, 2023, deadline to sign the DSA, CalHHS is in the process of finalizing several additional P&Ps. As of December 15, 2022, there are at least five P&Ps still under construction:
Monitoring and auditing
Required transaction patterns and technology requirements for exchange
Real-time data exchange
The qualified health information organization (QHIO) designation process.
CalHHS is currently accepting stakeholder comments on the information blocking and monitoring and auditing P&Ps and is considering the introduction of a P&P governing early exchange of data under the DxF.
3. The DxF Incorporates Federal Information Blocking Prohibition and Exceptions
The DSA contains a general prohibition against information blocking, stating that “Participants shall comply with any information-blocking provisions set forth in the [P&P].” The current publicly available draft of the information blocking P&P includes exceptions that mirror most of the information blocking exceptions included in the final rule (ONC Final Rule) adopted by the US Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) under the 21st Century Cures Act’s information blocking provisions, but excludes the ONC Final Rule’s Content and Manner Exception, Licensing Exception and Fees Exception. However, based on the DxF Data Sharing Agreement Policies & Procedures Subcommittee webinar on December 15, 2022, it appears the next draft of the P&P will include the ONC Final Rule’s Content and Manner and Licensing Exception but not the Fees Exception.
Specifically, CalHHS has suggested that Participants will not be able to use the Fees Exception in a manner that would result in withholding data requested for a required purpose outlined in P&P #4 (Permitted, Required and Prohibited Purposes). This may result in a situation where fees for data exchange permitted under the ONC Final Rule and HIPAA are effectively prohibited under the DxF—limiting Participants’ ability to cover their costs to share health data. Additionally, some stakeholders are advocating for the exclusion of the Licensing Exception in the final P&P. Since the ONC Final Rule’s Content and Manner Exception cross-references the Fees and Licensing Exceptions, it is not clear how CalHHS will modify the Content and Manner Exception to address their omission from the P&P.
Due to significant ongoing discussion, CalHHS has not finalized the information blocking P&P and is still accepting public comments. Stakeholders can submit comments to CalHHS to help shape the next draft of the information blocking P&P. California providers should consider advocating for CalHHS to align the DSA and P&Ps with the ONC Final Rule to avoid inconsistent, burdensome requirements. We expect CalHHS to publicly release a new draft on the DxF website soon.
4. The DSA Requires the Exchange of HSSI
The DSA requires providers to exchange HSSI, defined in the DSA as “any and all information received, stored, processed, generated, used, transferred, disclosed, made accessible, or shared pursuant to the DSA, including . . . : data elements as set forth in the P&P; information related to the provision of health care services, including . . . PHI; and information related to the provision of social services.” While the DSA does state that HSSI “may include” de-identified data, pseudonymized data, metadata, digital identities and schema, P&P #8 (Data Elements to Be Exchanged), which is intended “to define the [HSSI] to which access is to be provided or that is to be exchanged by Participants,” appears to take a narrower approach in line with current federal standards (and the DSA prioritizes P&P language when it conflicts with DSA language). For example, P&P #8 may effectively narrow the definition of HSSI and align it with the definition of electronic health information (EHI) under the ONC Final Rule.
5. The DxF Does Not Replace Existing or Future Agreements That Provide for a Broader Amount of Data Sharing
The DxF creates a data sharing floor for California providers, but providers remain free to create agreements among themselves that allow for more data sharing, in compliance with applicable state and federal law.
6. Providers Must Get Authorization from Patients to Disclose Certain Information in the DxF
Before disclosing a patient’s Protected Health Information (PHI) or personally identifiable information (PII) through the DxF, providers must obtain all required authorizations under state and/or federal law from the patient. Participants who disclose PHI and/or PII through the DxF expressly represent that all patient authorizations or other consents required under state and/or federal law have been obtained.
7. The DxF Requires Health Information Exchange Beyond HIPAA’s Permissive Data Sharing Rules
While HIPAA permits the exchange of health information for treatment, payment, health care operations and public health activity purposes, the DxF requires Participants to exchange and provide access to HSSI for those purposes. Participants can also exchange or provide access to data under the DxF for other non-specified purposes, including to facilitate the sale of data, as permitted by law and with the appropriate authorizations and legal agreements.
8. Participants Are Required to Exchange HSSI in Real Time through the Avenue of Their Choice
The DSA requires Participants to exchange HSSI in real time. However, CalHHS has yet to finalize what constitutes as real-time data exchange. In a recent webinar, CalHHS indicated that if a Participant receives a request for diagnostic, health or social services, the Participant must share HSSI associated with such request as soon as practicable and no more than 24 hours after the data is available or immediately upon receipt of the request in emergency or urgent care situations.
Participants may exchange HSSI either through: (1) a QHIO, which is a state-designated non-participant data exchange intermediary that facilitates HSSI exchanges and access between Participants; (2) another Participant’s technology; or (3) the Participant’s own technology.
9. Participants Can Seek Amendment of the DSA and Modifications to the P&Ps
While Participants cannot negotiate personalized changes to the DSA with CalHHS, under P&P #1 (Process for Amending the DSA), Participants and any other stakeholders can submit a written request for amendment to the DSA for all Participants. CalHHS will determine if the proposed amendment merits consideration, followed by a comment period and an objection period. A task force established by CalHHS, in consultation with local partners and a stakeholder advisory group, will determine whether to approve the request for amendment of the DSA.
In addition, under P&P #2 (Modifications to Policies and Procedures), any Participant or other stakeholder can submit a written request to amend, repeal or establish a new P&P. CalHHS will evaluate these requests similarly to requests to amend the DSA.
10. California’s DxF Is Separate and Distinct from the Federal Trusted Exchange Framework and Common Agreement
Before the California legislature established the DxF, Congress directed ONC to create the voluntary Trusted Exchange Framework and Common Agreement (TEFCA) to govern the exchange of EHI between health information networks across the United States. While DxF and TEFCA have similar expectations for health information interoperability, those who participate in both frameworks must comply with both data sharing agreements.
If your organization has questions about the DxF, including its potential impacts on your privacy, security or information blocking compliance plans, please reach out to your McDermott lawyer or one of the contacts listed below.