CA Health Care Providers Must Join Statewide Data Sharing Agreement by 2024

Thank you to co-author Danny Costandy, a summer associate in Foley’s San Diego office, for his contributions to this post.

Many California health care providers, including hospitals and physician groups, will soon be required to sign on to California’s first-ever statewide data sharing agreement governing the exchange of health and social services information.

The new requirement neatly illustrates the exacting compliance standards faced by today’s health care providers: confidentiality laws that have long limited permissible disclosures of health information must now be considered alongside a new regime of rules designed to prevent obstruction of legitimate access to health information. Achieving compliance requires the perfect balance of disclosing what is required and holding back what is protected.

The new California law directs the California Health and Human Services Agency (CalHHS) to establish a Data Exchange Framework designed “to enable and require real-time access to, or exchange of, health information among health care providers and payers through any health information exchange network, health information organization, or technology that adheres to specified standards and policies.” The Data Exchange Framework is not a health information exchange or repository of data. It is a technologically agnostic set of standards for sharing information.

On July 5, 2022, CalHHS released on a State website the single data sharing agreement and an initial set of policies and procedures to implement the new law. The policies and procedures developed in this first round address topics such as required exchange of information, the data elements to be exchanged, breach notification, privacy and security safeguards, processes for amending the data sharing agreements and its policies and procedures, and the individual right to access. Forthcoming policies and procedures will address topics including information blocking, monitoring and auditing, enforcement, and technical requirements for exchange.

Who must participate in the Data Exchange Framework?

Execution of the Data Exchange Framework agreement will be mandatory by January 31, 2023 for general acute care hospitals, physician organizations and medical groups, skilled nursing facilities, health plans and disability insurers, Medi-Cal managed care plans, clinical laboratories, and acute psychiatric hospitals.

Most health care providers that execute the agreement will be obligated to begin sharing information for treatment, payment, or health care operations by January 31, 2024. Physician practices with fewer than 25 physicians, nonprofit clinics with fewer than 10 health care providers, and specified hospitals will not be required to share information until January 31, 2026.

The Data Exchange Framework will also be open to a range of other entities, including government agencies and private organizations. By statute, CalHHS must work with the California State Association of Counties to encourage the inclusion of county health, public health, and social services. Under the July 5, 2022 single data sharing agreement, participants may also include health information networks, community information exchanges, laboratories, health systems, health IT developers, community-based organizations, payers, research institutes, and social services organizations. The inclusive scope is consistent with the legislative goal expressed in Cal. Health & Safety Code § 130290(e) to “assist both public and private entities to connect through uniform standards and policies.”

What happens if a participant is not ready to exchange information by the statutory deadline?

Policies and procedures require a participant that is not technologically ready to exchange information by the applicable deadline to use best efforts to contract with another entity that provides data exchange services.

How does the Data Exchange Framework incorporate the social determinants of health?

An express goal of the new California law is to identify ways to incorporate data related to social determinants of health, such as housing and food insecurity, into shared health information. The single data sharing agreement applies to “health and social services information,” which includes information related to the provision of social services even when it would not otherwise be protected health information subject to HIPAA. The definition of “health and social services information” also extends to de-identified data, anonymized data, pseudonymized data, metadata, digital identities, and schema.

Will participants have new breach reporting obligations?

As implemented through policies and procedures, the new Data Exchange Framework will expand breach-reporting obligations for health care providers beyond HIPAA and State law. Participants are required to notify CalHHS and all impacted participants of a breach as soon as reasonably practicable after discovery. Further, the notification must be followed by a written report including “sufficient information for the recipient of the notification to understand the nature of the Breach.” These requirement go beyond existing rules for covered entities under HIPAA regulations, which do not mandate reporting to a California agency or other covered entities that have been “impacted.”

While certain licensed clinics and facilities must already report breaches to the California Department of Public Health within fifteen business days, they will now also be required to report the access, disclosure, or use of information in a manner not permitted by the Data Exchange Framework or any other applicable law to CalHHS, as well as to all participants impacted by the breach. It is not clear how a participant is expected to determine whether other participants must be notified of a breach because they have been impacted.

Despite these enhanced obligations, the final version of the breach notification policy and procedure retreats from a stricter set of proposed rules floated in an early draft of the policy, which would have required notification within a 72-hour timeframe followed by a written report within 10 calendar days. Based on posted meeting materials, CalHHS removed specific timeframes after receiving comments from stakeholders requesting that the policies not impose timeframes for breach notification different than those under existing laws.

Compliance tightrope for health care providers

The underlying Data Exchange Framework statute compels participating health care providers to share health information for treatment, payment, and health care operations when permissible under the law. As implemented in the policy and procedure addressing the purposes for which participants are required or permitted to exchange information, the obligation on participants is even broader: they must share “health and social services information” for treatment, payment, health care operations, and public health activities, unless prohibited by law or specific policies and procedures.

The proliferation of legal mandates to share information underscores the balancing act faced by health care providers. On the one hand, state and federal privacy laws limit permissible sharing of information, sometimes in highly restrictive ways. On the other hand, federal information blocking rules obligate health care providers not to interfere with access, exchange, or use of electronic health information, and now California law obligates them to share information with participants in the Data Exchange Framework. Health care providers must carefully evaluate requests to share information under the full range of applicable state and federal laws to ensure they provide what is required and withhold what is protected.

Foley is here to help you address the short and long term impacts of regulatory changes. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues. Please reach out to the authors, your Foley relationship partner, or to our Health Care Practice Group with any questions.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.