The California Data Exchange Framework: New Requirements for Sharing Health Information Between Hospitals, Physicians, and Other Providers | Arent Fox Schiff
The recently unveiled California Health and Human Services Data Exchange Framework (the Framework) creates a new regulatory and governance structure to promote the exchange of health information between healthcare providers in California. By January 31, 2023, hospitals, medical practices and certain other entities must sign a data sharing agreement governing participation in the Framework. Once the framework becomes fully effective on January 31, 2024, parties will be required to exchange health information with other framework participants in real time for processing and other specified purposes.
Data exchange framework aims to break down “information silos” between vendors
Over the past two decades, federal and state policies have prompted health care providers to adopt electronic health record (EHR) systems and other health information technologies (HIT), in the to promote better coordination of care and more informed clinical decision-making. Meanwhile, the federal Health Insurance Portability and Accountability Act (HIPAA) and other federal and state laws have imposed strict requirements on the use and disclosure of patient health information by providers. .
The result of these intersecting – and sometimes conflicting – policies and initiatives is a health care delivery system often characterized by “information silos”, where data sharing practices vary widely depending on factors such as type of organization and the type of data exchanged. Dismantling these silos can be difficult, as California attempted to do in 2009 by enacting legislation (Senate Bill 387) to create a statewide Health Information Exchange (HIE). Due to funding issues, a lack of consensus among stakeholders, and other challenges, the statewide HIE never materialized.
More than a decade later, California made another attempt to boost statewide health information sharing with the passage of Assembly Bill (AB) 133 in July 2021. This legislation (as codified in Health and Safety Code § 130290) provides that the framework “is not intended to be an information technology system or a single repository of data[.]Rather, it is envisioned as a “set of technology-independent organizations that are required to share health information using national standards and a common set of policies in order to improve health outcomes for people they they serve”.
Key Components of the Data Exchange Framework
Under AB 133, the Framework consists of two main elements: (1) a single data sharing agreement to be executed by Framework Participants and (2) a common set of policies and procedures that Framework Participants will follow. . The California Health and Human Services Agency (CalHHS) is responsible for implementing these elements through a stakeholder-driven consultative process.
On July 5, 2022, CalHHS released a final version of the Data Sharing Agreement (DSA). The agency also released the initial set of policies and procedures to govern the framework. These policies, which are incorporated into the DSA, address topics that include data elements to be exchanged between framework participants, privacy and security safeguards, and breach notification.
Together, the DSA and the policies and procedures establish certain defining characteristics of the framework:
- Exchange bond: Parties to the DSA are considered participants in the Framework. As such, they are required, at the request of another participant, to exchange “health and social services information” for certain purposes. These purposes include “treatment”, “payment”, and certain “health care operations” – concepts and terminology derived from HIPAA. While HIPAA is content permit information sharing for these purposes, the Framework now makes such exchanges obligatory.
- Social determinants of health: A key premise of the framework is that data exchange should be more robust than traditional clinical information; it should also include relevant information on the social determinants of health, such as access to housing and food. Starting January 31, 2026, social service organizations, such as health and social service agencies and nonprofits, are expected to participate in the framework. Traditionally, these organizations are not recognized as healthcare providers or “covered entities” under HIPAA. So, for many vendors, engaging in significant information exchange with these organizations will mark a major paradigm shift.
- Governance : The DSA refers to a “governance entity” responsible for overseeing the framework, whose responsibilities include developing policies and procedures and verifying compliance with the DSA. For now, CalHHS operates in this capacity with the support of a stakeholder advisory committee. CalHHS is developing a legislative proposal for a dedicated HHS data exchange board that would begin oversight of the framework in 2023.
As the Framework’s yet-to-be-determined governing body points out, many implementation details are still unclear. Funding opportunities are an unknown critical area. Many participants will need to procure new HITs or modify existing HITs to facilitate the exchange of information within the framework. These technology upgrades will require financial investments that some participants – especially smaller providers who are not accustomed to intensive information sharing with other providers – might find it difficult to afford. Although AB 133 calls on the stakeholder group advising CalHHS to “[i]identify federal, state, private, or philanthropic funding sources that could support data access and exchange,” the legislation does not directly fund vendor costs associated with the framework. With limited sources of financial support, some Framework Participants may look to other Participants for subsidized or discounted access to the latter’s HIT infrastructure.
By January 31, 2023, all general acute care hospitals, physician organizations and medical groups, skilled nursing facilities, health service plans and disability insurers, Medi- Cal, Clinical Laboratories, and California Acute Psychiatric Hospitals must perform the DSA. However, the terms of the DSA, including its mandate to exchange information with other framework participants, will not come into effect until January 31, 2024. Certain smaller providers, including medical practices under 25 physicians and some specialty hospitals, will not be required to share information under the Framework until January 31, 2026.
The consequences of not execution of the DSA or participation in the Framework is currently unclear. While AB 133 does not include a mechanism for vendors to opt out of the framework, it also does not address how participation in the framework or compliance with the DSA will be enforced. The DSA states that participants “grant to the Governing Entity the authority to enforce any part of this Agreement through actions set forth in the Policies and Procedures”, potentially including “the suspension or termination of the right to ‘a Participant to Exchange’ information under the DSA. CalHHS’s outline for governance of the framework suggests that other future enforcement mechanisms could include remediation plans and civil penalties.
Providers should be aware that failure to comply with the framework’s requirements could potentially affect a provider’s compliance with federal information blocking regulations that came into effect in April 2021. Driven by similar concerns as AB 133 To eliminate information silos in the health care delivery system, these regulations prohibit providers from engaging in unreasonable practices that are “likely to interfere with the access, exchange, or use of ‘electronic health information’. A provider that does not participate in the mandatory exchange in accordance with the requirements of the framework could be accused of engaging in the blocking of prohibited information.
Preparing for the Data Exchange Framework
As the implementation timeline rolls out through 2026, CalHHS will actively create a long-term governance structure and promulgate additional framework policies and procedures. Upcoming policies are expected on topics such as information blocking, monitoring and auditing, and enforcement. Health care providers should monitor the publication of these policy proposals, as they will have the opportunity to comment on them and shape the drafting.
Providers should also assess the impact that the framework’s policy development process will have on their own policies, procedures, and practices in critical areas, including EHR systems, privacy and compliance, and information security. Many providers may find it necessary to convene interdisciplinary working groups of stakeholders from their information technology, compliance, legal and records management teams to navigate the multi-level technical, clinical and privacy issues that participation in the frame raises.