Thank you to co-author Danny Costandy, a summer associate in Foley’s San Diego office, for his contributions to this post.
Many California health care providers, including hospitals and physician groups, will soon be required to sign on to California’s first-ever statewide data sharing agreement governing the exchange of health and social services information.
The new requirement neatly illustrates the exacting compliance standards faced by today’s health care providers: confidentiality laws that have long limited permissible disclosures of health information must now be considered alongside a new regime of rules designed to prevent obstruction of legitimate access to health information. Achieving compliance requires the perfect balance of disclosing what is required and holding back what is protected.
The new California law directs the California Health and Human Services Agency (CalHHS) to establish a Data Exchange Framework designed “to enable and require real-time access to, or exchange of, health information among health care providers and payers through any health information exchange network, health information organization, or technology that adheres to specified standards and policies.” The Data Exchange Framework is not a health information exchange or repository of data. It is a technologically agnostic set of standards for sharing information.
On July 5, 2022, CalHHS released on a State website the single data sharing agreement and an initial set of policies and procedures to implement the new law. The policies and procedures developed in this first round address topics such as required exchange of information, the data elements to be exchanged, breach notification, privacy and security safeguards, processes for amending the data sharing agreements and its policies and procedures, and the individual right to access. Forthcoming policies and procedures will address topics including information blocking, monitoring and auditing, enforcement, and technical requirements for exchange.
Who must participate in the Data Exchange Framework?
Execution of the Data Exchange Framework agreement will be mandatory by January 31, 2023 for general acute care hospitals, physician organizations and medical groups, skilled nursing facilities, health plans and disability insurers, Medi-Cal managed care plans, clinical laboratories, and acute psychiatric hospitals.
Most health care providers that execute the agreement will be obligated to begin sharing information for treatment, payment, or health care operations by January 31, 2024. Physician practices with fewer than 25 physicians, nonprofit clinics with fewer than 10 health care providers, and specified hospitals will not be required to share information until January 31, 2026.
The Data Exchange Framework will also be open to a range of other entities, including government agencies and private organizations. By statute, CalHHS must work with the California State Association of Counties to encourage the inclusion of county health, public health, and social services. Under the July 5, 2022 single data sharing agreement, participants may also include health information networks, community information exchanges, laboratories, health systems, health IT developers, community-based organizations, payers, research institutes, and social services organizations. The inclusive scope is consistent with the legislative goal expressed in Cal. Health & Safety Code § 130290(e) to “assist both public and private entities to connect through uniform standards and policies.”
What happens if a participant is not ready to exchange information by the statutory deadline?
Policies and procedures require a participant that is not technologically ready to exchange information by the applicable deadline to use best efforts to contract with another entity that provides data exchange services.
How does the Data Exchange Framework incorporate the social determinants of health?
An express goal of the new California law is to identify ways to incorporate data related to social determinants of health, such as housing and food insecurity, into shared health information. The single data sharing agreement applies to “health and social services information,” which includes information related to the provision of social services even when it would not otherwise be protected health information subject to HIPAA. The definition of “health and social services information” also extends to de-identified data, anonymized data, pseudonymized data, metadata, digital identities, and schema.
Will participants have new breach reporting obligations?
As implemented through policies and procedures, the new Data Exchange Framework will expand breach-reporting obligations for health care providers beyond HIPAA and State law. Participants are required to notify CalHHS and all impacted participants of a breach as soon as reasonably practicable after discovery. Further, the notification must be followed by a written report including “sufficient information for the recipient of the notification to understand the nature of the Breach.” These requirement go beyond existing rules for covered entities under HIPAA regulations, which do not mandate reporting to a California agency or other covered entities that have been “impacted.”
While certain licensed clinics and facilities must already report breaches to the California Department of Public Health within fifteen business days, they will now also be required to report the access, disclosure, or use of information in a manner not permitted by the Data Exchange Framework or any other applicable law to CalHHS, as well as to all participants impacted by the breach. It is not clear how a participant is expected to determine whether other participants must be notified of a breach because they have been impacted.
Despite these enhanced obligations, the final version of the breach notification policy and procedure retreats from a stricter set of proposed rules floated in an early draft of the policy, which would have required notification within a 72-hour timeframe followed by a written report within 10 calendar days. Based on posted meeting materials, CalHHS removed specific timeframes after receiving comments from stakeholders requesting that the policies not impose timeframes for breach notification different than those under existing laws.
Compliance tightrope for health care providers
The underlying Data Exchange Framework statute compels participating health care providers to share health information for treatment, payment, and health care operations when permissible under the law. As implemented in the policy and procedure addressing the purposes for which participants are required or permitted to exchange information, the obligation on participants is even broader: they must share “health and social services information” for treatment, payment, health care operations, and public health activities, unless prohibited by law or specific policies and procedures.
The proliferation of legal mandates to share information underscores the balancing act faced by health care providers. On the one hand, state and federal privacy laws limit permissible sharing of information, sometimes in highly restrictive ways. On the other hand, federal information blocking rules obligate health care providers not to interfere with access, exchange, or use of electronic health information, and now California law obligates them to share information with participants in the Data Exchange Framework. Health care providers must carefully evaluate requests to share information under the full range of applicable state and federal laws to ensure they provide what is required and withhold what is protected.