The recently unveiled California Health and Human Services Data Exchange Framework (the Framework) creates a new regulatory and governance structure to promote the exchange of health information between health care providers in California. By January 31, 2023, hospitals, physician practices, and certain other entities must sign a data sharing agreement governing participation in the Framework. Once the Framework takes full effect on January 31, 2024, parties must exchange health information with other Framework participants in real time for treatment and other specified purposes.
Data Exchange Framework Aims to Break Down “Information Siloes” Among Providers
Over the past two decades, federal and state policies have incentivized health care providers to adopt electronic health record (EHR) systems and other health information technology (HIT), with the goal of fostering greater care coordination and more informed clinical decision-making. Meanwhile, the federal Health Insurance Portability and Accountability Act (HIPAA) and other federal and state laws have imposed strict requirements on providers’ use and disclosure of patients’ health information.
The result of these intersecting – and sometimes conflicting – policies and initiatives is a health delivery system often characterized by “information siloes,” where data exchange practices vary significantly based on factors including type of organization and type of data being exchanged. Dismantling these siloes can be difficult, as California attempted to do in 2009 by enacting legislation (Senate Bill 387) to create a statewide health information exchange (HIE). Because of funding issues, lack of consensus among stakeholders, and other challenges, the statewide HIE never materialized.
More than a decade later, California attempted again to spur statewide exchange of health information with the passage of Assembly Bill (AB) 133 in July of 2021. That legislation (as codified in Health and Safety Code § 130290) provides that the Framework “is not intended to be an information technology system or single repository of data[.]” Rather, it is envisioned as a technology-agnostic “collection of organizations that are required to share health information using national standards and a common set of policies in order to improve the health outcomes of the individuals they serve.”
Key Components of the Data Exchange Framework
Under AB 133, the Framework comprises two main components: (1) a single data sharing agreement to be executed by Framework participants and (2) a common set of policies and procedures that Framework participants will follow. The California Health and Human Services Agency (CalHHS) is charged with implementing these elements through a stakeholder-driven consultative process.
On July 5, 2022, CalHHS released a final version of the data sharing agreement (DSA). The agency also published the initial set of policies and procedures to govern the Framework. These policies, which are incorporated into the DSA, address topics that include the data elements to be exchanged among Framework participants, privacy and security safeguards, and breach notification.
Together, the DSA and policies and procedures establish some defining features of the Framework:
- Duty to Exchange: Parties to the DSA are deemed Framework participants. As such, they are required, when requested by another participant, to exchange “health and social services information” for certain purposes. Those purposes include “treatment,” “payment,” and certain “health care operations” – concepts and terminology that come from HIPAA. Whereas HIPAA merely permits sharing information for these purposes, the Framework now makes these exchanges mandatory.
- Social Determinants of Health: A key premise of the Framework is that data exchange must be more robust than traditional clinical information; it must also include information relevant to the social determinants of health, such as access to housing and food. Beginning January 31, 2026, social service organizations, such as health and human service agencies and nonprofits, are expected to participate in the Framework. Traditionally, these organizations are not recognized as health care providers or “covered entities” under HIPAA. Thus, for many providers, engaging in significant information exchange with these organizations will mark a major paradigm shift.
- Governance: The DSA references a “governance entity” with oversight of the Framework whose responsibilities include developing policies and procedures and auditing compliance with the DSA. For now, CalHHS is functioning in this capacity with support from a stakeholder-member advisory committee. CalHHS is developing a legislative proposal for a dedicated HHS Data Exchange Board that would commence oversight of the Framework in 2023.
As the Framework’s to-be-determined governing body underscores, many implementation details are still uncertain. Funding opportunities are one critical area of uncertainty. Many participants will have to procure new HIT or modify existing HIT to facilitate the exchange of information within the Framework. These technological upgrades will necessitate financial investments that some participants – particularly smaller providers not accustomed to extensive information-sharing with other providers – may struggle to afford. Although AB 133 calls on the stakeholder group advising CalHHS to “[i]dentify federal, state, private, or philanthropic sources of funding that could support data access and exchange,” the legislation does not directly finance providers’ costs associated with the Framework. With limited sources of financial support, some Framework participants may look to other participants for subsidized or discounted access to the latter’s HIT infrastructure.
What’s Next
By January 31, 2023, all general acute care hospitals, physician organizations and medical groups, skilled nursing facilities, health service plans and disability insurers, Medi-Cal managed care plans, clinical laboratories, and acute psychiatric hospitals in California must execute the DSA. However, the terms of the DSA, including its mandate to exchange information with other Framework participants, will not take effect until January 31, 2024. Certain smaller providers, including physician practices of fewer than 25 physicians and select specialty hospitals, will not be required to exchange information under the Framework until January 31, 2026.
The consequences of not executing the DSA or participating in the Framework are presently unclear. Although AB 133 does not include a mechanism for providers to opt out of the Framework, it also does not address how participation in the Framework or compliance with the DSA will be enforced. The DSA states that participants “grant to the Governance Entity the power to enforce any portion of this Agreement through measures set forth in the Policies and Procedures,” potentially including “suspension or termination of a Participant’s right to exchange” information under the DSA. CalHHS’s outline for Framework governance suggests other future enforcement mechanisms could include remediation plans and civil penalties.
Providers should be aware that noncompliance with Framework requirements could potentially affect a provider’s compliance with federal information blocking regulations that took effect in April of 2021. Animated by similar concerns as AB 133 to eliminate information siloes in the health delivery system, those regulations prohibit providers from engaging in unreasonable practices that are “likely to interfere with access, exchange, or use of electronic health information.” A provider that does not participate in mandatory exchange in accordance with Framework requirements could be accused of engaging in prohibited information blocking.
Getting Ready for the Data Exchange Framework
As the implementation timeline unfolds through 2026, CalHHS will actively create a long-term governing structure and promulgate additional Framework policies and procedures. Forthcoming policies are expected on topics that include information blocking, monitoring and auditing, and enforcement. Health care providers should monitor the release of these policy proposals, as they will have the opportunity to comment on them and shape their drafting.
Providers should also assess the impact the Framework policy development process will have on their own policies, procedures, and practices in critical areas, including EHR systems, privacy and compliance, and information security. Many providers may find it necessary to convene interdisciplinary work groups of stakeholders from their information technology, compliance, legal, and records management teams to navigate the multilayered technical, clinical, and privacy issues that Framework participation raises.