Thanks to co-author Danny Costandy, summer associate in Foley’s San Diego office, for his contributions to this post.
Many California healthcare providers, including hospitals and physician groups, will soon be required to sign California’s first-ever statewide data-sharing agreement governing the exchange of health and social services information.
The new requirement epitomizes the rigorous compliance standards faced by today’s healthcare providers: privacy laws that have long limited authorized disclosures of health information must now be considered alongside a new regime of rules designed to prevent the obstruction of legitimate access to health information. Compliance requires a fine balance between disclosing what is required and withholding what is protected.
The new California law directs the California Health and Human Services Agency (CalHHS) to establish a data exchange framework designed “to enable and require real-time access or exchange of health information between health care providers and payers through any health information exchange network, health information organization, or technology that meets the specified standards and policies.” The data exchange framework is not a health information exchange or data repository. It is a set of technology-agnostic standards for sharing information.
On July 5, 2022, CalHHS posted on a State website the unique data sharing agreement and an initial set of policies and procedures to implement the new law. The policies and procedures developed during this first cycle address topics such as required information exchange, data elements to be exchanged, breach notification, privacy and security safeguards, processes for modifying the data sharing agreement and its policies and procedures, and individual right of access. Upcoming policies and procedures will address topics such as information blocking, monitoring and auditing, enforcement, and technical requirements for the exchange.
Who should participate in the Data Exchange Framework?
Execution of the Master Data Sharing Agreement will be binding by January 31, 2023, for general acute care hospitals, physician organizations and medical groups, skilled nursing facilities, health and disability insurers, Medi-Cal managed care plans, clinical laboratories and acute psychiatric care hospitals.
Most health care providers who sign the agreement will be required to start sharing information for treatment, payment, or health care operations by January 31, 2024. Medical practices with fewer than 25 physicians, nonprofit clinics with fewer than 10 healthcare providers, and hospitals will not be required to share information until January 31, 2026.
The data exchange framework will also be open to a range of other entities, including government agencies and private organizations. By law, CalHHS must work with the California State Counties Association to encourage inclusion of county health, public health, and human services. Under the July 5, 2022 unique data sharing agreement, participants may also include health information networks, community information exchanges, laboratories, health systems, health informatics developers, community organizations, payers, research institutes and social service organizations. The inclusive scope is consistent with the legislative objective expressed in Cal. Health and Safety Code § 130290(e) to “help public and private entities connect through uniform standards and policies.”
What happens if a participant is not ready to exchange information within the legal deadline?
The Policies and Procedures require a participant that is not technologically ready to exchange information within the applicable timeframe to use its best efforts to contract with another entity that provides data exchange services.
How does the data exchange framework incorporate social determinants of health?
An explicit goal of the new California law is to identify ways to integrate data related to social determinants of health, such as housing and food insecurity, into shared health information. The unique data sharing agreement applies to “health and social services information”, which includes information relating to the provision of social services, even if it would not otherwise be protected health information subject to HIPAA. The definition of “health and social services information” also extends to anonymized data, pseudonymised data, metadata, digital identities and schema.
Will participants have new obligations to report violations?
As implemented through policies and procedures, the new data exchange framework will expand breach reporting obligations for healthcare providers beyond HIPAA and the state. Participants are required to notify CalHHS and all affected participants of a violation as soon as reasonably possible after discovery. In addition, the notification must be followed by a written report including “sufficient information for the recipient of the notification to understand the nature of the violation”. These requirements go beyond existing rules for covered entities under HIPAA regulations, which do not require reporting to a California agency or other covered entities that have been “assigned”.
Although some licensed clinics and facilities must already report violations to the California Department of Public Health within fifteen business days, they will now also be required to report any access, disclosure, or use of information in a manner not authorized by the Data Exchange Framework or any other applicable law to CalHHS and to all participants affected by the breach. It is not clear how a participant is supposed to determine whether other participants should be notified of a violation because they have been affected.
Despite these enhanced obligations, the final version of the Breach Notification Policy and Procedure opts out of a stricter set of rules proposed in a first draft of the policy, which would have required notification within 72 hours followed by a written report within 10 calendar days. Based on posted meeting materials, CalHHS removed specific timelines after receiving feedback from stakeholders requesting that the policies not impose breach notification timelines different from those provided by existing laws.
Compliance on a Tightrope for Healthcare Providers
The underlying Data Sharing Framework Act requires participating healthcare providers to share health information for healthcare treatment, payment and operations where permitted by law. As implemented in the policy and procedure regarding the purposes for which participants are required or permitted to share information, participants’ obligation is even broader: they must share “health and social services information” for processing, payment, healthcare and public health activities, except where prohibited by law or specific policies and procedures.
The proliferation of legal mandates to share information underscores the balancing act faced by healthcare providers. On the one hand, state and federal privacy laws limit the permitted sharing of information, sometimes quite restrictively. On the other hand, federal information blocking rules require health care providers not to interfere with the access, exchange, or use of electronic health information, and now California law requires them to share information with data exchange framework participants. Healthcare providers should carefully evaluate requests to share information under all applicable state and federal laws to ensure they are providing what is required and withholding what is protected.
Foley is here to help you deal with the short and long term impacts of regulatory changes. We have the resources to help you navigate these important legal considerations related to business operations and industry-specific issues. Please contact the authors, your Foley relationship partner, or our healthcare practice group with any questions.