California Health and Human Services Data Exchange Framework.

Senator Menjivar, with Assembly Member Bauer-Kahan as a principal coauthor, anchors a plan to move the governance and day-to-day responsibilities for California’s Health and Human Services Data Exchange Framework to the Department of Health Care Access and Information, consolidating oversight of the data sharing agreement and its policies and procedures. The bill’s authors describe the framework as technology-agnostic rather than a single information technology system, envisioned as a network of organizations required to share health information under common policies and standards to support real-time access and exchange among health care entities and state agencies, while aligning with federal and state privacy laws and aiming to reduce reporting burden. It also expands the set of entities required to execute the data sharing agreement with the framework.

Key mechanisms include a 2026 transfer of responsibilities to the department, shifting establishment, implementation, and ongoing administration of the data exchange framework away from the current agency. By July 1, 2026, the department must establish a process to designate qualified health information organizations as data-sharing intermediaries that can participate in the framework, with “qualified health information organization” defined to mean entities that have applied for and met the designation criteria. The framework contemplates real-time data exchange among specified health care entities as of calendar year 2024 for most signatories, subject to exemptions for smaller practices and certain facility types, and it prohibits the exchange of abortion-related data, gender-affirming care, immigration or citizenship status, or place of birth. Signatories required to execute a data sharing agreement include hospitals, physician organizations and medical groups, skilled nursing facilities with electronic records, health care service plans and other insurers, clinical laboratories, acute psychiatric hospitals, and emergency medical services, among others; some categories have extended deadlines or carve-outs until 2026 or 2029.

Governance and oversight are addressed through an expanded stakeholder advisory group, with a specified cap of 17 voting members and a balance of perspectives that includes representation from state departments, health care providers and plans, physicians and hospitals, clinics and long-term care facilities, consumer and labor representatives, privacy and security professionals, health information technology experts, community organizations, and county health and social services offices. The director appoints the chair and the group is expected to provide information and advice on issues related to health and social services information technology, including data beyond health information, data life cycle gaps, social determinants of health, and equity considerations; the group is required to hold public meetings and operate under open meeting standards, with members serving without compensation but eligible for expense reimbursement. The department must publish updates to the framework after a 45-day public review and make approved changes widely accessible 180 days before their effective date; enforcement actions related to noncompliance would follow once funding is available, subject to the Administrative Procedure Act, and companion reporting requirements to the Legislature are due by mid-2027, detailing signatories’ status, compliance pathways, and the need for governance enhancements.

In context, the authors frame the framework as an instrument to harmonize health and social services data exchange with national standards and privacy protections, incorporating data requirements for both providers and payers while supporting real-time access across participating entities. The bill emphasizes alignment with federal standards and privacy laws, including HIPAA-related obligations, and seeks to incorporate data on social determinants of health and underserved populations, with careful attention to privacy, security, consent, and equity risks as data exchange expands. It also envisions ongoing oversight and evaluation, including a plan to assess the need for an independent governing board and possible funding mechanisms, and it contemplates public reporting on compliance and enforcement pathways, as well as program notices to communicate requirements to participants.