California Data Sharing Agreement and Policies and Procedures

On July 5, 2022, the California Health and Human Services Agency (CalHHS) Center for Data Insights and Innovation (CDII) released the final Data Exchange Framework (DxF) and associated Data Sharing Agreement (DSA) and Policies and Procedures (P&Ps), as required under A.B. 133 (2022).1 (For more information on A.B. 133, please see our fact sheet.2) CalHHS developed these policies with input from a Stakeholder Advisory Group and DSA Subcommittee. All policies will go into effect on January 31, 2024.

In collaboration with its Stakeholder Advisory Group, CDII developed several guiding principles as part of the DxF to guide design and implementation, support deliberations, and build trust among data exchange partners.3 These principles include:

  • Advance health equity
  • Make data available to drive decisions and outcomes
  • Support whole person care
  • Promote individual data access
  • Reinforce individual data privacy and security
  • Establish clear and transparent terms and conditions for data collection, exchange, and use
  • Adhere to data exchange standards; and
  • Ensure accountability

Key provisions of the Data Sharing Agreement and Policies and Procedures

A.B. 133 requires certain entities to “exchange health information or provide access to health information to and from” other specified entities in “real-time” by January 31, 2024, including but not limited to general acute care and psychiatric hospitals, physician organizations and medical groups, skilled nursing facilities (SNFs), clinical labs, and health care service plans and Medi-Cal Managed Care Plans. Other entities, such as physician practices with fewer than 25 physicians, will not need to comply with the mandate until January 31, 2026.

All such entities must agree to participate in a single data sharing agreement and common policies and procedures that govern the exchange of health information among participating entities and that are intended to “leverage and advance national standards for information exchange and data content.” Other entities can sign the DSA to become a participant but are not required to under state law.

The DSA defines “Health and Social Services Information” as “any and all information received, stored, processed, generated, used, transferred, disclosed, made accessible, or shared pursuant to this Agreement, including but not limited to: (a) Data Elements as set forth in the applicable Policy and Procedure; (b) information related to the provision of health care services, including but not limited to PHI; and (c) information related to the provision of social services. Health and Social Services Information may include PHI, PII, deidentified data (as defined in the HIPAA Regulations at 45 C.F.R. § 164.514), anonymized data, pseudonymized data, metadata, digital identities, and schema.”4

Below are several topics and associated provisions addressed by both the final DSA and P&Ps released by CDII on July 5, 2022:

Requirement to exchange health and social services information

(P&P OPP-5)5
Participants that sign the DSA have an obligation to share certain data with all other participants, unless they do not have the data requested or cannot share it under law.

“All Participants shall respond to requests for Health and Social Services Information made by other Participants and shall share Health and Social Services Information when required under the Required, Permitted and Prohibited Purposes Policy. A Participant shall fulfill its duty to respond by either (i) providing the requested Health and Social Services Information in accordance with the Data Sharing Agreement (the “DSA”) and Applicable Law, or (ii) providing a clear written response that states the Health and Social Services Information is not available, cannot be exchanged under Applicable Law, or is not required to be shared under the DSA.”
Data elements to be Exchanged

(P&P OPP-8)6
Participants that are health care providers are required to share clinical data, while those that are health plans are required to share claims, encounter, and clinical data.

Providers: “Health Care Providers…shall provide access to or exchange at a minimum: a. Until October 6, 2022, data elements in the United States Core Data for Interoperability (USCDI) Version 1 if maintained by the entity. b. After October 6, 2022, all Electronic Health Information (EHI) as defined under federal regulation in Section 171.102 of Title 45 of the Code of Federal Regulations, including data elements in the United States Core Data for Interoperability (USCDI) Version 2, if maintained by the entity.”

Plans: “Health Plans, including but not limited to health care service plans and disability insurers that provide hospital, medical, or surgical coverage that are regulated by the Department of Managed Health Care or the Department of Insurance, Medi-Cal managed care plans, shall provide access to or exchange, at a minimum, the data required to be shared under the Centers for Medicare and Medicaid Services Interoperability and Patient Access regulations for public programs as contained in United States Department of Health and Human Services final rule CMS-9115-F, 85 FR 25510 including, but not limited to, adjudicated claims, encounter data and clinical data as defined in the USCDI if maintained by the entity.”
Methods to exchange data

(P&P OPP-5)7
Participants may use various technology solutions to support the exchange of Health and Social Services Information, including Qualified Health Information Organizations (HIOs)

“The Data Exchange Framework is intended to be technology agnostic, meaning that no particular technology or method to exchange data is preferred. Participants may use various technology solutions, applications, interfaces, software, platforms, clearinghouses and other information technology resources.”
Permitted, required, and prohibited uses

(P&P OPP-4)8
Participants are required to share data related to Treatment, Payment, and some Health Care Operations activities (as such terms are defined under HIPAA) that do not require patient authorization and are permitted to share data where allowed by law and subject to patient authorization. Participants cannot access information through the DSA with the intention of selling that data, and participants cannot charge fees to other participants for any exchange under the DSA.

Required purposes: “…Participants are required to exchange Health and Social Services Information and/or provide access to Health and Social Services Information pursuant to the Data Exchange Framework for Treatment, Payment, Health Care Operations and Public Health Activities as those terms are defined herein.”

Permitted purposes: “Participants are permitted to exchange or provide access to Health and Social Services Information, including information subject to 42 C.F.R. Part 2, for any purpose not set forth in Section 3 below, provided appropriate Authorizations are made, if necessary, and the disclosure or use of Health and Social Services Information is permissible under Applicable Law. Such purposes include but are not limited to Social Services Activities and Research activities.”

Prohibited purposes: “Unless otherwise permitted by Applicable Law or a legally valid agreement, Participants shall not access Health and Social Services Information through the DSA in order to sell such information.”

Fees: “Participants are prohibited from charging fees to other Participants for any exchange of Health and Social Services Information under the DSA; provided that the foregoing shall not prohibit a Qualified HIO from charging fees to Participants who engage in data-sharing activities through the Qualified HIO.”
Breach notification

(P&P OPP-3)9
Participants must notify the Governance Entity (once it is established) and any affected participants of any breach, in addition to complying with all other applicable breach notification laws.

“As soon as reasonably practicable after discovering a Breach has occurred, and within any timeframes required by Applicable Law, a Participant shall notify the Governance Entity and all Participants impacted by the Breach.”

*It should be noted that the DSA and P&P definition of “breach” is broader than both the HIPAA and CMIA definitions. For example, a breach notification is not required under HIPAA or the California Health and Safety Code if a risk analysis concludes that there is a low probability that data has been compromised.
Individual access services

(P&P OPP-7)10
Individuals have the right of access to inspect and copy their data maintained by any Participant, except where the Participant has sufficient grounds to deny such right of access under applicable law.

“To the extent permitted by Applicable Law, an Individual User or anIndividual User’s Personal Representative has a right of access to inspect and obtain a copy of PHI or PII about the Individual User, for as long as the PHI or PII is maintained by a Participant. Notwithstanding the foregoing, if permitted under Applicable Law, a Participant shall have the authority to deny right of access to inspect or obtain a copy of PHI or PII.”

Remaining policy issues

CDII is currently developing additional P&Ps through its interim stakeholder process, which includes the following topics:

  • California information blocking prohibitions: Expanding the federal information blocking rules to apply under the DSA to all signatories, not just those subject to the federal law.11
  • Technical requirements for exchange: Describing the ways in which signatories must share requests for information, and how to respond to such requests.12
  • Real-time exchange: Defining the timeframe in which signatories must respond to requests for information.13
  • Early exchange: Allowing signatories to be able to mutually agree to have the DSA take legal effect before January 31, 2024.14
  • Privacy standards and security safeguards: Clarifying how signatories must handle inappropriately received information.15

CDII is also developing a qualification process for health information organizations. These qualified health information organizations (QHIOs), as defined in the DSA, can serve as data sharing intermediaries, similar in concept to the qualification process developed for the California HIE Onboarding Program (Cal-HOP).16

CDII has also indicated that it will work in 2023 to receive statutory authority for governance and enforcement. The DSA and P&Ps reference a governance entity that will oversee the DxF and develop subsequent policies related to data exchange and enforcement of the DSA.

Other needs identified by stakeholders include:

  • Funding for onboarding and infrastructure: Many health information organizations, providers, and plans will require funding for infrastructure, workflow development, and technology adoption to support their data sharing obligations under the DSA.
  • Development of policies pertaining to social services organizations: Social services organizations capture and share a wide variety of data related to demographics– care plans and social needs, for example–that are not usually captured using the same standards as health care organizations outlined in the DSA P&Ps.
  • Refinement of the DSA and P&Ps to ensure consistency with existing legal obligations under state and federal law: The DSA and P&Ps will need to be updated to ensure they align with other laws. For example, the current definition of “minimum necessary” under the DSA and P&Ps allows an exception where compliance is “not feasible,” which diverges from the exceptions under HIPAA and requires further guidance on what constitutes feasibility. Other issues include resolving ambiguities in AB 133; for example, clarifying what is meant by the requirement for “skilled nursing facilities maintaining electronic records” (emphasis added) to sign the DSA.

What’s next?

As previously mentioned, certain health plans and provider entities must execute the DSA on or before January 31, 2023, while other health and social services organizations will be encouraged to execute the DSA. Most mandatory signatories must then begin sharing data with other participants on or before January 31, 2024.

In the meantime, CalHHS CDII established an interim Implementation Advisory Committee and DSA P&P Subcommittee in July 2022, along with a legislative proposal to establish a permanent Health and Human Services Data Exchange Board.17 By 2023, CDII plans to establish the Data Exchange Board to oversee implementation of the DxF and divide the governance functions between the agency and the Data Exchange Board.18

Standards and regulations referenced within the DSA and P&Ps

United States Core Data for Interoperability (USCDI) versions 1 through 419The USCDI version 1 created a set of 16 standardized data classes to facilitate the aggregation of data elements, easing interoperability for providers across the country (The Office of the National Coordinator for Health Information Technology, 2020). Version 2 was released in 2021, expanded the data classes from 16 to 19, and included more detailed data elements within each class. (Note that version 3, not mentioned in the DSA or P&Ps, was released in July 2022, and a draft of version 4, also not mentioned in the DSA, was released on January 14, 2023.)
HIPAA regulations under Title 45 of the Code of Federal Regulations (C.F.R.)20Title 45 of the Code of Federal Regulations encompasses the federal rules and regulations that apply to public welfare. A few of the more frequently referenced within the DSA are summarized here.45 C.F.R. § 164.501 contains the definitions for correctional institution, data aggregation, designated record set, direct treatment regulation, health care operations, health oversight agency, indirect treatment relationship, inmate, marketing, payment, psychotherapy notes, public health authority, research, and treatment, as they relate to health information privacy and security.
45 C.F.R. § 164.502 includes the general rules for uses and disclosures of protected health information.
45 C.F.R. § 164.504 outlines the organizational requirements for uses and disclosures.
CFR § 164.508 contains the uses and disclosures that require authorization.
45 C.F.R. § 164.512 outlines what uses and disclosures do not require authorization.
45 C.F.R. § 164.514 specifies other requirements related to the use and disclosure of protected health information, including standards and implementation of de-identification, minimum necessary, and verification requirements.
45 C.F.R. § 164.524 is in reference to the right of individuals to access their protected health information.
45 C.F.R. part 164, subpart C refers to the security standards for the protection of electronic health information.
45 C.F.R. part 164, subpart E refers to the privacy of individually identifiable health information.
Confidentiality regulations for substance use disorder records at 42 C.F.R. Part 221 and for mental health under the Lanterman- Petris-Short Act22Title 42 of the Code of Federal Regulations sets out the federal rules and regulations that govern the disclosure and use of patient records related to substance use disorders. It includes relevant definitions, safeguards, and procedures, which are significantly more stringent than HIPAA for any subject “Part 2 Programs.”

Lanterman-Petris-Short Act confidentiality provisions refer to California Welfare and Institutions Code §§ 5328-5328.9. It provides more stringent protections than HIPAA for information related to mental health treatment delivered in certain institutional and outpatient settings.
HL7 data formats23Health Level 7 (HL7) is an organization that creates standards for electronic health data exchange, integration, and aggregation.

HL7 Messaging Standard Version 2.5.1 refers to the messaging standards for electronic health data exchange, with emphasis on the inpatient acute care setting.
HL7 Clinical Document Architecture (CDA®) Release 2 contains the standards for clinical documents between healthcare providers and patients.
HL7 Companion Guide to Consolidated Clinical Document Architecture (C- CDA®) 2 is meant to provide additional tools, resources, and guidance to assist implementers in improving interoperability.
HL7 Fast Health Interoperability Resources (FHIR®) Release 4.0.1 is the standard for interoperability between all players of the healthcare ecosystem and contains applicable resources and regulations.
US Core Implementation Guide 4.0.0 STU4 contains the standards and FHIR resources necessary to create the United States Core Profiles.
U.S. Department of Health and Human Services Interoperability and Patient Access Final Rule 24This final rule implements certain provisions of the 21st Century Cures Act granting the Centers for Medicare and Medicaid Services (CMS) to create a set of policies to advance interoperability and patient access to health information. This rule’s key points include the enabling of patients to electronically access their health information and ensuring providers and payers can attain access to all relevant patient health information.
U.S. Office of the National Coordinator for Health IT Cures Act Final Rule25This final rule implements certain provisions of the 21st Century Cures Act related to HIT developer certification requirements, information blocking, and patient access.

About Connecting for Better Health (C4BH): Founded in 2021, C4BH is a coalition of providers, caregivers, health plans, patient advocates, innovators, and community based organizations. We strive to improve the state’s data sharing infrastructure with a goal of transforming health and social outcomes for all Californians. For more information, contact

1 Cal. Assem. Bill 133, 2021-2022 Reg. Sess. (2022) (hereinafter “A.B. 133”).

2 Connecting for Better Health, State Policy Update: AB 133: health Omnibus Trailer Bill (2021), Google-Docs.pdf.

3 Center for Data Insights and Innovation (hereinafter “CDII”), Data Exchange Framework Guiding Principles (2022), Principles_Final_v1_07-01-2022.pdf.

4 CDII, California Health and Human Services Data Exchange Framework: Single Data Sharing Agreement (last updated November 3, 2022), CalHHS_DSA_Final_v1_7.1.22-11.8.22.pdf.

5 CDII, OPP-5: Requirement to Exchange Health and Social Services Information (last updated July 5, 2022), and-Social-Services-Info-PP_Final_v1_7.1.22.pdf.

6 CDII, OPP-8: Data Elements to Be Exchanged (last updated July 5, 2022), content/uploads/2022/12/4_CHHS_DSA-Data-Elements-to-Be-Exchanged-PP_Final_v1_11.16.22_For- Posting.pdf.

7 See supra note iv.

8 CDII, OPP-4: Permitted, Required and Prohibited Purposes (last updated July 5, 2022), Purposes-PP_Final_v1_7.1.22.pdf.

9 CDII, OPP-3: Breach Notification (last updated July 5, 2022), content/uploads/2022/07/5.-CHHS_DSA-Breach-Notification-PP_Final_v1_7.1.22.pdf.

10 CDII, OPP-7: Individual Access Services (last updated July 5, 2022), content/uploads/2022/07/9.-CHHS_DSA-Individual-Access-Services-PP_Final_v1_7.1.22.pdf.

11 CDII, Draft OPP-[X]: California Information Blocking Prohibitions (2023), content/uploads/2023/01/CalHHS_CA-Information-Blocking-Prohibitions-PP_Draft_Jan-2023_For-Public- Comment.pdf.

12 CDII, Draft OPP-[X]: Technical Requirements for Exchange (2023), content/uploads/2023/01/CalHHS_Tech-Reqs-for-Exchange-PP_Draft_Jan-2023_For-Public-Comment.pdf. 13 CDII, Draft OPP-[X]: Real-Time Exchange (2023), content/uploads/2023/01/CalHHS_Real-Time-Exchange-PP_Draft_Jan-2023_For-Public-Comment.pdf.

14 CDII, Draft OPP-[X]: Early Exchange (2023), content/uploads/2023/01/CalHHS_Early-Exchange-PP_Draft_Jan-2023_For-Public-Comment.pdf.

15 CDII, Draft OPP-6: Privacy Standards and Security Safeguards (2023), content/uploads/2023/01/CalHHS_Privacy-and-Security-Safeguards-PP_Draft_Jan-2023_For-Public- Comment.pdf.

16 CDII, Draft California Data Exchange Framework: Qualified Health Information Organization (QHIO) Application 2023 (January 10, 2023), Application-Parts-A-and-B-for-IAC-01.10.2023-1.pdf.

17 CDII, Data Exchange Framework Stakeholder Advisory Group Meeting #9, June 23, 2022, Group_Meeting-9_June-23-2022_Deck_Final_v1.pdf.

18 Id.

19 See U.S. Dep’t of Health and Human Servs. Office of the Nat’l Coord. for Health Info. Tech., United States Core Data for Interoperability (last updated 2023), interoperability-uscdi#draft-uscdi-v4. This page includes access to all versions of the USCDI.

20 45 C.F.R. part 164 (2023).

21 42 C.F.R. part 2 (2023).

22 Cal. Welf. And Inst. Code § § 5328-5328.9 (2019).

23 HL7 International, Introduction to HL7 Standards, (last updated 2023),

24 42 C.F.R. parts 406, 407, 422, 423, 431, 438, 457, 482 and 485 (2020); 45 C.F.R. part 156 (2020).

25 45 C.F.R. parts 190 and 171 (2020).


Sign Up for the C4BH Newsletter.

Yes! I want to receive the Weekly Round-Up newsletter, which curates news and events relevant to health data exchange in California and beyond.