- This Single Data Sharing Agreement is made between the Participants (defined below) who are required to or elect to exchange Health and Social Services Information (defined below) within the State of California in accordance with this Agreement (defined below).
- PURPOSE AND INTENT
- California Health and Safety Code § 130290 was enacted in 2021 and establishes the creation of the California Health and Human Services Data Exchange Framework and requires certain data sharing among entities as set forth in California Health and Safety Code § 130290(f) on or before January 31, 2024. California Health and Safety Code § 130290 also provides for the California Health and Human Services Agency to encourage the inclusion of county health, public benefit, and social services as part of the Data Exchange Framework. The framework includes this single data sharing agreement and a set of common policies and procedures.
- This Agreement is intended to facilitate data exchange between the Participants in compliance with all applicable federal, state, and local laws, regulations, and policies. This Agreement sets forth a common set of terms, conditions, and obligations to support secure real-time access to, or exchange of, Health and Social Services Information (as defined below) between and among the Participants. Nothing in this Agreement is intended to replace or supersede any existing or future agreement between or among two or more Participants that provides for more extensive data exchange than that required under this Agreement.
- This Agreement is not intended nor designed to: (i) mandate or require a specific technology; (ii) create a single entity that exchanges Health and Social Services Information; or (iii) create a single repository of data.
“Agreement” shall mean this Data Sharing Agreement, the Policies and Procedures and the Specifications.
“Applicable Law” shall mean all federal, state, local, or tribal laws and regulations then in effect and applicable to the subject matter herein. For the avoidance of doubt, federal government entities are only subject to federal law.
“Authorization” shall have the meaning and include the requirements set forth at 45 CFR § 164.508 of the HIPAA Regulations and at Cal. Civ. Code § 56.05. The term shall include all requirements for obtaining consent to disclose confidential substance abuse disorder treatment records as set forth in 42 C.F.R. Part 2, when applicable, and shall include any additional requirements under Applicable Law to disclose PHI or PII.
“Breach” shall mean the unauthorized acquisition, access, disclosure, or use of Health and Social Services Information as set forth in the Policies and Procedures.
“Confidential Participant Information” shall mean proprietary or confidential materials or information of a Participant in any medium or format that a Participant labels as such upon disclosure or that given the nature of the information or the circumstances surrounding its disclosure, reasonably should be considered confidential. Notwithstanding any label to the contrary, Confidential Participant Information does not
include any information which is or becomes known publicly through no fault of the party to which such information is disclosed (a “Receiving Party”); is learned of by a Receiving Party from a third party entitled to disclose it; is already known to a Receiving Party before receipt from the disclosing Participant as documented by the Receiving Party’s written records; or is independently developed by a Receiving Party without reference to, reliance on, or use of the disclosing Participant’s Confidential Participant Information.
“Covered Entity” shall have the meaning set forth at 45 C.F.R. § 160.103 and shall also include the following as these terms are defined in California Civil Code § 56.05: “provider of health care,” “health care service plan,” and “licensed health care professional.”
“Effective Date” shall mean January 31, 2023.
“Governance Entity” shall mean the entity within the California Health and Human Services Agency established to oversee the California Data Exchange Framework, the Framework’s Data Sharing Agreement and its Policies and Procedures.
“Governmental Participants” shall mean those Participants that are local (e.g. municipalities, counties), state, tribal, or federal entities.
“Health and Social Services Information” shall mean any and all information received, stored, processed, generated, used, transferred, disclosed, made accessible, or shared pursuant to this Agreement, including but not limited to: (a) Data Elements as set forth in the applicable Policy and Procedure; (b) information related to the provision of health care services, including but not limited to PHI; and (c) information related to the provision of social services. Health and Social Services Information may include PHI, PII, de- identified data (as defined in the HIPAA Regulations at 45 C.F.R. § 164.514), anonymized data, pseudonymized data, metadata, digital identities, and schema.
“HIPAA Regulations” shall mean the standards for privacy of individually identifiable health information, the security standards for the protection of electronic protected health information and the breach notification rule (45 C.F.R. §§ 160 and 164) promulgated by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as in effect on the Effective Date and as may be amended, modified, or renumbered.
“Individual User” shall mean the person who is the subject of PHI or PII.
“Participant(s)” shall mean each health care organization as set forth in California Health and Safety Code
§ 130290(f) and any other person or organization that is a signatory to this Agreement. Participants may include, but are not limited to, a health information network, a community information exchange, a laboratory, a health system, a health IT developer, a community-based organization, a payer, a government agency, a research institute, or a Social Services Organization.
“Personally Identifiable Information” or “PII” shall have the same meaning as “Personal Information” set forth in Section 1798.140(o) of the California Civil Code, but shall be limited to PII exchanged pursuant to this Agreement.
“Personal Representative” shall refer to a person who, under Applicable Law, has authority to act on behalf of an individual as set forth in 45 C.F.R. § 164.502(g).
“Policies and Procedures” shall mean the policies and procedures adopted by the Governance Entity
pursuant to this Agreement.
“Protected Health Information” or “PHI” shall refer to “protected health information” as set forth at 45
C.F.R. § 160.103 of the HIPAA Regulations and “medical information” as set forth at Civil Code § 56.05.
“Qualified Health Information Organization” or “Qualified HIO” shall mean a state-designated data exchange intermediary that facilitates the exchange of Health and Social Services Information between Participants.
“Recipient” shall mean a Participant that receives Health and Social Services Information from a Submitter. For purposes of illustration only, Recipients include, but are not limited to, Participants who receive queries, responses, subscriptions, publications or unsolicited messages.
“Social Services” shall mean the delivery of items, resources, and/or services to address social determinants of health and social drivers of health, including but not limited to housing, foster care, nutrition, access to food, transportation, employment, and other social needs.
“Social Services Organization” shall mean a person or entity whose primary business purpose is to provide Social Services to individuals. Social Services Organizations can include but are not limited to government entities (including multi-department health and human services agencies), community-based organizations, nonprofits, and private entities.
“Specifications” shall mean the specifications adopted by the Governance Entity pursuant to this Agreement to establish (i) minimum data content required for particular data exchange use cases and (ii) technical and security requirements to enable the Participants to exchange Health and Social Services Information. Specifications may include, but are not limited to, specific network standards, services, and policies.
“Submitter” shall mean a Participant that submits Health and Social Services Information to a Recipient.
“System” shall mean software, portal, platform, or other electronic medium controlled by a Participant through which the Participant conducts Health and Social Services Information exchange-related activities. For purposes of this definition, it shall not matter whether the Participant controls the software, portal, platform, or medium through ownership, lease, license, or otherwise.
“Treatment” shall have the same meaning as set forth at 45 C.F.R. § 164.501 of the HIPAA Regulations.
- USE OF HEALTH AND SOCIAL SERVICES INFORMATION
- Required, Permitted and Prohibited Purposes. The purposes for which the Participants shall or may acquire, access, use, and disclose Health and Social Services Information pursuant to this Agreement, and the purposes for which the Participants may not acquire, access, use or disclose Health and Social Services Information pursuant to this Agreement, shall be set forth in the Policies and Procedures.
- POLICIES AND PROCEDURES AND SPECIFICATIONS
- Compliance with Terms of this Agreement. Participants shall at all times abide by this Agreement, including the Policies and Procedures and Specifications.
- Incorporation; Modifications. The Policies and Procedures, the Specifications, and any future updates to either of them are hereby incorporated by reference into this Agreement. The Policies and Procedures and Specifications are intended to be flexible to address changing needs and standards and may be modified from time to time through the process outlined in the Policies and Procedures without a need to modify or re-execute this Agreement.
- Health Equity. In order to reduce healthcare disparities, the Specifications shall set forth standards that advance health equity.
- To the extent required by Applicable Law, Participants shall not disclose PHI or PII to another Participant unless a legally valid Authorization has been obtained. For the avoidance of doubt, Participants shall not be required to obtain an Authorization prior to disclosing PHI or PII pursuant to this Agreement unless an Authorization is required under Applicable Law. Any disclosure of Health and Social Services Information by a Submitter shall be deemed an express representation that the Submitter has complied with this Section and unless the Recipient has actual knowledge to the contrary, the Recipient may reasonably and justifiably rely upon such representation.
- REQUIREMENT TO EXCHANGE HEALTH AND SOCIAL SERVICES INFORMATION
- Each Participant shall engage in the exchange of Health and Social Services Information as set forth in the Policies and Procedures, either through execution of an agreement with a Qualified HIO, through execution of an agreement with another entity that provides data exchange, or through use of the Participant’s own technology. If a Participant elects not to execute an agreement with a Qualified HIO and instead elects to use its own technology or to execute an agreement with another entity that provides data exchange, the Participant must comply with or obtain reasonable assurances that the other entity enables the Participant to comply with, the minimum requirements for data exchange set forth in the Policies and Procedures or Specifications.
- Participants shall engage in the real-time exchange of Health and Social Services Information in accordance with the timeframes set forth in the Policies and Procedures.
- PRIVACY AND SECURITY
- General. Each Participant shall at all times fully comply with all Applicable Law relating to this Agreement and the use of Health and Social Services Information.
- Safeguards. Each Participant shall be responsible for maintaining a secure environment that supports the exchange of PHI or PII as set forth in the Policies and Procedures.
- Individual User Education. Participants shall use tools, resources, and technical assistance made available by the California Health and Human Services Agency to help Individual Users and/or their Personal Representatives understand the benefits of information sharing and for obtaining informed consent.
- MINIMUM NECESSARY
- Any use or disclosure of PHI or PII pursuant to this Agreement will be limited to the minimum PHI or PII necessary to achieve the purpose for which the information is shared, except where limiting such use or disclosure to the minimum necessary (i) is not feasible, (ii) is not required under the HIPAA Regulations (such as for Treatment) or any other Applicable Law, (iii) is a disclosure to an Individual User or Individual User’s Personal Representative, (iv) is a disclosure pursuant to an Individual User’s Authorization, or (v) is a disclosure required by Applicable Law.
- INDIVIDUAL ACCESS SERVICES
- Bidirectional Access to Health Information. An Individual User or an Individual User’s Personal Representative shall have the right to inspect, obtain a copy of, and have bidirectional electronic access to, PHI or PII about the Individual User as set forth in the Policies and Procedures and to the extent consistent with Applicable Law.
- COOPERATION AND NON-DISCRIMINATION
- Each Participant shall
- Cooperate in good faith with the Governance Entity and all other Participants to implement the provisions of this Agreement;
- Provide such non-privileged information to the Governance Entity and any other Participant as they may reasonably request for purposes of performing activities related to this Agreement;
- Actively engage in the bilateral or multilateral exchange of information with other Participants as both a Submitter and Recipient of information to the extent permitted or required under this Agreement and Applicable Law;
- Devote such time as may reasonably be requested by the Governance Entity to review information, meet with, respond to, and advise the Governance Entity or other Participants with respect to activities as they relate to this Agreement;
- Provide such reasonable assistance as may be requested by the Governance Entity when performing activities as they relate to this Agreement; and
- Provide any requested information and assistance to the Governance Entity or other Participants in the investigation of breaches and disputes, subject to a Participant’s right to restrict or condition its cooperation or disclosure of information in the interest of (A) preserving privileges in any foreseeable dispute or litigation or (B) protecting its Confidential Participant Information. In no case shall a Participant be required to disclose PHI or PII in violation of Applicable Law.
- In seeking another Participant’s cooperation, each Participant shall make all reasonable efforts to accommodate the other Participant’s schedules and reasonable operational concerns. A Participant shall promptly report, in writing, to any other Participant and the Governance Entity, any problems or issues that arise in working with the other Participant’s employees, agents, or subcontractors that threaten to delay or otherwise adversely impact a Participant’s ability to fulfill its responsibilities under this Agreement. This writing shall set forth in detail and with clarity the problems that the Participant has identified.
- Prohibition on Exclusivity. A Participant may not require exclusivity or otherwise prohibit (or attempt to prohibit) any other Participant, entity, or individual from joining or exchanging Health and Social Services Information under this Agreement.
- No Discriminatory Limits on Exchange of Health and Social Services Information. A Participant shall not unfairly or unreasonably limit exchange or interoperability with any other Participant or Individual User, such as by means of burdensome testing requirements that are applied in a discriminatory manner or other means that limit the ability of a Participant to send or receive Health and Social Services Information with another Participant or Individual User or slows down the rate at which such Health and Social Services Information is sent or received if such limitation or slower rate would have an anti-competitive effect.
- INFORMATION BLOCKING
- Participants shall comply with any information-blocking provisions set forth in the Policies and Procedures.
- LEGAL REQUIREMENTS
- Monitoring and Auditing. The Governance Entity, acting through its agents and independent contractors, shall have the right, but not the obligation, to monitor and audit Participants’ compliance with their obligations under this Agreement. Unless prohibited by Applicable Law, Participants shall cooperate with the Governance Entity in these monitoring and auditing activities and shall provide, upon the reasonable request of the Governance Entity, complete and accurate information in the furtherance of its monitoring and auditing activities. To the extent that any information provided by Participants to the Governance Entity in connection with such monitoring and auditing activities constitutes Confidential Participant Information, the Governance Entity shall hold such information in confidence and shall not redisclose such information to any person or entity except as required by Applicable Law.
- Individual User Opt Out. Nothing in this Agreement shall prohibit an Individual User or an Individual User’s Personal Representative from opting out of having the Individual User’s PHI or PII exchanged pursuant to this Agreement.
- REPRESENTATIONS AND WARRANTIES
Each Participant hereby represents and warrants the following:
- Execution of the Agreement. Each Participant has full power and authority to enter into and perform this Agreement and has taken whatever measures necessary to obtain all required approvals or consents in order for it to execute this Agreement. The representatives signing this Agreement on behalf of the Participants affirm that they have been properly authorized and empowered to enter into this Agreement on behalf of the Participant.
- Compliance with this Agreement. Except to the extent prohibited by Applicable Law, each Participant shall comply fully with all provisions of this Agreement. To the extent that a Participant delegates its duties under this Agreement to a third party (by contract or otherwise) and such third party will have access to Health and Social Services Information, that delegation shall be in writing and require the third party, prior to exchanging Health and Social Services Information with any Participants, to agree to the same restrictions and conditions that apply through this Agreement to a Participant. If a Governmental
Participant determines, after reasonable diligence, that any action or inaction relative to an obligation, including conformance to changes in the Specifications or Policies and Procedures, will cause it to violate Applicable Law, the Governmental Participant may terminate this Agreement immediately upon sending written notice to the Governance Entity.
- Accuracy of Health and Social Services Information. When acting as a Submitter, each Participant represents that at the time of transmission, the Health and Social Services Information it provides is an accurate representation of the data contained in, or available through, its System and is (i) sent from a System that employs security controls that meet industry standards so that the Health and Social Services Information being transmitted is intended to be free from malicious software, and (ii) provided in a timely manner and in accordance with the Policies and Procedures. Other than those representations elsewhere in this Agreement, the Submitter makes no other representation, express or implied, about the Health and Social Services Information.
- Express Warranty of Authority to Exchange Health and Social Services Information. To the extent each Participant discloses Health and Social Services Information to another Participant, the Participant represents and warrants that it has sufficient authority to disclose such Health and Social Services Information.
- Third-Party Technology. All Participants acknowledge that other Participants use technology solutions, applications, interfaces, software, platforms, clearinghouses, and other IT resources to support exchange of Health and Social Services Information that may be provided by third parties (“Third-Party Technology”). Each Participant shall have agreements in place that require Third-Party Technology vendors (i) to provide reliable, stable, and secure services to the Participant and (ii) to adhere to the same or similar privacy and security standards applicable to the Participant pursuant to this Agreement. However, all Participants acknowledge that Third-Party Technology may be interrupted or not available at times and that this could prevent a Participant from transmitting Health and Social Services Information. Participants do not make any representations or warranties as to their Third-Party Technology.
- TERM, SUSPENSION, AND TERMINATION
- Term. This Agreement shall commence on the Effective Date and shall continue until terminated in accordance with this Section or the Policies and Procedures.
- Termination by a Participant. A Participant that is not legally required to sign this Agreement by California Health and Safety Code § 130290 may terminate this Agreement, with or without cause, by giving the Governance Entity at least ten (10) business days’ prior written notice.
- Effect of Termination. Upon any termination of this Agreement for any reason, the terminated party shall cease to be a Participant and thereupon and thereafter that party shall have no rights under this Agreement to exchange data with other Participants. In the event that any Participant(s) is terminated, this Agreement will remain in full force and effect with respect to all other Participants. Termination of this Agreement shall not affect any rights or obligations which by their terms should survive termination or expiration.
- Enforcement Action. The Participants hereby grant to the Governance Entity the power to enforce any portion of this Agreement through measures set forth in the Policies and Procedures. Such measures may include, but are not limited to, suspension or termination of a Participant’s right to exchange Health and Social Services Information under this Agreement.
- PARTICIPANT LIABILITY
- Participant Liability. Each Participant shall be responsible for its acts and omissions and not for the acts or omissions of any other Participant. Notwithstanding any provision in this Agreement to the contrary, Participant shall not be liable for any act or omission if a cause of action for such act or omission is otherwise prohibited by Applicable Law. This Section shall not be construed as a hold harmless or indemnification provision.
- MISCELLANEOUS/GENERAL PROVISIONS
- Governing Law. The construction, interpretation and performance of this Agreement shall be governed and enforced pursuant to the laws of the State of California, without giving effect to its conflicts of laws provisions, except to the extent California law is preempted by any provision of federal law.
- Jurisdiction and Venue. Each Participant hereby submits to the exclusive jurisdiction of any state or federal court sitting in the state of California within twenty-five (25) miles of Sacramento, California in any legal proceeding arising out of or relating to this Agreement unless otherwise required by Applicable Law. Each Participant hereby agrees that all claims and matters arising out of this Agreement may be heard and determined by such court, and each Party hereby waives any right to object to such filing on grounds of improper venue, forum non-conveniens, or other venue-related grounds.
- Assignment. No party shall assign or transfer this Agreement, or any part thereof, without the express written consent of the Governance Entity, which shall not be unreasonably delayed or denied. Any assignment that does not comply with the requirements of this Section 17(c) shall be void and have no binding effect.
- Survival. All Sections which by their nature are meant to survive this Agreement shall survive expiration or termination of this Agreement.
- Waiver. No failure or delay by any party in exercising its rights under this Agreement shall operate as a waiver of such rights, and no waiver of any right shall constitute a waiver of any prior, concurrent, or subsequent right.
- Captions. Captions appearing in this Agreement are for convenience only and shall not be deemed to explain, limit or amplify the provisions of this Agreement.
- Entire Agreement. This Agreement sets forth the entire agreement among the parties relative to the subject matter hereof. Any representation, promise, or condition, whether oral or written, not incorporated herein shall not be binding upon any party. This Agreement may only be modified in the manner provided in the Policies and Procedures.
- Validity of Provisions. In the event that a court of competent jurisdiction shall hold any Section or any part or portion of any Section of this Agreement invalid, void, or otherwise unenforceable, each and every remaining Section or part or portion thereof shall remain in full force and effect.
- Priority. In the event of any conflict or inconsistency between a provision in the body of this Agreement and the Policies and Procedures or the Specifications, the terms contained in the Policies and Procedures or the Specifications shall prevail, except to the extent they conflict with Applicable Law.
- Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be considered an original counterpart, and shall become a binding agreement when each party shall have executed one counterpart.
- Third-Party Beneficiaries. With the exception of the parties to this Agreement, there shall exist no right of any person to claim a beneficial interest in this Agreement or any rights occurring by virtue of this Agreement.
- Force Majeure. No party shall be responsible for any delays or failures in performance caused by the occurrence of events or other circumstances that are beyond its reasonable control after the exercise of commercially reasonable efforts to either prevent or mitigate the effect of any such occurrence or event.
Time Periods. Any of the time periods specified in this Agreement may be changed pursuant to the mutual written consent of the Governance Entity and the affected Participant(s).