AB 1926 establishes a statewide Health Care Payments Data Program that directs a state department to build a centralized repository of payer-submitted health care payments and related data. The statute gives the department authority to require data submissions, set technical and timing standards, and accept voluntary data, with the stated goal of supporting analysis of prices, utilization, nonclaims payment practices, and public‑health research.
This changes how California collects and links payer information: the bill pulls together fee‑for‑service and alternative payment data, pricing and nonclaims payment details, pharmacy rebate data, enrollment and provider files, and — notably — personally identifiable and personal health information when already collected by submitters. For compliance officers and data stewards at plans, insurers, and large employers, the statute creates a new, potentially costly data pipeline and raises privacy, governance, and operational questions that the implementing regulations must resolve.
At a Glance
What It Does
The bill requires the department to develop guidance and adopt regulations to collect, validate, refine, analyze, and maintain health care payments data from mandatory and voluntary submitters. It specifies core submissions—claims/encounters, enrollment, provider files, pricing (contracted rates, allowed amounts, fee schedules), nonclaims payments (deductibles, copays, coinsurance), and pharmacy rebates—and allows the department to set file formats, frequencies, and thresholds.
Who It Affects
Mandatory submitters include licensed health care service plans, health insurers (including dental‑only), certain self‑insured plans and public employers, and the State Department of Health Care Services for Medi‑Cal enrollee data; a broader class (self‑insured employers not subject to Section 1349.2, multiemployer plans, providers, hospitals, and certain suppliers) may submit voluntarily. The department itself and research/public‑health users will be primary internal stakeholders.
Why It Matters
By combining payments, pricing, enrollment, and nonclaims payment data in one system, the program aims to enable detailed cost-of-care and equity analyses that existing fragmented datasets cannot deliver. For payers and plan administrators, the bill creates a centralized reporting obligation; for analysts and policymakers, it promises more granular evidence on prices, payment methods, and population coverage—if the data are high quality and accessible.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 1926 directs “the department” to design and implement a Health Care Payments Data Program that centralizes payer-submitted data to support analyses of utilization, costs, and public health. The department must produce guidance that lays out a methodology for collecting, validating, refining, comparing, and improving the data it receives.
Those processes are intended to cover traditional payment flows (fee‑for‑service) and newer arrangements (capitation, integrated delivery systems, value‑based payments and other nonclaims payment mechanisms).
The statute lists broad categories of data to be collected: utilization (from payments or encounter records where payments are not used), pricing and payment details (contracted rates, allowed amounts, fee schedules, and nonclaims-based components needed to calculate total cost), enrollment and eligibility, provider and supplier files, pharmacy rebate data, and both personally identifiable information (PII) and personal health information (PHI) that mandatory submitters are already required to collect. The text makes PII and PHI eligible for submission so long as they are subject to the chapter’s privacy protections and not publicly disclosed unless the statute permits it.Who must submit is spelled out: licensed health care service plans and insurers (including dental-only), self‑insured plans covered by Section 1349.2 and certain public and multiemployer plans, and the State Department of Health Care Services for Medi‑Cal enrollees.
The department may also accept voluntary submissions from other self‑insured employers, multiemployer plans, hospital or clinic providers, and certain suppliers. The law directs the department to consider national APCD (all‑payer claims database) standards when establishing file formats, content and submission timelines, and to set plan‑size thresholds that take implementation cost into account.Operationally, the bill requires the department to adopt emergency regulations (the text cites an adoption deadline) to implement thresholds, exempted lines of business, coordination where third‑party administrators handle benefits, content and file formats, and submission frequency for core data and for nonclaims payment files.
It also requires the department to seek a three‑year historical data window at initial implementation and to maintain, at minimum, a rolling three‑year dataset in ongoing operation. The department is directed to incorporate existing departmental data sources—hospital discharge, emergency care, and ambulatory surgery records—where possible, and may accept additional information that furthers program goals.The statute contains specific governance and reporting hooks: the department must report to the Legislature with a snapshot of claims, voluntary and mandatory data coverage, completeness by geographic region, counts of covered lives and submitters, an estimate of costs if providers and suppliers become mandatory submitters, and the number and uses of data requests.
The text also creates a narrow statutory carve‑out: entities regulated under Insurance Code Article 4.7 are exempt, the program is designated to perform public health activities consistent with 45 C.F.R. §164.512(b), and a California Civil Code privacy provision (Article 8, Section 1798.30) does not apply to system records collected under this chapter.
The Five Things You Need to Know
The bill permits the department to collect personally identifiable information (name, address, date of birth, Social Security or ITIN) when submitters already collect it, explicitly to enable longitudinal and social‑determinants analyses; that PII is not made public but is subject to the chapter’s privacy protections.
Mandatory submitters are specifically defined and include health care service plans (including specialized plans), insurers licensed under Insurance Code Section 106 (including dental‑only), self‑insured plans subject to Section 1349.2 and certain public employers or joint labor trusts, and the State Department of Health Care Services for Medi‑Cal enrollments.
The department must seek a three‑year lookback at initial implementation and must maintain at least three years of data going forward, while also having authority to request longer histories where needed.
The statute deems initial implementing regulations to be emergency rules (and requires later formal promulgation), and it directs the department to set plan‑size thresholds that may exclude small plans but explicitly do not apply to qualified health plans offered through the Exchange or to submitters covering more than 50,000 Californians across Medicare Advantage and specified private plans.
Entities regulated under Article 4.7 of the Insurance Code are exempt from the chapter, and the law identifies the program’s activities as public‑health work under 45 C.F.R. §164.512(b), affecting how HIPAA considerations apply.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Department must build methodology and guidance for the program
This provision requires the department to create guidance covering the full lifecycle of the data—collection, validation, refinement, analysis, comparison, review, and improvement. Practically, that means the department must decide the technical standards, validation rules, deduplication/linkage approach, and quality metrics it will use. Those methodological choices will determine how usable the dataset is for cost‑of‑care analyses and for linking claims across payers and time periods.
Defines required data categories (claims/encounters, pricing, PII, PHI, nonclaims payments)
The statute explicitly lists what the department may and must collect: utilization (claims or encounter data consistent with APCD core elements), pricing and payment detail (contracted rates, allowed amounts, fee schedules), enrollment, provider/supplier lists, nonclaims payment components (deductibles, copays, coinsurance), and pharmacy rebates. It also permits submission of PII and PHI that submitters already collect. That breadth aims to capture total cost of care but raises practical questions about harmonizing multiple payment models and protecting sensitive data.
Who must and may submit data
The bill names mandatory submitters—health care service plans, licensed insurers (including dental), certain self‑insured plans and public employers, and the State Department of Health Care Services (Medi‑Cal). It separately lists voluntary submitters (other self‑insured employers, multiemployer plans, provider hospitals and clinics, certain suppliers). The division into mandatory and voluntary streams lets the department prioritize coverage of the largest payers while leaving room to bring in other sources, but it also creates a two‑tier data quality picture.
Regulatory framework, thresholds, and emergency regulation mechanics
The department must adopt regulations addressing plan size thresholds (with cost considerations), required and exempted lines of business, coordination where TPAs administer benefits, file content and formats, and submission frequency for core and nonclaims data. The bill treats the initial regulations as emergency rules (with a stated deadline) and requires later formal promulgation under California’s administrative procedures—meaning the department may start collecting under emergency authority but must follow up with permanent rulemaking within the statutory timetable.
Operational timing, data horizon, and legislative reporting
The text requires the department to attempt to collect three years of historical data at startup and to maintain at least a rolling three‑year set thereafter. It also assigns the department a detailed reporting duty back to the Legislature (claims reported by mandatory and voluntary submitters, coverage measures, regional completeness, provider capture, frequency of submissions, a cost estimate for making providers mandatory, and counts/uses of data requests). The department may seek help from the data release committee named elsewhere in statute, creating a governance channel for research access and oversight.
Exemptions, public‑health designation, and civil‑code exception
Entities regulated under Insurance Code Article 4.7 are carved out of the program. The bill declares the program performs public health activities per 45 C.F.R. §164.512(b), which affects how HIPAA privacy rules apply and signals an intent to use data for surveillance and public‑health projects. Finally, the statute specifies that a particular California Civil Code privacy provision (Article 8, Section 1798.30) does not apply to records collected under this chapter, narrowing some consumer privacy remedies in favor of program operations.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- State policymakers and analysts — they gain a consolidated dataset that supports price, utilization, and equity analyses across payers and payment methods, improving evidence for rate‑setting, benefit design, and budget decisions.
- Public health researchers and academic institutions — access to linked claims, enrollment, and PII (subject to protections) enables longitudinal studies, population health monitoring, and social‑determinants analyses that fragmented datasets currently impede.
- Medi‑Cal program managers — because DHCS must submit Medi‑Cal data, the program creates a clearer view of Medi‑Cal utilization and payments across delivery models, useful for program evaluation and cost containment.
Who Bears the Cost
- Health plans and insurers (mandatory submitters) — they must build or adapt extract, transform, and load (ETL) processes to deliver standardized files, produce nonclaims payment reports, and potentially disclose detailed contract rates, all of which involve one‑time and ongoing compliance costs.
- Self‑insured employers and multiemployer plans — voluntary submitters may face choices about whether to participate; if later made mandatory, they could incur material reporting and data‑preparation expenses, with the bill explicitly directing the department to estimate those costs.
- The department administering the program — it will need staffing, technical infrastructure, and security investment to receive, match, store, and control access to large volumes of sensitive data; the statute imposes implementation tasks (methodology, regs, reporting) without attaching a funding mechanism in the text.
- Providers and suppliers if later designated mandatory — while currently listed as voluntary in many cases, the bill contemplates the department estimating costs and potentially expanding mandatory reporting to providers, which would shift substantial reporting burdens to hospitals, clinics, and other suppliers.
Key Issues
The Core Tension
The central dilemma is data utility versus data risk: collecting PII and detailed pricing yields the linkage and granularity needed for credible cost, equity, and longitudinal public‑health research, but it also concentrates highly sensitive information and expands the attack surface for misuse or breaches; the statute gives the department broad collection authority but pushes privacy and enforcement specifics into later regulation, forcing a trade‑off between rapid data availability and the time required to build robust safeguards.
The bill pushes for a highly granular dataset—pricing by contracted rate, allowed amount, nonclaims payments, rebates, and even PII to enable longitudinal linkage. That design maximizes analytic value but creates immediate privacy and security obligations.
The statute answers partially by limiting public disclosure and invoking the chapter’s privacy protections, declaring public‑health activity under HIPAA’s public‑health exception, and excluding a specific Civil Code privacy provision, but it leaves many operational protections to implementing regulations (encryption standards, deidentification protocols, access controls, breach notification, and audit trails). Those rulemaking choices will determine whether the program meaningfully protects individuals while allowing researchers usable data.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.