This bill creates the California Health and Human Services Data Exchange Framework: a technology‑agnostic system of rules, a single data‑sharing agreement, and common policies that require many California health care organizations and public agencies to exchange electronic health information in real time using national standards. The Department of Health Care Access and Information (DHCAI) administers the framework, with a stakeholder advisory group to shape standards, policy, and demographic and social‑needs data collection.
The law matters because it moves California from a patchwork of interfaces and contracts toward a unified interoperability baseline enforced through contracting and public disclosure, while also exempting specified sensitive topics and narrowing administrative rulemaking. That mix creates both operational pressure on providers and plans to meet technical and governance requirements and legal questions about privacy, implementation timelines, and enforcement mechanisms.
At a Glance
What It Does
The bill requires covered hospitals, medical groups, insurers, labs, and other named entities to execute a single data‑sharing agreement and to exchange or provide access to electronic health information in real time under national standards; DHCAI manages the framework and publishes updates. It aligns required content with federal rules (45 C.F.R. §171.102 and CMS interoperability rules) and excludes certain sensitive categories from mandatory exchange.
Who It Affects
General acute care hospitals, physician organizations and medical groups, skilled nursing facilities with EHRs, health plans and disability insurers regulated by DMHC or DOI (and certain Medi‑Cal plans), clinical labs, acute psychiatric hospitals, and EMS — plus state and county agencies that participate in health and social services data exchange.
Why It Matters
By making execution of the framework a condition of major state contracts and by publicly naming noncompliant entities, the law creates carrots and sticks that can rapidly raise interoperability across the state. It also centralizes governance at DHCAI and shapes what demographic and social‑needs data California will standardize and collect for care coordination and policy.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The statute builds a statewide interoperability framework that is not a single database but a set of binding policies, one data‑sharing agreement, and technical expectations that let participating organizations exchange information over any compliant network. DHCAI (the Department of Health Care Access and Information) is given operational responsibility to adopt, publish, and update the framework, and to manage compliance activities and technical assistance.
The framework must align with federal privacy and interoperability rules while reducing duplicate reporting across programs.
Timing and thresholds are granular. Most named provider and payer categories must exchange or provide access to health information in real time by the deadlines set in the law, but the bill phases in compliance for smaller practices, certain hospital types, and other facilities on later dates.
The law explicitly excludes sharing information about abortion, gender‑affirming care, immigration or citizenship status, and place of birth from the mandatory exchange requirements. It also sets minimum data content expectations for providers (aligned to 45 C.F.R. §171.102 as of April 15, 2025) and for payers (aligned to CMS interoperability requirements as of the same date).Governance is split between DHCAI and a capped stakeholder advisory group that the director appoints.
The advisory group — limited to 17 voting members and balanced so signatories cannot hold more than half the votes — advises on policy, standards, data elements (including social determinants of health and demographic detail), identity management, and equity considerations. DHCAI must publish proposed updates with public review windows and post lists of entities deemed noncompliant; it may develop enforcement processes and will deliver a multi‑part report to the Legislature assessing signatory status, governance options, technical assistance needs, and consumer experience.The statute also allows the department to contract for implementation work with procurement exemptions and forbids contracted individuals or firms from holding a financial interest in the framework or being affiliated with a required participant.
Finally, the law exempts most implementation actions from the Administrative Procedure Act, directing notice through programmatic releases rather than full formal rulemaking.
The Five Things You Need to Know
The law requires most listed provider and payer categories to exchange or provide real‑time access to electronic health information, generally effective January 31, 2024, with specific later compliance dates for certain provider types.
It exempts mandatory exchange for physician practices with fewer than 25 physicians, certain small and rural hospitals and clinics, and delays requirements for some facilities until 2026 or 2029 as specified.
The statute prohibits mandatory exchange of information related to abortion, abortion‑related services, gender‑affirming care, immigration or citizenship status, and place of birth.
Data content obligations are tied to federal standards: hospital/clinic data must meet 45 C.F.R. §171.102 (as of April 15, 2025) and payer data to CMS interoperability rules (CMS‑9115‑F) as of the same date.
DHCAI must publish noncompliance lists beginning January 1, 2027, may develop enforcement mechanisms after appropriation, and must deliver a comprehensive legislative report by July 1, 2027.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Creates the statewide framework and defines scope
This provision establishes the California Health and Human Services Data Exchange Framework as a policy and contractual construct rather than a centralized database. It mandates a single data‑sharing agreement and a common set of policies and procedures, requires alignment with federal privacy laws (HIPAA, CMIA) and specified Welfare and Institutions Code sections, and sets the Department of Health Care Access and Information as the operational lead beginning January 1, 2026. Practically, this means DHCAI will be the clearinghouse for version control, publication, and governance decisions about what counts as required data and acceptable exchange methods.
Minimum data content thresholds tied to federal rules
The statute sets the minimum scope of ‘health information’ for different classes of entities by referencing federal definitions: hospitals and clinical providers must share at least the electronic health information described in 45 C.F.R. §171.102 as of April 15, 2025, while insurers must meet CMS interoperability requirements from the same date. That approach pins California’s baseline to specific federal artifacts and creates an explicit update cadence anchored to those external standards rather than to bespoke state lists.
Mandatory exchange obligations, timelines, and carve‑outs
This section spells out who must exchange data and by when, with phased compliance windows and explicit carve‑outs. The general obligation is real‑time exchange by January 31, 2024, but the law delays requirements for small physician practices and certain rural or specialty facilities until later dates, and postpones obligations for entities covered by Section 1180.2 until 2029. Crucially, it exempts certain sensitive categories of information (abortion, gender‑affirming care, immigration status, place of birth) from mandatory exchange, creating both operational boundaries and privacy protections that implementers must respect in their consent and access controls.
Stakeholder advisory group — composition, role, and limits
The director must convene a stakeholder advisory group capped at 17 voting members with a balance requirement so that signatories to the data‑sharing agreement cannot hold a majority. The group advises on standards, additional data elements (including social determinants and demographic categories), identity management, privacy/security/equity risks, governance models, and funding sources. The law authorizes the group to vote on recommendations for updates, but DHCAI retains discretion to adopt changes — the group is advisory, not authoritative.
Who must sign and how compliance ties to state contracts
The bill lists specific entity types (general acute care hospitals, physician organizations and medical groups, skilled nursing facilities with EHRs, DMHC/DOI‑regulated plans and certain Medi‑Cal plans, clinical labs, acute psych hospitals, EMS) that must execute the data‑sharing agreement. Beginning July 1, 2026, DHCS, CalPERS, and Covered California must require compliance as a condition of contracting for or providing health care coverage — a contractual enforcement lever intended to bring payers and providers into the framework without creating new licensing sanctions.
Identity strategy and contracting authorities
The department must produce a strategy for unique, secure digital identities and master person indices, and it may hire contractors, hire staff, and run programs with specified procurement exemptions. Contracts are exempt from several state procurement and DGS review provisions, but contractors and hires are barred from having financial interests or affiliations with required participants. This accelerates procurement flexibility while attempting to guard against conflicts of interest; implementers will have to manage those ethical and legal boundaries during vendor selection.
Oversight, transparency, exemptions from rulemaking, and reporting
DHCAI administers and enforces the framework, must provide a minimum public review window for updates, and is required to publish approved updates well before their effective dates (with limited exceptions). The department must publish names of known noncompliant entities starting January 1, 2027, and, after appropriation, may pursue formal enforcement under the Administrative Procedure Act. Despite that, most implementation actions (data sharing agreement, requirements, policies, guidelines) are exempted from APA rulemaking, with the department using program notices instead; DHCAI must also deliver a detailed report to the Legislature by July 1, 2027, evaluating signatory status, governance options, technical assistance needs, enforcement frameworks, and consumer experience.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Patients with frequent interaction across systems — they gain more comprehensive, real‑time data availability to support coordinated care, transitions, and potentially faster social‑needs referrals because the framework standardizes what data flows and how.
- County public health and social services agencies — alignment to state standards and prioritized inclusion in the framework reduces technical barriers for counties that previously struggled to connect with multiple health systems and enables broader population‑level surveillance and care coordination.
- Community health information organizations and health IT vendors that adhere to national standards — they stand to expand business by providing compliant exchange services, identity linkage, translation/mapping, and technical assistance under the framework.
- Consumer advocates focused on equity and SDOH — the advisory group mandate to standardize demographic and health‑related social needs data creates an explicit pathway to better measure and address disparities.
- Large payers and integrated delivery systems that can absorb interoperability costs more easily — they will benefit operationally from fewer custom integrations and clearer contractual expectations.
Who Bears the Cost
- Small and medium‑size physician practices and clinics — even where phased in, many will need new interfaces, identity matching, and workflows to comply, creating capital and staffing costs.
- Health plans and providers contracting with state purchasers (DHCS, CalPERS, Covered CA) — they face contractual pressure to conform by July 2026 and may need legal and technical work to meet data content and exchange standards.
- The Department of Health Care Access and Information — DHCAI inherits design, operational, and enforcement responsibilities and will need appropriations and staffing to run the advisory process, publish updates, provide technical assistance, and manage compliance transparency.
- Vendors and contractors selected under procurement exemptions — while they gain business, they must rapidly meet conflict‑of‑interest constraints and secure sensitive identity and clinical data, increasing compliance and liability burdens.
- Behavioral health and specialty providers — the exclusion of specific sensitive categories narrows mandated exchange but raises operational complexity because systems will need fine‑grained access controls and decision rules to segregate or withhold certain records.
Key Issues
The Core Tension
The bill forces a trade‑off between faster, statewide interoperability to improve care coordination and the need to preserve patient privacy for sensitive services: accelerating mandatory, real‑time exchange reduces fragmentation and administrative burden, but doing so risks over‑sharing or functional exclusion of critical data unless systems, governance, and consent controls are highly sophisticated and well‑resourced.
The bill tries to square broad, real‑time interoperability with privacy protections by excluding specified sensitive categories from mandatory exchange. That carve‑out protects certain clinical domains but raises implementation complexity: systems must be able to tag, filter, and withhold discrete data elements for some uses but not others, and existing EHRs and HIE networks may lack the metadata or consent mechanisms to do this reliably.
The law’s tie to federal standards simplifies content decisions but also imports dependency: if federal rules change, California will inherit those shifts and must reconcile timing and scope for state participants.
Two statutory design choices create practical tensions. First, DHCAI can move quickly because many implementation actions are exempt from the Administrative Procedure Act and procurement review, but that speed reduces formal procedural safeguards and could compress stakeholder input into advisory processes rather than rulemaking.
Second, the use of contracting and public naming as enforcement levers avoids new licensing sanctions but may produce uneven compliance: entities without state contracts or with limited public visibility might lag, and public naming could create reputational pressure without established appeal procedures. Finally, the push to collect individual‑level demographic and social‑needs data aims to improve equity measurement, yet it raises privacy, consent, and secondary‑use risks — especially where sensitive services intersect with demographic fields and identity matching across systems.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.