Today's Law As Amended


Bill PDF |Add To My Favorites | print page

SB-582 Health information.(2023-2024)



As Amends the Law Today


SECTION 1.

 Section 1374.196 of the Health and Safety Code is amended to read:

1374.196.
 (a) Commencing January 1, 2024, to facilitate patient and provider access to health information, a health care service plan shall establish and maintain the following application programming interfaces (API) for the benefit of enrollees and contracted providers, as applicable:
(1) Patient access API, as described in Section 422.119 (a) to (e), inclusive, of Title 42 of the Code of Federal Regulations.
(2) Provider directory API, as described in Section 422.120 of Title 42 of the Code of Federal Regulations.
(3) Payer-to-payer exchange API, as described in Section 422.119(f) of Title 42 of the Code of Federal Regulations.
(b) (a)  In addition to the API described in subdivision (a), the department may The department shall  require a health care service plan to establish and maintain the following API  application programming interfaces (API)  if and when final rules are published by the federal government:
(1) Patient access API.
(2) Payer-to-payer exchange API.
(1) (3)  Provider access API.
(2) (4)  Prior authorization support  requirements, documentation, and decision  API.
(c) (b)  API described in subdivision (b) (a)  shall be in accordance with standards published in a final rule issued by the federal Centers for Medicare and Medicaid Services and published in the Federal Register, and shall align with federal effective dates, including enforcement delays and suspensions, issued by the federal Centers for Medicare and Medicaid Services.
(d) (c)  This section does not limit existing requirements under this chapter, including, but not limited to, Section 1367.27.
(d) Dental or vision benefits offered by a health care service plan or specialized health care service plan are excluded from the requirements of this section.

SEC. 2.

 Section 123148 of the Health and Safety Code is amended to read:

123148.
 (a) Notwithstanding any other law, a health care professional at whose request a test is performed shall provide or arrange for the provision of the results of a test to the patient who is the subject of the test if so requested by the patient, in oral or written form. The results shall be disclosed in plain language and in oral or written form, except the results may be disclosed in electronic form if requested by the patient unless deemed inappropriate by the health care professional who requested the test. The telephone shall not be considered an electronic form of disclosing test results subject to the limits on electronic disclosure of test results for the purpose of this section.
(b) (1) Consent of the patient to receive their test results by internet posting or other electronic means shall be obtained in a manner consistent with the requirements of Section 56.10 or 56.11 of the Civil Code. In the event that a health care professional arranges for the provision of test results by internet posting or other electronic manner, the results shall be disclosed to a patient in a reasonable time period. Access to test results shall be restricted by the use of a secure personal identification number when the results are disclosed to a patient by internet posting or other electronic manner.
(2) Paragraph (1) shall not prohibit direct communication by internet posting or the use of other electronic means to disclose test results by a treating health care professional who ordered the test for their patient or by a health care professional acting on behalf of, or with the authorization of, the treating health care professional who ordered the test.
(c) When a patient requests access to their test results by internet posting, the health care professional shall advise the patient of any charges that may be assessed directly to the patient or insurer for the service and that the patient may call the health care professional for a more detailed explanation of the laboratory test results when delivered.
(d) The electronic disclosure of test results under this section shall be in accordance with any applicable federal law governing privacy and security of electronic personal health records. However, any state statute that governs privacy and security of electronic personal health records, shall apply to test results under this section and shall prevail over federal law if federal law permits.
(e) The test results to be reported to the patient pursuant to this section shall be recorded in the patient’s medical record, and shall be reported to the patient within a reasonable time period after the test results are received by the health care professional who requested the test.
(f) Notwithstanding subdivision (a), unless the patient requests the disclosure, the health care professional deems this disclosure as an appropriate means, and a health care professional has first discussed in person, by telephone, or by any other means of oral communication, the test results with the patient, in compliance with any other applicable laws, or the patient and health care professional have discussed the potential impact of the results and the patient elects to receive them without delay,  none of the following test results and any other related results shall be disclosed to a patient by internet posting or other electronic means:
(1) (A) A positive HIV test, unless an HIV test subject is anonymously tested and the test result is posted on a secure internet website and can only be viewed with the use of a secure code that can access only a single set of test results and that is provided to the patient at the time of testing. The test result shall be posted only if there is no link to any information that identifies or refers to the subject of the test and the information required pursuant to subdivision (h) of Section 120990 is provided.
(B) Subparagraph (A) does not prevent the disclosure of HIV test results, including viral load and CD4 count test results, to a patient living with HIV by secure internet website or other electronic means if the patient has previously been informed about the results of a positive HIV test pursuant to the requirements of this section.
(2) Presence of antigens indicating a hepatitis infection.
(3) Abusing the use of drugs.
(4) Test results related to routinely processed tissues  and imaging scans that reveal a new or recurrent malignancy.
(g) Patient identifiable test results and health information that have been provided under this section shall not be used for any commercial purpose without the consent of the patient, obtained in a manner consistent with the requirements of Section 56.11 of the Civil Code. In no event shall patient identifiable HIV-related test results and health information disclosed in this section be used in violation of subdivision (f) of Section 120980.
(h) A third party to whom test results are disclosed pursuant to this section shall be deemed a provider of administrative services, as that term is used in paragraph (3) of subdivision (c) of Section 56.10 of the Civil Code, and shall be subject to all limitations and penalties applicable to that section.
(i) A patient may not be required to pay a cost, or be charged a fee, for electing to receive their test results in a manner other than by internet posting or other electronic form.
(j) A patient or their physician may revoke consent provided under this section at any time and without penalty, except to the extent that action has been taken in reliance on that consent.
(k) As used in this section, “test” applies to both clinical laboratory tests and imaging scans, such as x-rays, magnetic resonance imaging, ultrasound, or other similar technologies.
(l) As used in this section, “internet posting” includes posting to an online patient portal.

SEC. 3.

 Section 130290 of the Health and Safety Code is amended to read:

130290.
 (a) (1)  On or before July 1, 2022, and subject to an appropriation in the annual Budget Act, the California Health and Human Services Agency, along with its departments and offices and in consultation with stakeholders and local partners, shall establish the California Health and Human Services Data Exchange Framework that shall include a single data sharing agreement and common set of policies and procedures that will leverage and advance national standards for information exchange and data content, and that will govern and require the exchange of health information among health care entities and government agencies in California.
(1) (2)  The California Health and Human Services Data Exchange Framework is not intended to be an information technology system or single repository of data, rather it is technology agnostic and is a collection of organizations that are required to share health information using national standards and a common set of policies in order to improve the health outcomes of the individuals they serve.
(2) (3)  The California Health and Human Services Data Exchange Framework will be designed to enable and require real-time access to, or exchange of, health information among health care providers and payers through any health information exchange network, health information organization, or technology that adheres to specified standards and policies.
(3) (4)  The California Health and Human Services Data Exchange Framework shall align with state and federal data requirements, including the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code), the information blocking provisions of the federal 21st Century Cures Act (Public Law 114-255),  and other applicable state and federal privacy laws related to the sharing of data among and between providers, payers, and the government, while also streamlining and reducing reporting burden.
(4) (5)  For the purposes of this section, “health information” means:
(A) For hospitals, clinics, and physician practices, at a minimum, the United States Core Data for Interoperability Version 1, until October 6, 2022. After that date, it shall include all electronic health information as defined under federal regulation in Section 171.102 of Title 45 of the Code of Federal Regulations and held by the entity.
(B) For health insurers and health care service plans, at a minimum, the data required to be shared under the federal  Centers for Medicare and Medicaid Services Interoperability and Patient Access regulations for public programs as contained in United States Department of Health and Human Services final rule CMS-9115-F, 85 FR 25510.
(6) For purposes of this section, “EHR vendor” means a company, other than a health care provider that self-develops health information technology for its own use, that sells electronic health records, as defined in Section 17921 of Title 42 of the United States Code.
(b) (1)   On or before January 31, 2024, and except as provided in paragraphs (2) and (3),  the entities listed in subdivision (f)  (f), except those identified in paragraph (2),  shall exchange health information or provide access to health information to and from every other entity in subdivision (f) in real time as specified by the California Health and Human Services Agency pursuant to the California Health and Human Services Data Exchange Framework data sharing agreement for treatment, payment, or health care operations.
(2) The requirement in paragraph (1) shall not apply to physician practices of fewer than 25 physicians, rehabilitation hospitals, long-term acute care hospitals, acute psychiatric hospitals, critical access hospitals, and rural general acute care hospitals with fewer than 100 acute care beds, state-run acute psychiatric hospitals, and any nonprofit clinic with fewer than 10 health care providers until January 31, 2026.
(3) The requirement in paragraph (1) shall not apply to the exchange of health information related to abortion and abortion-related services.
(c) (1)  The California Health and Human Services Agency shall convene a stakeholder advisory group no later than September 1, 2021, to advise on the development and implementation of the California Health and Human Services Data Exchange Framework.
(1) (2)  The members of the stakeholder advisory group shall be appointed by the Secretary of California Health and Human Services and shall not have a financial interest, individually or through a family member, related to issues the stakeholder advisory group will advise on.
(2) (3)  The stakeholder advisory group shall be composed of health care stakeholders and experts, including representatives of all the following:
(A) The State Department of Health Care Services.
(B) The State Department of Social Services.
(C) The Department of Managed Health Care.
(D) The Department of Health Care Access and Information.
(E) The State Department of Public Health.
(F) The Department of Insurance.
(G) The Public Employees’ Retirement System.
(H) The California Health Benefit Exchange.
(I) Health care service plans and health insurers.
(J) Physicians, including those with small practices.
(K) Hospitals, including public, private, rural, and critical access hospitals.
(L) Clinics, long-term care facilities, behavioral health facilities, or substance use disorder facilities.
(M) Consumers.
(N) Organized labor.
(O) Privacy and security professionals.
(P) Health information technology professionals.
(Q) Community health information organizations.
(R) County health, social services, and public health.
(S) Community-based organizations providing social services.
(3) (4)  The stakeholder advisory group shall provide information and advice to the California Health and Human Services Agency on health information technology issues, including all of the following:
(A) (i)  Identify which data beyond health information as defined in paragraph (4) (5)  of subdivision (a), at minimum, should be shared for specified purposes between the entities outlined in this subdivision and subdivision (f).
(ii) In discussing data elements that are required to be exchanged, the stakeholder advisory group shall consider data needed for administrative functions of a medical practice, including intake forms and questionnaires, patient scheduling, insurance card upload and verification, invoicing and payment data, and patient-to-provider messaging.
(B) Identify gaps, and propose solutions to gaps, in the life cycle of health information, including gaps in any of the following:
(i) Health information creation, including the use of national standards in clinical documentation, health plan records, and social services data.
(ii) Translation, mapping, controlled vocabularies, coding, and data classification.
(iii) Storage, maintenance, and management of health information.
(iv) Linking, sharing, exchanging, and providing access to health information.
(C) Identify ways to incorporate data related to social determinants of health, such as housing and food insecurity, into shared health information.
(D) Identify ways to incorporate data related to underserved or underrepresented populations, including, but not limited to, data regarding sexual orientation and gender identity and racial and ethnic minorities.
(E) Identify ways to incorporate relevant data on behavioral health and substance use disorder conditions.
(F) Address the privacy, security, and equity risks of expanding care coordination, health information exchange, access, and telehealth in a dynamic technological, and entrepreneurial environment, where data and network security are under constant threat of attack.
(G) Develop policies and procedures consistent with national standards and federally adopted standards in the exchange of health information and ensure that health information sharing broadly implements national frameworks and agreements consistent with federal rules and programs.
(H) Develop definitions of complete clinical, administrative, and claims data consistent with federal policies and national standards.
(I) Identify how all payers will be required to provide enrollees with electronic access to their health information, consistent with rules applicable to federal payer programs.
(J) Assess governance structures to help guide policy decisions and general oversight.
(K) Identify federal, state, private, or philanthropic sources of funding that could support data access and exchange.
(L) Consider whether standards for including EHR vendors in the California Health and Human Services Data Exchange Framework would be appropriate, and, if determined to be appropriate, develop those standards.
(4) (5)  The stakeholder advisory group shall hold public meetings with stakeholders, solicit input, and set its own meeting agendas. Meetings of the stakeholder advisory group are subject to the Bagley-Keene Open Meeting Act (Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of the Government Code).
(5) (6)  The members of the stakeholder advisory group shall serve without compensation, but shall be reimbursed for any actual and necessary expenses incurred in connection with their duties as members of the group.
(d) No later than April 1, 2022, the California Health and Human Services Agency shall submit an update, including written recommendations, to the Legislature based on input from the stakeholder advisory group on the issues identified in paragraph (3) (4)  of subdivision (c).
(e) On or before January 31, 2023, the California Health and Human Services Agency shall work with the California State Association of Counties to encourage the inclusion of county health, public health, and social services, to the extent possible, as part of the California Health and Human Services Data Exchange Framework in order to assist both public and private entities to connect through uniform standards and policies. It is the intent of the Legislature that all state and local public health agencies will exchange electronic health information in real time with participating health care entities to protect and improve the health and well-being of Californians.
(f) (1)  On or before January 31, 2023, and in alignment with existing federal standards and policies, the following health care organizations shall execute the California Health and Human Services Data Exchange Framework data sharing agreement pursuant to subdivision (a):
(1) (A)  General acute care hospitals, as defined by Section 1250.
(2) (B)  Physician organizations and medical groups.
(3) (C)  Skilled nursing facilities, as defined by Section 1250, that currently maintain electronic records.
(4) (D)  Health care service plans and disability insurers that provide hospital, medical, or surgical coverage that are regulated by the Department of Managed Health Care or the Department of Insurance. This section shall also apply to a Medi-Cal managed care plan under a comprehensive risk contract with the State Department of Health Care Services pursuant to Chapter 7 (commencing with Section 14000) or Chapter 8 (commencing with Section 14200) of Part 3 of Division 9 of the Welfare and Institutions Code that is not regulated by the Department of Managed Health Care or the Department of Insurance.
(5) (E)  Clinical laboratories, as that term is used in Section 1265 of the Business and Professions Code, and that are regulated by the State Department of Public Health.
(6) (F)  Acute psychiatric hospitals, as defined by Section 1250.
(2) If the stakeholder advisory group develops standards for including EHR vendors in the California Health and Human Services Data Exchange Framework, EHR vendors shall execute the California Health and Human Services Data Exchange Framework data sharing agreement no later than 12 months after the completion of the standards, and in alignment with existing federal standards and policies pursuant to subdivision (a).
(g) The California Health and Human Services Agency shall work with experienced nonprofit organizations and entities represented in the stakeholder advisory group in subdivision (c) to provide technical assistance to the entities outlined in subdivisions (e) and (f).
(h) On or before July 31, 2022, the California Health and Human Services Agency shall develop in consultation with the stakeholder advisory group in subdivision (c) a strategy for unique, secure digital identities capable of supporting master patient indices to be implemented by both private and public organizations in California.
(i) For purposes of implementing this section, including, but not limited to, hiring staff and consultants, facilitating and conducting meetings, conducting research and analysis, and developing the required reports, the California Health and Human Services Agency may enter into exclusive or nonexclusive contracts on a bid or negotiated basis. Contracts entered into or amended pursuant to this section shall be exempt from Chapter 6 (commencing with Section 14825) of Part 5.5 of Division 3 of Title 2 of the Government Code, Section 19130 of the Government Code, and Part 2 (commencing with Section 10100) of Division 2 of the Public Contract Code, and shall be exempt from the review or approval of any division of the Department of General Services. No person hired or otherwise retained pursuant to this subdivision shall be permitted to have any financial interest in the California Health and Human Services Data Exchange Framework or shall be, or be affiliated with, any health care organization required to participate in the California Health and Human Services Data Exchange Framework pursuant to subdivisions (b) and (f). The term “person,” as used in this subdivision, means any individual, partnership, joint venture, association, corporation, or any other organization or any combination thereof.
(j) (1) Any fees charged by an EHR vendor to enable compliance with the California Health and Human Services Data Exchange Framework shall be reasonable, consistent with Sections 171.302(a) and 171.303 of Title 45 of the Code of Federal Regulations.
(2) Reasonable fees shall be sufficient to include the cost of enabling the collection and sharing of all data required to be exchanged under this section, as specified in the California Health and Human Services Data Sharing Agreement.
(k) As part of any other oversight activities authorized and developed with respect to this section, the California Health and Human Services Agency, in consultation with the stakeholder advisory group or subsequent governing board, may establish administrative oversight and enforcement authority to monitor fees charged by EHR vendors to entities described in paragraph (2) of subdivision (b) for compliance with the federal standards required under subdivision (j). The oversight and enforcement authority may include the imposition of fines and penalties against an EHR vendor that is found not in compliance with the federal standards required under subdivision (j).
(j) (l)  All actions to implement the California Health and Human Services Data Exchange Framework, including the adoption or development of any data sharing agreement, requirements, policies and procedures, guidelines, subgrantee contract provisions, or reporting requirements, shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). The California Health and Human Services Agency, or a designee department or office under its jurisdiction, shall release program notices that detail the requirements of the California Health and Human Services Data Exchange Framework.

SEC. 3.5.

 Section 130290 of the Health and Safety Code is amended to read:

130290.
 (a) (1)  On or before July 1, 2022, and subject to an appropriation in the annual Budget Act, the California Health and Human Services Agency, along with its departments and offices and in consultation with stakeholders and local partners, shall establish the California Health and Human Services Data Exchange Framework that shall include a single data sharing agreement and common set of policies and procedures that will leverage and advance national standards for information exchange and data content, and that will govern and require the exchange of health information among health care entities and government agencies in California.
(1) (2)  The California Health and Human Services Data Exchange Framework is not intended to be an information technology system or single repository of data, rather it is technology agnostic and is a collection of organizations that are required to share health information using national standards and a common set of policies in order to improve the health outcomes of the individuals they serve.
(2) (3)  The California Health and Human Services Data Exchange Framework will be designed to enable and require real-time access to, or exchange of, health information among health care providers and payers through any health information exchange network, health information organization, or technology that adheres to specified standards and policies.
(3) (4)  The California Health and Human Services Data Exchange Framework shall align with state and federal data requirements, including the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code), the information blocking provisions of the federal 21st Century Cures Act (Public Law 114-255),  and other applicable state and federal privacy laws related to the sharing of data among and between providers, payers, and the government, while also streamlining and reducing reporting burden.
(4) (5)  For the purposes of this section, “health information” means:
(A) For hospitals, clinics, and physician practices, at a minimum, the United States Core Data for Interoperability Version 1, until October 6, 2022. After that date, it shall include all electronic health information as defined under federal regulation in Section 171.102 of Title 45 of the Code of Federal Regulations and held by the entity.
(B) For health insurers and health care service plans, at a minimum, the data required to be shared under the federal Centers for Medicare and Medicaid Services Interoperability and Patient Access regulations for public programs as contained in United States Department of Health and Human Services final rule CMS-9115-F, 85 FR 25510.
(6) For purposes of this section, “EHR vendor” means a company, other than a health care provider that self-develops health information technology for its own use, that sells electronic health records, as defined in Section 17921 of Title 42 of the United States Code.
(b) (1) On or before January 31, 2024, and except as provided in paragraphs (2) and (3), the entities listed in subdivision (f) shall exchange health information or provide access to health information to and from every other entity in subdivision (f) in real time as specified by the California Health and Human Services Agency pursuant to the California Health and Human Services Data Exchange Framework data sharing agreement for treatment, payment, or health care operations.
(2) The requirement in paragraph (1) shall not apply to physician practices of fewer than 25 physicians, rehabilitation hospitals, long-term acute care hospitals, acute psychiatric hospitals, critical access hospitals, and rural general acute care hospitals with fewer than 100 acute care beds, state-run acute psychiatric hospitals, and any nonprofit clinic with fewer than 10 health care providers until January 31, 2026.
(3) The requirement in paragraph (1) shall not apply to the exchange of health information related to abortion and abortion-related services.
(c) (1)  The California Health and Human Services Agency shall convene a stakeholder advisory group no later than September 1, 2021, to advise on the development and implementation of the California Health and Human Services Data Exchange Framework.
(1) (2)  The members of the stakeholder advisory group shall be appointed by the Secretary of California Health and Human Services and shall not have a financial interest, individually or through a family member, related to issues the stakeholder advisory group will advise on.
(2) (3)  The stakeholder advisory group shall be composed of health care stakeholders and experts, including representatives of all the following:
(A) The State Department of Health Care Services.
(B) The State Department of Social Services.
(C) The Department of Managed Health Care.
(D) The Department of Health Care Access and Information.
(E) The State Department of Public Health.
(F) The Department of Insurance.
(G) The Public Employees’ Retirement System.
(H) The California Health Benefit Exchange.
(I) Health care service plans and health insurers.
(J) Physicians, including those with small practices.
(K) Hospitals, including public, private, rural, and critical access hospitals.
(L) Clinics, long-term care facilities, behavioral health facilities, or substance use disorder facilities.
(M) Consumers.
(N) Organized labor.
(O) Privacy and security professionals.
(P) Health information technology professionals.
(Q) Community health information organizations.
(R) County health, social services, and public health.
(S) Community-based organizations providing social services.
(3) (4)  The stakeholder advisory group shall provide information and advice to the California Health and Human Services Agency on health information technology issues, including all of the following:
(A) (i)  Identify which data beyond health information as defined in paragraph (4) of subdivision (a), at minimum, should be shared for specified purposes between the entities outlined in this subdivision and subdivision (f).
(ii) In discussing data elements that are required to be exchanged, the stakeholder advisory group shall consider data needed for administrative functions of a medical practice, including intake forms and questionnaires, patient scheduling, insurance card upload and verification, invoicing and payment data, and patient-to-provider messaging.
(B) Identify gaps, and propose solutions to gaps, in the life cycle of health information, including gaps in any of the following:
(i) Health information creation, including the use of national standards in clinical documentation, health plan records, and social services data.
(ii) Translation, mapping, controlled vocabularies, coding, and data classification.
(iii) Storage, maintenance, and management of health information.
(iv) Linking, sharing, exchanging, and providing access to health information.
(C) Identify ways to incorporate data related to social determinants of health, such as housing and food insecurity, into shared health information.
(D) Identify ways to incorporate data related to underserved or underrepresented populations, including, but not limited to, data regarding sexual orientation and gender identity and racial and ethnic minorities.
(E) Identify ways to incorporate relevant data on behavioral health and substance use disorder conditions.
(F) Address the privacy, security, and equity risks of expanding care coordination, health information exchange, access, and telehealth in a dynamic technological, and entrepreneurial environment, where data and network security are under constant threat of attack.
(G) Develop policies and procedures consistent with national standards and federally adopted standards in the exchange of health information and ensure that health information sharing broadly implements national frameworks and agreements consistent with federal rules and programs.
(H) Develop definitions of complete clinical, administrative, and claims data consistent with federal policies and national standards.
(I) Identify how all payers will be required to provide enrollees with electronic access to their health information, consistent with rules applicable to federal payer programs.
(J) Assess governance structures to help guide policy decisions and general oversight.
(K) Identify federal, state, private, or philanthropic sources of funding that could support data access and exchange.
(L) Consider whether standards for including EHR vendors in the California Health and Human Services Data Exchange Framework would be appropriate, and, if determined to be appropriate, develop those standards.
(4) (5)  The stakeholder advisory group shall hold public meetings with stakeholders, solicit input, and set its own meeting agendas. Meetings of the stakeholder advisory group are subject to the Bagley-Keene Open Meeting Act (Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of the Government Code).
(5) (6)  The members of the stakeholder advisory group shall serve without compensation, but shall be reimbursed for any actual and necessary expenses incurred in connection with their duties as members of the group.
(d) No later than April 1, 2022, the California Health and Human Services Agency shall submit an update, including written recommendations, to the Legislature based on input from the stakeholder advisory group on the issues identified in paragraph (3) (4)  of subdivision (c).
(e) On or before January 31, 2023, the California Health and Human Services Agency shall work with the California State Association of Counties to encourage the inclusion of county health, public health, and social services, to the extent possible, as part of the California Health and Human Services Data Exchange Framework in order to assist both public and private entities to connect through uniform standards and policies. It is the intent of the Legislature that all state and local public health agencies will exchange electronic health information in real time with participating health care entities to protect and improve the health and well-being of Californians.
(f) (1)  On or before January 31, 2023, and in alignment with existing federal standards and policies, the following health care organizations shall execute the California Health and Human Services Data Exchange Framework data sharing agreement pursuant to subdivision (a):
(1) (A)  General acute care hospitals, as defined by Section 1250.
(2) (B)  Physician organizations and medical groups.
(3) (C)  Skilled nursing facilities, as defined by Section 1250, that currently maintain electronic records.
(4) (D)  Health care service plans and disability insurers that provide hospital, medical, or surgical coverage that are regulated by the Department of Managed Health Care or the Department of Insurance. This section shall also apply to a Medi-Cal managed care plan under a comprehensive risk contract with the State Department of Health Care Services pursuant to Chapter 7 (commencing with Section 14000) or Chapter 8 (commencing with Section 14200) of Part 3 of Division 9 of the Welfare and Institutions Code that is not regulated by the Department of Managed Health Care or the Department of Insurance.
(5) (E)  Clinical laboratories, as that term is used in Section 1265 of the Business and Professions Code, and that are regulated by the State Department of Public Health.
(6) (F)  Acute psychiatric hospitals, as defined by Section 1250.
(2) If the stakeholder advisory group develops standards for including EHR vendors in the California Health and Human Services Data Exchange Framework, EHR vendors shall execute the California Health and Human Services Data Exchange Framework data sharing agreement no later than 12 months after the completion of the standards, and in alignment with existing federal standards and policies pursuant to subdivision (a).
(g) The California Health and Human Services Agency shall work with experienced nonprofit organizations and entities represented in the stakeholder advisory group in subdivision (c) to provide technical assistance to the entities outlined in subdivisions (e) and (f).
(h) On or before July 31, 2022, the California Health and Human Services Agency shall develop in consultation with the stakeholder advisory group in subdivision (c) a strategy for unique, secure digital identities capable of supporting master patient indices to be implemented by both private and public organizations in California.
(i) For purposes of implementing this section, including, but not limited to, hiring staff and consultants, facilitating and conducting meetings, conducting research and analysis, and developing the required reports, the California Health and Human Services Agency may enter into exclusive or nonexclusive contracts on a bid or negotiated basis. Contracts entered into or amended pursuant to this section shall be exempt from Chapter 6 (commencing with Section 14825) of Part 5.5 of Division 3 of Title 2 of the Government Code, Section 19130 of the Government Code, and Part 2 (commencing with Section 10100) of Division 2 of the Public Contract Code, and shall be exempt from the review or approval of any division of the Department of General Services. No person hired or otherwise retained pursuant to this subdivision shall be permitted to have any financial interest in the California Health and Human Services Data Exchange Framework or shall be, or be affiliated with, any health care organization required to participate in the California Health and Human Services Data Exchange Framework pursuant to subdivisions (b) and (f). The term “person,” as used in this subdivision, means any individual, partnership, joint venture, association, corporation, or any other organization or any combination thereof.
(j) (1) Any fees charged by an EHR vendor to enable compliance with the California Health and Human Services Data Exchange Framework shall be reasonable, consistent with Sections 171.302(a) and 171.303 of Title 45 of the Code of Federal Regulations.
(2) Reasonable fees shall be sufficient to include the cost of enabling the collection and sharing of all data required to be exchanged under this section, as specified in the California Health and Human Services Data Sharing Agreement.
(k) As part of any other oversight activities authorized and developed with respect to this section, the California Health and Human Services Agency, in consultation with the stakeholder advisory group or subsequent governing board, may establish administrative oversight and enforcement authority to monitor fees charged by EHR vendors to entities described in paragraph (2) of subdivision (b) for compliance with the federal standards required under subdivision (j). The oversight and enforcement authority may include the imposition of fines and penalties against an EHR vendor that is found not in compliance with the federal standards required under subdivision (j).
(j) (l)  All actions to implement the California Health and Human Services Data Exchange Framework, including the adoption or development of any data sharing agreement, requirements, policies and procedures, guidelines, subgrantee contract provisions, or reporting requirements, shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). The California Health and Human Services Agency, or a designee department or office under its jurisdiction, shall release program notices that detail the requirements of the California Health and Human Services Data Exchange Framework.

SEC. 4.

 Section 10133.12 of the Insurance Code is amended to read:

10133.12.
 (a) Commencing January 1, 2024, to facilitate patient and provider access to health information, a health insurer shall establish and maintain the following application programming interfaces (API) for the benefit of all insureds and contracted providers, as applicable:
(1) Patient access API, as described in Section 422.119 (a) to (e), inclusive, of Title 42 of the Code of Federal Regulations.
(2) Provider directory API, as described in Section 422.120 of the Code of Federal Regulations.
(3) Payer-to-payer exchange API, as described in Section 422.119(f) of the Code of Federal Regulations.
(b) (a)  In addition to the API described in subdivision (a), the department may The department shall  require a health insurer to establish and maintain the following API  application programming interfaces (API)  if and when final rules are published by the federal government:
(1) Patient access API.
(2) Payer-to-payer exchange API.
(1) (3)  Provider access API.
(2) (4)  Prior authorization support API.
(c) (b)  API described in subdivision (b) (a)  shall be in accordance with standards published in a final rule issued by the federal Centers for Medicare and Medicaid Services and published in the Federal Register, and shall align with federal effective dates, including enforcement delays and suspensions, issued by the federal Centers for Medicare and Medicaid Services.
(d) (c)  This section does not limit existing requirements under this chapter, including, but not limited to, Section 10133.15.
(d) Dental or vision benefits offered by a health insurer or specialized health insurer are excluded from the requirements of this section.
SEC. 5.
 Section 3.5 of this bill incorporates amendments to Section 130290 of the Health and Safety Code proposed by both this bill and Assembly Bill 352. That section shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2024, (2) each bill amends Section 130290 of the Health and Safety Code, and (3) this bill is enacted after Assembly Bill 352, in which case Section 3 of this bill shall not become operative.
SEC. 6.
 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.