Bill Text

Bill Information


Bill PDF |Add To My Favorites |Track Bill | print page

AB-352 Health information.(2023-2024)

SHARE THIS: share this bill in Facebook share this bill in Twitter
Date Published: 09/28/2023 10:00 AM
AB352:v94#DOCUMENT

Assembly Bill No. 352
CHAPTER 255

An act to amend Sections 56.101 and 56.108 of, and to add Section 56.110 to, the Civil Code, and to amend Section 130290 of the Health and Safety Code, relating to health information.

[ Approved by Governor  September 27, 2023. Filed with Secretary of State  September 27, 2023. ]

LEGISLATIVE COUNSEL'S DIGEST


AB 352, Bauer-Kahan. Health information.
Existing law, the Reproductive Privacy Act, provides that every individual possesses a fundamental right of privacy with respect to their personal reproductive decisions. Existing law prohibits the state from denying or interfering with a person’s right to choose or obtain an abortion prior to viability of the fetus, or when the abortion is necessary to protect the life or health of the person.
Existing law, the Confidentiality of Medical Information Act (CMIA), generally prohibits a provider of health care, a health care service plan, or a contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, unless a specified exception applies. The CMIA requires every provider of health care, health care service plan, pharmaceutical company, or contractor who, among other things, maintains or stores medical information to do so in a manner that preserves the confidentiality of the information contained therein. The CMIA also prohibits a provider of health care, a health care service plan, a contractor, or an employer from releasing medical information that would identify an individual or related to an individual seeking or obtaining an abortion in response to a subpoena or a request or to law enforcement if that subpoena, request, or the purpose of law enforcement for the medical information is based on, or for the purpose of enforcement of, either another state’s laws that interfere with a person’s rights to choose or obtain an abortion or a foreign penal civil action. Existing law makes a violation of the CMIA that results in economic loss or personal injury to a patient punishable as a misdemeanor.
This bill would require specified businesses that electronically store or maintain medical information on the provision of sensitive services on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer to develop capabilities, policies, and procedures, on or before July 1, 2024, to enable certain security features, including limiting user access privileges and segregating medical information related to gender affirming care, abortion and abortion-related services, and contraception, as specified. The bill would additionally prohibit a provider of health care, health care service plan, contractor, or employer from cooperating with any inquiry or investigation by, or from providing medical information to, an individual, agency, or department from another state or, to the extent permitted by federal law, to a federal law enforcement agency that would identify an individual or that is related to an individual seeking or obtaining an abortion or abortion-related services that are lawful under the laws of this state, unless the request for medical information is authorized in accordance with specified existing provisions of law. The bill would exempt a provider of health care from liability for damages or from civil or enforcement actions relating to cooperating with, or providing medical information to, another state or a federal law enforcement agency before January 31, 2026, if the provider of health care is working diligently and in good faith to comply with the prohibition. Because the bill would expand the scope of an existing crime, it would impose a state-mandated local program.
Existing law requires the California Health and Human Services Agency, in consultation with stakeholders and local partners, to establish the California Health and Human Services Data Exchange Framework that includes a single data sharing agreement and common set of policies and procedures that govern and require the exchange of health information among health care entities and government agencies in California. Existing law requires, on or before January 31, 2024, that specified entities, including general acute care hospitals and skilled nursing facilities, exchange health information, as defined, in real time.
This bill would exclude the exchange of health information related to abortion and abortion-related services from automatically being shared on the California Health and Human Services Data Exchange Framework.
This bill would incorporate additional changes to Section 130290 of the Health and Safety Code proposed by SB 582 to be operative only if this bill and SB 582 are enacted and this bill is enacted last.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES  

The people of the State of California do enact as follows:


SECTION 1.

 Section 56.101 of the Civil Code is amended to read:

56.101.
 (a) Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.
(b) (1) An electronic health record system or electronic medical record system shall do all of the following:
(A) Protect and preserve the integrity of electronic medical information.
(B) Automatically record and preserve any change or deletion of any electronically stored medical information. The record of any change or deletion shall include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information.
(2) A patient’s right to access or receive a copy of the patient’s electronic medical records upon request shall be consistent with applicable state and federal laws governing patient access to, and the use and disclosures of, medical information.
(c) (1) A business, as described in Section 56.06, that electronically stores or maintains medical information on the provision of sensitive services, including, but not limited to, on an electronic health record system or electronic medical record system, on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer, shall develop capabilities, policies, and procedures, on or before July 1, 2024, to enable all of the following:
(A) Limit user access privileges to information systems that contain medical information related to gender affirming care, abortion and abortion-related services, and contraception only to those persons who are authorized to access specified medical information.
(B) Prevent the disclosure, access, transfer, transmission, or processing of medical information related to gender affirming care, abortion and abortion-related services, and contraception to persons and entities outside of this state in accordance to this part.
(C) Segregate medical information related to gender affirming care, abortion and abortion-related services, and contraception from the rest of the patient’s record.
(D) Provide the ability to automatically disable access to segregated medical information related to gender affirming care, abortion and abortion-related services, and contraception by individuals and entities in another state.
(2) Any fees charged to providers of health care, health care service plans, pharmaceutical company, contractors, employers, or patients to comply with this subdivision shall be consistent with Section 171.302 of Title 45 of the Code of Federal Regulations.
(3) For the purposes of this subdivision, “gender affirming care” means gender affirming health care and gender affirming mental health care as defined in subdivision (b) of Section 16010.2 of the Welfare and Institutions Code.
(4) This subdivision does not apply to a provider of health care, as defined in Section 56.05.
(d) This section shall apply to an “electronic medical record” or “electronic health record” that meets the definition of “electronic health record,” as that term is defined in Section 17921(5) of Title 42 of the United States Code.

SEC. 2.

 Section 56.108 of the Civil Code is amended to read:

56.108.
 (a) Notwithstanding subdivisions (b) and (c) of Section 56.10 or subdivision (c) of Section 56.20, a provider of health care, health care service plan, contractor, or employer shall not release medical information related to an individual seeking or obtaining an abortion in response to a subpoena or request if that subpoena or request is based on either another state’s laws that interfere with a person’s rights under the Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code) or a foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.
(b) A provider of health care, health care service plan, contractor, or employer shall not release medical information that would identify an individual or that is related to an individual seeking or obtaining an abortion to law enforcement for either of the following purposes, unless that release is pursuant to a subpoena not otherwise prohibited by subdivision (a):
(1) Enforcement of another state’s law that would interfere with a person’s rights under the Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).
(2) Enforcement of a foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.
(c) Notwithstanding subdivisions (b) and (c) of Section 56.10 or subdivision (c) of Section 56.20, a provider of health care, health care service plan, contractor, or employer shall not cooperate with any inquiry or investigation by, or provide medical information to, any individual, agency, or department from another state or, to the extent permitted by federal law, to a federal law enforcement agency that would identify an individual and that is related to an individual seeking or obtaining an abortion or abortion-related services that are lawful under the laws of this state, unless the request for medical information is authorized under Section 56.110.
(d) This section does not prohibit compliance with the investigation of activity that is punishable as a crime under the laws of this state.

SEC. 3.

 Section 56.110 is added to the Civil Code, to read:

56.110.
 (a) Notwithstanding subdivision (c) of Section 56.10, a provider of health care, health care service plan, pharmaceutical company, contractor, or employer shall not knowingly disclose, transmit, transfer, share, or grant access to medical information in an electronic health records system or through a health information exchange that would identify an individual and that is related to an individual seeking, obtaining, providing, supporting, or aiding in the performance of an abortion that is lawful under the laws of this state to any individual or entity from another state, unless the disclosure, transmittal, transfer, sharing, or granting of access is authorized under any of the following conditions:
(1) In accordance with a valid, written authorization pursuant to Section 56.11 that clearly states that medical information on abortion or abortion-related services may be disclosed, and only to the extent and for the purposes expressly stated in the authorization.
(2) In accordance with paragraphs (2) and (3) of subdivision (c) of Section 56.10, to the extent necessary to allow responsibility for payment to be determined and payment to be made or to the extent that it is not further disclosed by the recipient in a way that would violate this part.
(3) In accordance with paragraphs (4) and (5) of subdivision (c) of Section 56.10 for the purpose of accreditation, in reviewing the competence or qualifications of health care professionals, or in reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges.
(4) In accordance with paragraph (7) of subdivision (c) of Section 56.10, for the purpose of bona fide research. Institutional Review Boards shall consider the potential harm to the patient and the patient’s privacy when the research uses data that contains information related to abortion or abortion-related services and the research is performed out of state.
(b) Notwithstanding subdivision (a), the content of the health records containing medical information described in subdivision (a) shall be disclosed to any of the following:
(1) A patient, or their personal representative, consistent with the Patient Access to Health Records Act (Chapter 1 (commencing with Section 123100) of Part 1 of Division 106 of the Health and Safety Code).
(2) In response to an order of a California or federal court, but only to the extent clearly stated in the order and consistent with Section 1543 of the Penal Code, if applicable, and only if all information about the patient’s identity and records are protected from public scrutiny through mechanisms, including, but not limited to, a sealed proceeding or court record.
(3) When expressly required by federal law that preempts California law, but only to the extent expressly required.
(c) Nothing in this section shall prohibit a provider of health care, health care service plan, pharmaceutical company, contractor, or employer from cooperating or complying with the investigation of activity that is punishable as a crime under the laws of California, and that took place in California.
(d) A provider of health care, as defined in Section 56.05, shall not be subject to liability for damages or to civil or enforcement actions, including disciplinary actions, fines, or penalties, for failure to meet the requirements of this section before January 31, 2026, if the provider of health care is working diligently and in good faith to come into compliance with this section.

SEC. 4.

 Section 130290 of the Health and Safety Code is amended to read:

130290.
 (a) On or before July 1, 2022, and subject to an appropriation in the annual Budget Act, the California Health and Human Services Agency, along with its departments and offices and in consultation with stakeholders and local partners, shall establish the California Health and Human Services Data Exchange Framework that shall include a single data sharing agreement and common set of policies and procedures that will leverage and advance national standards for information exchange and data content, and that will govern and require the exchange of health information among health care entities and government agencies in California.
(1) The California Health and Human Services Data Exchange Framework is not intended to be an information technology system or single repository of data, rather it is technology agnostic and is a collection of organizations that are required to share health information using national standards and a common set of policies in order to improve the health outcomes of the individuals they serve.
(2) The California Health and Human Services Data Exchange Framework will be designed to enable and require real-time access to, or exchange of, health information among health care providers and payers through any health information exchange network, health information organization, or technology that adheres to specified standards and policies.
(3) The California Health and Human Services Data Exchange Framework shall align with state and federal data requirements, including the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code), and other applicable state and federal privacy laws related to the sharing of data among and between providers, payers, and the government, while also streamlining and reducing reporting burden.
(4) For the purposes of this section, “health information” means:
(A) For hospitals, clinics, and physician practices, at a minimum, the United States Core Data for Interoperability Version 1, until October 6, 2022. After that date, it shall include all electronic health information as defined under federal regulation in Section 171.102 of Title 45 of the Code of Federal Regulations and held by the entity.
(B) For health insurers and health care service plans, at a minimum, the data required to be shared under the federal Centers for Medicare and Medicaid Services Interoperability and Patient Access regulations for public programs as contained in United States Department of Health and Human Services final rule CMS-9115-F, 85 FR 25510.
(b) (1) On or before January 31, 2024, and except as provided in paragraphs (2) and (3), the entities listed in subdivision (f) shall exchange health information or provide access to health information to and from every other entity in subdivision (f) in real time as specified by the California Health and Human Services Agency pursuant to the California Health and Human Services Data Exchange Framework data sharing agreement for treatment, payment, or health care operations.
(2) The requirement in paragraph (1) shall not apply to physician practices of fewer than 25 physicians, rehabilitation hospitals, long-term acute care hospitals, acute psychiatric hospitals, critical access hospitals, and rural general acute care hospitals with fewer than 100 acute care beds, state-run acute psychiatric hospitals, and any nonprofit clinic with fewer than 10 health care providers until January 31, 2026.
(3) The requirement in paragraph (1) shall not apply to the exchange of health information related to abortion and abortion-related services.
(c) The California Health and Human Services Agency shall convene a stakeholder advisory group no later than September 1, 2021, to advise on the development and implementation of the California Health and Human Services Data Exchange Framework.
(1) The members of the stakeholder advisory group shall be appointed by the Secretary of California Health and Human Services and shall not have a financial interest, individually or through a family member, related to issues the stakeholder advisory group will advise on.
(2) The stakeholder advisory group shall be composed of health care stakeholders and experts, including representatives of all the following:
(A) The State Department of Health Care Services.
(B) The State Department of Social Services.
(C) The Department of Managed Health Care.
(D) The Department of Health Care Access and Information.
(E) The State Department of Public Health.
(F) The Department of Insurance.
(G) The Public Employees’ Retirement System.
(H) The California Health Benefit Exchange.
(I) Health care service plans and health insurers.
(J) Physicians, including those with small practices.
(K) Hospitals, including public, private, rural, and critical access hospitals.
(L) Clinics, long-term care facilities, behavioral health facilities, or substance use disorder facilities.
(M) Consumers.
(N) Organized labor.
(O) Privacy and security professionals.
(P) Health information technology professionals.
(Q) Community health information organizations.
(R) County health, social services, and public health.
(S) Community-based organizations providing social services.
(3) The stakeholder advisory group shall provide information and advice to the California Health and Human Services Agency on health information technology issues, including all of the following:
(A) Identify which data beyond health information as defined in paragraph (4) of subdivision (a), at minimum, should be shared for specified purposes between the entities outlined in this subdivision and subdivision (f).
(B) Identify gaps, and propose solutions to gaps, in the life cycle of health information, including gaps in any of the following:
(i) Health information creation, including the use of national standards in clinical documentation, health plan records, and social services data.
(ii) Translation, mapping, controlled vocabularies, coding, and data classification.
(iii) Storage, maintenance, and management of health information.
(iv) Linking, sharing, exchanging, and providing access to health information.
(C) Identify ways to incorporate data related to social determinants of health, such as housing and food insecurity, into shared health information.
(D) Identify ways to incorporate data related to underserved or underrepresented populations, including, but not limited to, data regarding sexual orientation and gender identity and racial and ethnic minorities.
(E) Identify ways to incorporate relevant data on behavioral health and substance use disorder conditions.
(F) Address the privacy, security, and equity risks of expanding care coordination, health information exchange, access, and telehealth in a dynamic technological, and entrepreneurial environment, where data and network security are under constant threat of attack.
(G) Develop policies and procedures consistent with national standards and federally adopted standards in the exchange of health information and ensure that health information sharing broadly implements national frameworks and agreements consistent with federal rules and programs.
(H) Develop definitions of complete clinical, administrative, and claims data consistent with federal policies and national standards.
(I) Identify how all payers will be required to provide enrollees with electronic access to their health information, consistent with rules applicable to federal payer programs.
(J) Assess governance structures to help guide policy decisions and general oversight.
(K) Identify federal, state, private, or philanthropic sources of funding that could support data access and exchange.
(4) The stakeholder advisory group shall hold public meetings with stakeholders, solicit input, and set its own meeting agendas. Meetings of the stakeholder advisory group are subject to the Bagley-Keene Open Meeting Act (Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of the Government Code).
(5) The members of the stakeholder advisory group shall serve without compensation, but shall be reimbursed for any actual and necessary expenses incurred in connection with their duties as members of the group.
(d) No later than April 1, 2022, the California Health and Human Services Agency shall submit an update, including written recommendations, to the Legislature based on input from the stakeholder advisory group on the issues identified in paragraph (3) of subdivision (c).
(e) On or before January 31, 2023, the California Health and Human Services Agency shall work with the California State Association of Counties to encourage the inclusion of county health, public health, and social services, to the extent possible, as part of the California Health and Human Services Data Exchange Framework in order to assist both public and private entities to connect through uniform standards and policies. It is the intent of the Legislature that all state and local public health agencies will exchange electronic health information in real time with participating health care entities to protect and improve the health and well-being of Californians.
(f) On or before January 31, 2023, and in alignment with existing federal standards and policies, the following health care organizations shall execute the California Health and Human Services Data Exchange Framework data sharing agreement pursuant to subdivision (a):
(1) General acute care hospitals, as defined by Section 1250.
(2) Physician organizations and medical groups.
(3) Skilled nursing facilities, as defined by Section 1250, that currently maintain electronic records.
(4) Health care service plans and disability insurers that provide hospital, medical, or surgical coverage that are regulated by the Department of Managed Health Care or the Department of Insurance. This section shall also apply to a Medi-Cal managed care plan under a comprehensive risk contract with the State Department of Health Care Services pursuant to Chapter 7 (commencing with Section 14000) or Chapter 8 (commencing with Section 14200) of Part 3 of Division 9 of the Welfare and Institutions Code that is not regulated by the Department of Managed Health Care or the Department of Insurance.
(5) Clinical laboratories, as that term is used in Section 1265 of the Business and Professions Code, and that are regulated by the State Department of Public Health.
(6) Acute psychiatric hospitals, as defined by Section 1250.
(g) The California Health and Human Services Agency shall work with experienced nonprofit organizations and entities represented in the stakeholder advisory group in subdivision (c) to provide technical assistance to the entities outlined in subdivisions (e) and (f).
(h) On or before July 31, 2022, the California Health and Human Services Agency shall develop in consultation with the stakeholder advisory group in subdivision (c) a strategy for unique, secure digital identities capable of supporting master patient indices to be implemented by both private and public organizations in California.
(i) For purposes of implementing this section, including, but not limited to, hiring staff and consultants, facilitating and conducting meetings, conducting research and analysis, and developing the required reports, the California Health and Human Services Agency may enter into exclusive or nonexclusive contracts on a bid or negotiated basis. Contracts entered into or amended pursuant to this section shall be exempt from Chapter 6 (commencing with Section 14825) of Part 5.5 of Division 3 of Title 2 of the Government Code, Section 19130 of the Government Code, and Part 2 (commencing with Section 10100) of Division 2 of the Public Contract Code, and shall be exempt from the review or approval of any division of the Department of General Services. No person hired or otherwise retained pursuant to this subdivision shall be permitted to have any financial interest in the California Health and Human Services Data Exchange Framework or shall be, or be affiliated with, any health care organization required to participate in the California Health and Human Services Data Exchange Framework pursuant to subdivisions (b) and (f). The term “person,” as used in this subdivision, means any individual, partnership, joint venture, association, corporation, or any other organization or any combination thereof.
(j) All actions to implement the California Health and Human Services Data Exchange Framework, including the adoption or development of any data sharing agreement, requirements, policies and procedures, guidelines, subgrantee contract provisions, or reporting requirements, shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). The California Health and Human Services Agency, or a designee department or office under its jurisdiction, shall release program notices that detail the requirements of the California Health and Human Services Data Exchange Framework.

SEC. 4.5.

 Section 130290 of the Health and Safety Code is amended to read:

130290.
 (a) (1) On or before July 1, 2022, and subject to an appropriation in the annual Budget Act, the California Health and Human Services Agency, along with its departments and offices and in consultation with stakeholders and local partners, shall establish the California Health and Human Services Data Exchange Framework that shall include a single data sharing agreement and common set of policies and procedures that will leverage and advance national standards for information exchange and data content, and that will govern and require the exchange of health information among health care entities and government agencies in California.
(2) The California Health and Human Services Data Exchange Framework is not intended to be an information technology system or single repository of data, rather it is technology agnostic and is a collection of organizations that are required to share health information using national standards and a common set of policies in order to improve the health outcomes of the individuals they serve.
(3) The California Health and Human Services Data Exchange Framework will be designed to enable and require real-time access to, or exchange of, health information among health care providers and payers through any health information exchange network, health information organization, or technology that adheres to specified standards and policies.
(4) The California Health and Human Services Data Exchange Framework shall align with state and federal data requirements, including the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code), the information blocking provisions of the federal 21st Century Cures Act (Public Law 114-255), and other applicable state and federal privacy laws related to the sharing of data among and between providers, payers, and the government, while also streamlining and reducing reporting burden.
(5) For the purposes of this section, “health information” means:
(A) For hospitals, clinics, and physician practices, at a minimum, the United States Core Data for Interoperability Version 1, until October 6, 2022. After that date, it shall include all electronic health information as defined under federal regulation in Section 171.102 of Title 45 of the Code of Federal Regulations and held by the entity.
(B) For health insurers and health care service plans, at a minimum, the data required to be shared under the federal Centers for Medicare and Medicaid Services Interoperability and Patient Access regulations for public programs as contained in United States Department of Health and Human Services final rule CMS-9115-F, 85 FR 25510.
(6) For purposes of this section, “EHR vendor” means a company, other than a health care provider that self-develops health information technology for its own use, that sells electronic health records, as defined in Section 17921 of Title 42 of the United States Code.
(b) (1) On or before January 31, 2024, and except as provided in paragraphs (2) and (3), the entities listed in subdivision (f) shall exchange health information or provide access to health information to and from every other entity in subdivision (f) in real time as specified by the California Health and Human Services Agency pursuant to the California Health and Human Services Data Exchange Framework data sharing agreement for treatment, payment, or health care operations.
(2) The requirement in paragraph (1) shall not apply to physician practices of fewer than 25 physicians, rehabilitation hospitals, long-term acute care hospitals, acute psychiatric hospitals, critical access hospitals, and rural general acute care hospitals with fewer than 100 acute care beds, state-run acute psychiatric hospitals, and any nonprofit clinic with fewer than 10 health care providers until January 31, 2026.
(3) The requirement in paragraph (1) shall not apply to the exchange of health information related to abortion and abortion-related services.
(c) (1) The California Health and Human Services Agency shall convene a stakeholder advisory group no later than September 1, 2021, to advise on the development and implementation of the California Health and Human Services Data Exchange Framework.
(2) The members of the stakeholder advisory group shall be appointed by the Secretary of California Health and Human Services and shall not have a financial interest, individually or through a family member, related to issues the stakeholder advisory group will advise on.
(3) The stakeholder advisory group shall be composed of health care stakeholders and experts, including representatives of all the following:
(A) The State Department of Health Care Services.
(B) The State Department of Social Services.
(C) The Department of Managed Health Care.
(D) The Department of Health Care Access and Information.
(E) The State Department of Public Health.
(F) The Department of Insurance.
(G) The Public Employees’ Retirement System.
(H) The California Health Benefit Exchange.
(I) Health care service plans and health insurers.
(J) Physicians, including those with small practices.
(K) Hospitals, including public, private, rural, and critical access hospitals.
(L) Clinics, long-term care facilities, behavioral health facilities, or substance use disorder facilities.
(M) Consumers.
(N) Organized labor.
(O) Privacy and security professionals.
(P) Health information technology professionals.
(Q) Community health information organizations.
(R) County health, social services, and public health.
(S) Community-based organizations providing social services.
(4) The stakeholder advisory group shall provide information and advice to the California Health and Human Services Agency on health information technology issues, including all of the following:
(A) (i) Identify which data beyond health information as defined in paragraph (5) of subdivision (a), at minimum, should be shared for specified purposes between the entities outlined in this subdivision and subdivision (f).
(ii) In discussing data elements that are required to be exchanged, the stakeholder advisory group shall consider data needed for administrative functions of a medical practice, including intake forms and questionnaires, patient scheduling, insurance card upload and verification, invoicing and payment data, and patient-to-provider messaging.
(B) Identify gaps, and propose solutions to gaps, in the life cycle of health information, including gaps in any of the following:
(i) Health information creation, including the use of national standards in clinical documentation, health plan records, and social services data.
(ii) Translation, mapping, controlled vocabularies, coding, and data classification.
(iii) Storage, maintenance, and management of health information.
(iv) Linking, sharing, exchanging, and providing access to health information.
(C) Identify ways to incorporate data related to social determinants of health, such as housing and food insecurity, into shared health information.
(D) Identify ways to incorporate data related to underserved or underrepresented populations, including, but not limited to, data regarding sexual orientation and gender identity and racial and ethnic minorities.
(E) Identify ways to incorporate relevant data on behavioral health and substance use disorder conditions.
(F) Address the privacy, security, and equity risks of expanding care coordination, health information exchange, access, and telehealth in a dynamic technological, and entrepreneurial environment, where data and network security are under constant threat of attack.
(G) Develop policies and procedures consistent with national standards and federally adopted standards in the exchange of health information and ensure that health information sharing broadly implements national frameworks and agreements consistent with federal rules and programs.
(H) Develop definitions of complete clinical, administrative, and claims data consistent with federal policies and national standards.
(I) Identify how all payers will be required to provide enrollees with electronic access to their health information, consistent with rules applicable to federal payer programs.
(J) Assess governance structures to help guide policy decisions and general oversight.
(K) Identify federal, state, private, or philanthropic sources of funding that could support data access and exchange.
(L) Consider whether standards for including EHR vendors in the California Health and Human Services Data Exchange Framework would be appropriate, and, if determined to be appropriate, develop those standards.
(5) The stakeholder advisory group shall hold public meetings with stakeholders, solicit input, and set its own meeting agendas. Meetings of the stakeholder advisory group are subject to the Bagley-Keene Open Meeting Act (Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of the Government Code).
(6) The members of the stakeholder advisory group shall serve without compensation, but shall be reimbursed for any actual and necessary expenses incurred in connection with their duties as members of the group.
(d) No later than April 1, 2022, the California Health and Human Services Agency shall submit an update, including written recommendations, to the Legislature based on input from the stakeholder advisory group on the issues identified in paragraph (4) of subdivision (c).
(e) On or before January 31, 2023, the California Health and Human Services Agency shall work with the California State Association of Counties to encourage the inclusion of county health, public health, and social services, to the extent possible, as part of the California Health and Human Services Data Exchange Framework in order to assist both public and private entities to connect through uniform standards and policies. It is the intent of the Legislature that all state and local public health agencies will exchange electronic health information in real time with participating health care entities to protect and improve the health and well-being of Californians.
(f) (1) On or before January 31, 2023, and in alignment with existing federal standards and policies, the following health care organizations shall execute the California Health and Human Services Data Exchange Framework data sharing agreement pursuant to subdivision (a):
(A) General acute care hospitals, as defined by Section 1250.
(B) Physician organizations and medical groups.
(C) Skilled nursing facilities, as defined by Section 1250, that currently maintain electronic records.
(D) Health care service plans and disability insurers that provide hospital, medical, or surgical coverage that are regulated by the Department of Managed Health Care or the Department of Insurance. This section shall also apply to a Medi-Cal managed care plan under a comprehensive risk contract with the State Department of Health Care Services pursuant to Chapter 7 (commencing with Section 14000) or Chapter 8 (commencing with Section 14200) of Part 3 of Division 9 of the Welfare and Institutions Code that is not regulated by the Department of Managed Health Care or the Department of Insurance.
(E) Clinical laboratories, as that term is used in Section 1265 of the Business and Professions Code, and that are regulated by the State Department of Public Health.
(F) Acute psychiatric hospitals, as defined by Section 1250.
(2) If the stakeholder advisory group develops standards for including EHR vendors in the California Health and Human Services Data Exchange Framework, EHR vendors shall execute the California Health and Human Services Data Exchange Framework data sharing agreement no later than 12 months after the completion of the standards, and in alignment with existing federal standards and policies pursuant to subdivision (a).
(g) The California Health and Human Services Agency shall work with experienced nonprofit organizations and entities represented in the stakeholder advisory group in subdivision (c) to provide technical assistance to the entities outlined in subdivisions (e) and (f).
(h) On or before July 31, 2022, the California Health and Human Services Agency shall develop in consultation with the stakeholder advisory group in subdivision (c) a strategy for unique, secure digital identities capable of supporting master patient indices to be implemented by both private and public organizations in California.
(i) For purposes of implementing this section, including, but not limited to, hiring staff and consultants, facilitating and conducting meetings, conducting research and analysis, and developing the required reports, the California Health and Human Services Agency may enter into exclusive or nonexclusive contracts on a bid or negotiated basis. Contracts entered into or amended pursuant to this section shall be exempt from Chapter 6 (commencing with Section 14825) of Part 5.5 of Division 3 of Title 2 of the Government Code, Section 19130 of the Government Code, and Part 2 (commencing with Section 10100) of Division 2 of the Public Contract Code, and shall be exempt from the review or approval of any division of the Department of General Services. No person hired or otherwise retained pursuant to this subdivision shall be permitted to have any financial interest in the California Health and Human Services Data Exchange Framework or shall be, or be affiliated with, any health care organization required to participate in the California Health and Human Services Data Exchange Framework pursuant to subdivisions (b) and (f). The term “person,” as used in this subdivision, means any individual, partnership, joint venture, association, corporation, or any other organization or any combination thereof.
(j) (1) Any fees charged by an EHR vendor to enable compliance with the California Health and Human Services Data Exchange Framework shall be reasonable, consistent with Sections 171.302(a) and 171.303 of Title 45 of the Code of Federal Regulations.
(2) Reasonable fees shall be sufficient to include the cost of enabling the collection and sharing of all data required to be exchanged under this section, as specified in the California Health and Human Services Data Sharing Agreement.
(k) As part of any other oversight activities authorized and developed with respect to this section, the California Health and Human Services Agency, in consultation with the stakeholder advisory group or subsequent governing board, may establish administrative oversight and enforcement authority to monitor fees charged by EHR vendors to entities described in paragraph (2) of subdivision (b) for compliance with the federal standards required under subdivision (j). The oversight and enforcement authority may include the imposition of fines and penalties against an EHR vendor that is found not in compliance with the federal standards required under subdivision (j).
(l) All actions to implement the California Health and Human Services Data Exchange Framework, including the adoption or development of any data sharing agreement, requirements, policies and procedures, guidelines, subgrantee contract provisions, or reporting requirements, shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code). The California Health and Human Services Agency, or a designee department or office under its jurisdiction, shall release program notices that detail the requirements of the California Health and Human Services Data Exchange Framework.

SEC. 5.

 Section 4.5 of this bill incorporates amendments to Section 130290 of the Health and Safety Code proposed by both this bill and Senate Bill 582. That section of this bill shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2024, (2) each bill amends Section 130290 of the Health and Safety Code, and (3) this bill is enacted after Senate Bill 582, in which case Section 4 of this bill shall not become operative.

SEC. 6.

 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.