Frequently Asked Questions (FAQ)

The CalHHS Health and Human Services Data Exchange Framework (DxF) comprises a single Data Sharing Agreement (DSA) and common set of Policies and Procedures (P&Ps) that will govern the exchange of health and social services information among health care entities and government agencies beginning January 31, 2024. Finalized on July 1, 2022, the DxF was developed with input from a broad set of stakeholders, including a Stakeholder Advisory Group as required by AB 133. The legislation mandates that a broad spectrum of health care organizations execute the Framework’s DSA by January 31, 2023, and exchange or provide access to health information with other mandated organizations by January 31, 2024. This FAQ provides up-to-date information about DxF implementation and may be updated from time to time.

More information is available on the DxF website. Please submit questions about the DxF to: dxf@chhs.ca.gov

Entities required to sign the DxF DSA are listed below, as defined in Health and Safety Code section 130290(f).

  1. General Acute Care Hospitals, as defined by Health and Safety Code Section 1250.
  2. Physician Organizations (e.g., Independent Practice Associations that exchange health information) and Medical Groups.
  3. Skilled Nursing Facilities, as defined in Health and Safety Code Section 1250.
  4. Health Plans
    1. Health Care Service Plans and Disability Insurers providing hospital, medical, or surgical coverage that are regulated by the California Department of Managed Healthcare or the California Department of Insurance.
    2. Medi-Cal Managed Care Plans that have signed a comprehensive risk contract with the Department of Healthcare Services pursuant to the MediCal Act1 or the Waxman-Duffy Prepaid Health Plan Act2 , and that are not regulated by the California Department of Managed Healthcare or the California Department of Insurance.
  5. Clinical Laboratories, as defined in Business and Professions Code Section 1265 and that are regulated by the California Department of Public Health.
  6. Acute Psychiatric Hospitals, as defined in Health and Safety Code Section 1250

1 Cal. Welfare and Institutions Code section 14000, et seq.

2 Cal. Welfare and Institutions Code section 14200, et seq.

Under AB 133, all mandatory signatories must sign the DSA by January 31, 2023. Some of these organizations, such as smaller physician practices and clinics, rehabilitation, long-term acute care, psychiatric, and critical access hospitals, and smaller rural acute care hospitals, will have until January 31, 2026 to fully implement the Data Exchange Framework even though they signed the agreement in January 2023.

After signing, DxF DSA signatories will be required to exchange health and social services information or provide access to health information to and from every other signatory in real time as specified in the DSA and its Policies and Procedures (P&Ps).

Most entities required to sign the DSA will be required to begin exchanging health and social services information on or before January 31, 2024.

Some organizations will have until January 31, 2026 to begin exchanging this information. These organizations are as follows: physician practices of fewer than 25 physicians, rehabilitation hospitals, long-term acute care hospitals, acute psychiatric hospitals, critical access hospitals, and rural general acute care hospitals with fewer than 100 acute care beds, state-run acute psychiatric hospitals, and any nonprofit clinic with fewer than 10 health care providers.

CalHHS is working with stakeholders to develop processes to support signatories in meeting DxF DSA requirements, including by establishing a program to qualify eligible health information organizations (HIOs) to facilitate data exchange between signatories. More information on the program will be available soon.

Participants must follow all applicable state and federal law when sharing Health and Social Services Information through the DSA. For example, if the information is covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Lanterman-Petris-Short Act (LPS), the Participant would need to meet an exception in both HIPAA and LPS in order to share the information. In addition, health information can generally DxF Frequently Asked Questions 4 Last Updated: February 28, 2025 be shared with a valid authorization for release of information from the patient/individual.

For more information on how to share some types of health information in California, please see CDII’s State Health Information Guidance (SHIG).

The Data Exchange Framework allows Participants to provide access to or exchange information including through any health information exchange network, health information organization, or technology that adheres to the DSA and Policies and Procedures found on our web site at Data Sharing Agreement and Policies & Procedures. The DxF is not intended to be an information technology system or single repository of data, rather it is a collection of organizations that are required to share health information using national standards and a common set of policies

The Data Exchange Framework requires that every Participant provide access to or exchange health and social services information with every other Participant consistent with the Permitted, Required and Prohibited Purposes Policy and Procedure. Note that Participants are not required to share health and social services information if sharing would violate federal or state law. For information on required Participants, see the required signatories FAQ. For technical requirements for data sharing, see the Data Elements to Be Exchanged P&P and the Technical Requirements for Exchange Policy and Procedure, currently in development.

  1. Review the Data Sharing Agreement (DSA) and its policies and procedures available on the CDII website so you are aware of your organization’s obligations once you sign the DSA. The DSA and its policies and procedures are final drafts that were developed alongside a wide variety of stakeholders and were previously available for public comment. Neither the DSA nor the policies and procedures are open for negotiation.
  2. Determine who at your organization is authorized to sign the DSA on behalf of the organization.
  3. Determine if there are subordinate entities or facilities for which the authorized person would like to sign.
    • What is a subordinate organization?
  4. Gather necessary information in order to register in the CalHHS Data Sharing Agreement Signing Portal and request a copy of the DSA to be signed.
    • What information will I need to register for the CalHHS Data Sharing Agreement Signing Portal?

 

For your organization, you will need:

  • legal name of the organization
  • mailing address

For the person signing the DSA, you will need:

  • name
  • title within the organization
  • phone number
  • email address

If your organization does not have subordinate entities or facilities, in addition to other information for your organization you will need:

  • type of organization, one of:
    • general acute care hospital
    • physician organization or medical group
    • health care service plan or disability insurer, including risk-based organizations, Medi-Cal managed care plan services, and other health care service plans or disability insurers
    • skilled nursing facility
    • clinical laboratory
    • acute psychiatric hospital
    • other, voluntary signatory

How do I know if what type of organization I am?

  • California license number for general acute care hospitals, health care service plans or disability insurers, skilled nursing facilities, clinical laboratories, or acute psychiatric hospitals.

How do I know which license number to use?

  • Employer Identification Number (EIN) for physician organizations, medical groups, or other, voluntary signatories.

If you don’t have an EIN, you can apply for an EIN online.

If your organization has subordinate entitles or facilities for which the individual would like to sign, you will need the following for each subordinate organization:

  • legal name
  • mailing address
  • type of subordinate entity or facility, as described above in the information you will need for your organization
  • California license number or EIN, as described above in the information you will need for your organization

What is a subordinate organization?

If your organization or one of your subordinate entities or facilities has multiple license numbers for multiple organization types (e.g., a licensed general acute care hospital with a licensed clinical laboratory), they should be listed separately as separate subordinate entities using the appropriate legal name, organization type, and license number or EIN.

For general acute care hospitals, skilled nursing facilities, or psychiatric hospitals, use the license number issued by the California Department of Public Health (CDPH).

For health care service plans or disability insurers, including Medi-Cal managed care plans, use the license number issued by the Department of Managed Health Care (DMHC) or the California Department of Insurance (CDI), or the risk-bearing organization (RBO) number.

For Medi-Cal managed care plans that are not licensed by the DMHC or the CDI, use the contract number issued by the Department of Health Care Services (DHCS).

For clinical laboratories, use the laboratory license number issued by the California Department of Public Health (CDPH). Do not the federally-issued Clinical Laboratory Improvement Amendments (CLIA) number.

Your health system, health plan, laboratory system, etc., may have multiple entities or facilities that are licensed separately by the State of California but belong to a single parent company. If you have identified an individual at your organization that is authorized to sign on behalf of more than one entity or facility, the authorized person to sign the DSA can list these organizations in the signing portal and on the DSA as “subordinate organizations”. This will allow the authorized person to sign one DSA on behalf of a number of organizations within one organization.

Subordinate organizations may be part of the same physical facility. For example, a general acute care hospital may have a licensed clinical laboratory within the hospital. In this case, if one person is authorized to sign on behalf of both the general acute care hospital and the clinical laboratory, the general acute care hospital and the clinical laboratory could both be listed as “subordinate organizations.”

Log onto the signing portal and add the additional subordinate entities or facilities to those already listed, if any, and save the new entries. Then press “Send DSA” to send a new copy of the DSA to the authorized signer. The new signature page will include the new subordinate organizations, along with the subordinate organizations listed previously. Sign and return the DSA.

The original signed DSA will be retained by the signing portal for your reference and by CDII. Your organization and any previous subordinate entities that were listed will keep the original execution date for the DSA (the date that your organization and all previously listed subordinate entities and facilities signed the DSA). The newly signed DSA establishes a new execution date for any newly listed subordinates that have signed.

You cannot remove a subordinate entity or facility using the signing portal once your organization has signed the DSA. Instead, you need to send a written request to CDII at CDII@chhs.ca.gov listing your organization, the name(s) and license numbers or EINs of the subordinates that you would like removed, and the reason for removal. Someone at CDII will contact you to work on your request.

For more information on who must sign the DSA, see Who is required to sign the Data Exchange Framework (DxF) Data Sharing Agreement (DSA) on or before January 31, 2023?

The Data Exchange Framework allows Participants to provide access to or exchange information through any health information exchange network, health information organization, or technology that adheres to the DSA and Policies and Procedures found on our web site. It is the responsibility of each Participant to ensure they meet requirements of the DSA and its Policies and Procedures. Several nationwide networks and frameworks may satisfy some or all of the requirements for of the DSA and Policies and Procedures.

California law directs the DxF to “enable and require real-time access to, or exchange of, health information among health care providers and payers through any health information exchange network, health information organization, or technology that adheres to specified standards and policies.” Technical standards in this Policy and Procedure are examples of specified standards that some Participants are required to use through the health information network, HIE, or technology they choose.

The Nationwide Networks and Frameworks noted in the Policy and Procedure all have established and documented security models that include bilateral authentication of individuals and/or systems as appropriate. The California Trusted Exchange Network (CTEN) that currently supports inter-HIO communications does as well. The DxF and this Policies and Procedures will leverage these existing capabilities

Many health care entities are required by law to sign the Data Sharing Agreement (DSA) by January 31, 2023, with most to begin exchanging data in accordance with the DSA’s policies and procedures (P&Ps) by January 31, 2024. Signing the DSA is the first step in a yearlong process to fully implement the DxF by January 31, 2024 for most entities. Some entities, including physician practices with fewer than 25 physicians, acute psychiatric hospitals, and rural general acute care hospitals, will have until January 31, 2026 to fully implement the DxF. In 2024, entities that have signed the DSA can comply with the P&Ps either by joining and utilizing an intermediary, such as a Qualified Health Information Organization (QHIO), or by independently meeting the requirements of the P&Ps. To assist in this process, entities that sign the DSA may be eligible to receive grant funding to help them connect to a QHIO through the QHIO Onboarding Grant or to otherwise help them identify and implement solutions to meet the DxF requirements with the Technical Assistance Grant.

The P&Ps have been under development since early 2022 and continue to be developed in 2023, through a public and collaborative process that is designed to take into account the needs of all health and human services providers, the individuals they serve, as well as consumers. The P&Ps that have already been finalized and adopted are available here. Additional P&Ps are being released on an ongoing basis for public comment and have been reviewed and discussed in public DSA P&P Subcommittee meetings. Also, CalHHS and CDII are holding public webinars, town halls, and Implementation Advisory Committee (IAC) meetings in order to provide updates, answer questions, and garner feedback regarding DxF implementation. Most P&Ps will become effective January 31, 2024.

We urge stakeholders, organizations, advocates, and consumers to join these public meetings to ask questions and offer feedback. This is an open, transparent process to inform providers of their obligations under the DSA. CalHHS and CDII are working to ensure a smooth transition and adoption of the DxF, and we encourage you to reach out to any of our Educational Initiative Grantees for additional and industry-specific assistance meeting your obligation to sign the Data Sharing Agreement:

View Educational Initiative Grantees, contact, website, and signatory types table in the DxF FAQ PDF.

You can also reach out to CDII directly at cdii@chhs.ca.gov.

Yes. Both registered laboratories and licensed laboratories that are regulated by the California Department of Public Health are clinical laboratories required to sign the Data Sharing Agreement by January 31, 2023.

Skilled nursing facilities that maintain electronic records or “electronic health information” as defined under federal regulation in Section 171.102 of Title 45 of the Code of Federal Regulations. [2/21/2023]

Yes. Solo practices are required to sign the DSA but are not required to implement the DSA until January 31, 2026. Any physician organization or medical group with one or more physicians is required to sign the DSA.

The DSA does not require your organization to share protected health information with non-covered Entities, such as a social services organization. The DSA permits sharing between a Covered Entity and non-Covered Entity when you have a valid authorization from the patient or patient’s representative or the disclosure is otherwise permitted or required by applicable law. (See DSA, Section 6(a); Privacy and Security Safeguards P&P). For more information on how Covered Entities can share protected health information with non-Covered Entities, please see the State Health Information Guidance (SHIG), particularly SHIG Vol. 1.1: Sharing Behavioral Health Information in California, especially Scenario 4, and the scenarios in SHIG Vol. 2.0: Sharing Health Information to Address Food and Nutrition Insecurity in California.

The Data Exchange Framework is not a technology, but instead rules of the road for how organizations will provide access to and exchange health and social services information. Health and social services information will not reside on any state DxF system. The Permitted, Required and Prohibited Purposes P&P describes the purposes for which DxF Participants are required or permitted to exchange health and social services information under the DSA with other Participants. The Privacy and Security Safeguards P&P describes the minimum privacy and security safeguards required by the DxF for Participants to implement.

We continue to work with stakeholders through an open and transparent process to describe additional policies and procedures that Participants must follow as they implement the DxF. Please review the Data Elements to Be Exchanged P&P for a description of the data that Participants are required to exchange under the DxF, and the draft Real Time P&P and the draft Technical Requirements for Exchange P&P, for more about the requirements that Participants must meet. Ultimately, it is a Participant’s choice how to best operationalize the requirements of the DxF as part of its own implementation plan and in compliance with the DSA and P&Ps.

The Data Exchange Framework is not a technology, but instead rules of the road for how organizations will provide access to and exchange health and social services information. Participants in the DxF are free to choose any health information exchange network, health information organization, or technology to exchange health and social services information that adheres to the requirements of the Data Sharing Agreement and its accompanying Policies and Procedures. CDII anticipates that many Participants will choose to use a nationwide network or framework or one of California’s several Health Information Organizations (HIOs) to meet some or all of their obligations to exchange data.

Required signatories under HSC section 130290(f) must sign the Data Sharing Agreement (DSA) whether or not they have an EHR. Participants should review the DSA and its Policies and Procedures, found under the Policies and Procedures section of the CDII DxF Website, to determine what health and social services information (HSSI) they are required to share. A Participant may use any system or solution to share the HSSI which they maintain, so long as they are able to comply with the requirements of the DSA and its Policies and Procedures.

IPAs are required signatories to the DSA and, as Participants, are required to exchange the HSSI they maintain like any other Participant. If they host or manage an EHR or other system that maintains HSSI on behalf of their members, they are required to share HSSI with other Participants and may use any system or solution to exchange that information in accordance with the DSA and its Policies and Procedures. If a Participant does not maintain any HSSI, the Participant is not required to share HSSI under the DSA but must still follow any applicable Policies and Procedures, including but not limited to the DxF Requirement to Exchange Health and Social Services Information Policy and Procedure.

HSC section 130290 does not allow required entities listed in HSC section 130290(f) to opt out of signing the DSA.

The DxF requires Participants to share HSSI in accordance with federal and state law, the DSA, and its Policies and Procedures. This includes any patient/individual consent requirements and an individual’s right to request restrictions on how their information is used and disclosed that are applicable under federal and state law. The DxF does not change or supersede a Participant’s responsibility to comply with an individual’s privacy rights under applicable law or a Participant’s requirements to obtain an individual’s consent to share or access HSSI when required by applicable law. If an individual’s consent is required under applicable law for a Participant to share the individual’s data, the individual can refuse to provide such consent. Similarly, if an individual has the right under applicable law to require a Participant not to share their information, the individual can work with the Participant to exercise that right by reaching out to the Participants who maintain their HSSI to make that request. Each Participant is responsible for ensuring all HSSI that the Participant shares through the DxF complies with applicable law

The DxF does not require any access, use, or disclosure of Health or Social Services Information (HSSI) that would be unlawful. The DSA requires Participants to share HSSI, which includes Protected Health Information (PHI) and medical information, for Required Purposes, which can be found in the Permitted, Required, and Prohibited Purposes Policy and Procedure, and subject to applicable law. If sharing HSSI is not permitted under applicable law, a Participant must respond to the requestor in accordance with the Requirement to Exchange Health and Social Services Information Policy and Procedure, Section III.1. A refusal to share HSSI because it is unlawful under applicable law is not information blocking under the draft California Information Blocking Prohibitions Policy and Procedure.

CDII encourages Participants to request patient authorization to share HSSI wherever possible when applicable law does not permit sharing for a Required Purpose in the Permitted, Required, and Prohibited Purposes Policy and Procedure. Nothing in the DxF, DSA, or the Policies and Procedures limits a patient’s right to decline to sign an authorization to share their information. When it is unlawful to share information without patient authorization and the patient did not sign an authorization, the Participant must not share HSSI under the DSA. In such instances, the DxF Participant would respond to the request for HSSI consistent with Requirement to Exchange Health and Social Services Information Policy and Procedure, Section III.1.

No, specialized plans are not full-service plans considered health care service plans and disability insurers that provide hospital, medical, or surgical coverage, and therefore, are not required to sign the DSA

Yes. Health and Safety Code section 130290 does not differentiate between a “restricted health care service plan” and a “full service health care service plan.” Both a “restricted health care service plan” and a “full service health care service plan” are required to sign the DSA.

Participants may use “any health information exchange network, health information organization, or technology that adheres to [DxF] standards and policies” as stated in HSC 130290(a)(2). Nationwide networks and frameworks, including the Trusted Exchange Framework when it becomes operational, may be applicable to meet some or all exchange obligations under the DSA. CDII encourages DxF Participants to fully utilize the capabilities of exchange options already available to them or in use by them today.

Depending upon the Participant, a nationwide network or framework may not be able to meet all of a Participant’s obligations and the Participant may be required to supplement their use of a nationwide network or framework with other methods. It is the responsibility of the Participant to determine what obligations a nationwide network or framework can meet, how to ensure the Participant’s proper use of the network or framework to comply with the DSA and P&Ps (including but not limited to the Requirement to Exchange Health and Social Services Information P&P, the Permitted, Required, and Prohibited Purposes P&P, the California Information Blocking Prohibitions P&P, the Privacy Standards and Security Safeguards P&P, Data Elements to Be Exchanged P&P, Technical Requirements for Exchange P&P, and Real-Time Exchange P&P), and how to supplement the nationwide network or framework if required. See also the QHIO P&P, that states CDII will create a QHIO Program as an option that may help a Participant meet all of their DxF exchange obligations. QHIOs could be used to supplement participation in a nationwide network or framework when needed.

CDII will assess any organization, including a Trusted Exchange Framework Qualified Health Information Network (QHIN) or nationwide network or framework if it applies to become a QHIO. Only organizations that apply for QHIO status during the open application period will be granted QHIO status. The QHIO application period may be offered by CDII annually, but not more often than once a year.

DxF Participants are not required to use a QHIO, and may use “any health information exchange network, health information organization, or technology that adheres to [DxF] standards and policies” as stated in HSC 130290(a)(2). According to the QHIO P&P, CDII will create a QHIO Program as an option that may help a Participant meet all of their DxF obligations. If a Participant chooses an option other than a QHIO, it is up to the Participant to ensure that the health information exchange network, health information organization, or technology they select adheres to DxF standards and policies

No, a nationwide network or framework, or Trusted Exchange Framework Qualified Health Information Network, is not required to sign the DxF DSA in order to be used by a DxF Participant to meet some or all of its exchange obligations. However, as a signatory to the DSA, DxF Participants must ensure that the data sharing or other agreements they execute with any intermediary, including a nationwide network or framework, do not conflict with the DSA or its P&Ps in such a way that the Participant cannot meet DSA or P&P requirements.

No, using a QHIO is optional. Participants may choose to exchange HSSI via a QHIO, a nationwide network or framework, other intermediary, point-to-point connections using their own technology, or a combination of these methods to comply with the DSA and P&Ps. See related General DxF FAQs, notably questions 16, 30, and 31.

No, QHIOs are not required by CDII or the QHIO Program to enter into contracts and serve every Participant that requests their services. Some QHIOs may not be able to meet the specialized needs of some Participants or the technologies they have chosen; may not be prepared to serve all Participant types; may not offer all of the services requested by a Participant; or may not have the capacity to take on new Participants at the time of a Participant’s inquiry. Please reach out to the QHIO(s) in which your organization is interested for more information on whether they are able to provide services to your organization.

Yes, QHIOs may charge for the services they provide to Participants. CDII recommends that Participants refer to the P&Ps, including the Permitted, Required, and Prohibited Purposes P&P and the proposed Fees P&P, both of which can be found on the CDII DxF webpage, for more information on when Intermediaries, including QHIOs, may charge fees and restrictions on the fees they may charge. Please reach out to the QHIO(s) in which your organization is interested to learn more about the pricing of their services.

Yes, QHIOs may require Participants to sign additional agreements or contracts that specify the terms of the services they offer. In some cases, QHIOs may be acting as a business associate to a Participant as defined under HIPAA requiring the parties to execute a business associate agreement. Agreements that a Participant might be asked to execute by a QHIO include a participation agreement, a data sharing agreement distinct from the DxF DSA, and/or business associate agreement.

No, use of a QHIO does not guarantee compliance with DSA or its P&P requirements. QHIOs offer access to critical services compliant with DxF technical standards requirements and have established critical connectivity that may help Participants comply with their obligations to provide access to or exchange of HSSI. It remains the responsibility of each Participant to ensure that they comply with requirements of the DSA and its P&Ps beyond the technical standards by reviewing and complying with P&Ps including but not limited to:

  • The Permitted, Required, and Prohibited Purposes P&P for the purposes for which the Participant may and must share HSSI,
  • The Privacy Standards and Security Safeguards P&P for information on privacy and security standards the Participant’s systems must meet,
  • The Data Elements to Be Exchanged P&P for information on data elements the Participant must make available,
  • The Technical Requirements for Exchange P&P for the types of exchange a Participant must enable, and
  • The Real-Time Exchange P&P for information on the requirements for timely information sharing

QHIOs are not required by CDII to guarantee Participants that use a QHIO are compliant with the DxF. QHIOs may not have insight into a Participant’s internal policies and standard operating practices which could have an impact on the Participant’s compliance with the DSA and its P&Ps. Participants must assess their own processes to ensure that they remain compliant. QHIOs may choose, but are not required by CDII, to offer services to assist or advise Participants in assessing their compliance with the DSA.

Onboarding to a QHIO typically takes between 90 and 180 days; however, the length of time to onboard to a QHIO will vary depending on the Participant’s technology, Participant vendor readiness, the services the Participant is seeking, and other factors. Participants should reach out to the QHIO(s) for more information on the time to onboard.

The date to begin exchange under the DxF is a requirement established in Health and Safety Code (HSC) § 130290. Neither CalHHS nor CDII are authorized to grant extensions or exemptions from state law. Throughout 2024, CDII will continue to develop resources intended to help Participants determine if they are meeting their obligations under the DxF. We encourage you to stay engaged and recommend reading the DxF Weekly Update that is distributed on Tuesday afternoons. This weekly email provides important updates and links to helpful resources as well as upcoming events. To join the DxF Weekly Update listserv, please email dxf@chhs.ca.gov to be added.

If you have health and social services information that you don’t want exchanged, please contact the health care organization, provider or social services agency who maintains that information. The DxF is not an information technology system or single repository of data, rather, it establishes the “rules of the road” for a collection of organizations that are required to exchange health and social services information with each other. There is no state-wide mechanism to opt out of DxF data exchange.

If a person asks to opt out of DxF data exchange, the Participant should follow their own organization’s procedure for an individual’s request for a restriction on the use or disclosure of their data. The provider can also advise the person that there is otherwise no state-wide mechanism to opt out of DxF data exchange. The DxF is not an information technology system or a single repository of data. The DxF establishes the ”rules of the road” for a collection of organizations that are required to exchange health and social services information with each other.

The DxF DSA and its P&Ps govern and require the Exchange of Health and Social Services Information under the DxF only among signatories to the DSA. Neither CDII nor the DxF prohibit Exchange among non-signatories or between signatories and nonsignatories, whether or not the exchange is facilitated by a QHIO. QHIOs and other Intermediaries assisting Participants to meet their DxF requirements should review their Business Associate Agreements (BAAs) and other agreements with their customers, as well as Applicable Law, in determining what Exchange they can facilitate among signatories and non-signatories to the DSA.

The DxF does not prohibit a QHIO who receives an ADT Event or Notification of an ADT Event from a DxF signatory from sharing any notification of the event with a nonsignatory, so long as the Exchange is permitted by Applicable Law, the DSA, the DxF P&Ps, and relevant BAAs or other agreements the QHIO has with its customers.

The DSA and its P&Ps require that Hospitals and Emergency Departments, and optionally skilled nursing facilities, that are signatories to the DSA send Notification of ADT Events, via a QHIO if they choose, to any authorized organization that is a signatory to the DSA as requested via a roster of Individuals. The QHIO Program requires that QHIOs share rosters of Individuals with the other QHIOs to help facilitate Notification of ADT Events.

The DSA and its P&Ps do not prohibit a QHIO from including the names of Individuals requested by non-signatories on their rosters for Notification of ADT Events.

The DSA and its P&Ps do not prohibit QHIOs from sharing Notifications of ADT Events for Individuals requested by non-signatories, so long as the Disclosure complies with Applicable Law and relevant agreements. The DSA and its P&Ps likewise do not require that a signatory to the DSA send Notifications of ADT Events to non-Participants, whether or not the notifications are facilitated by a QHIO.

Non-Intermediary Participants are not permitted to charge fees for the Exchange of HSSI for a Required Purpose under the DSA. This is true whether they use their own technology, a QHIO, an Intermediary that has signed the DSA but is not a QHIO, or an Intermediary that has not signed the DSA.

A Participant shall not charge fees to any other Participant for any Exchange of Health and Social Services Information under the Data Exchange Framework for a Required Purpose. (DxF Fees P&P, Section II.1.a.)

All Participants have a duty to respond to requests for HSSI and must fulfill that duty by providing the information in accordance with Applicable Law OR other appropriate response.

All Participants shall respond to requests for Health and Social Services Information made by other Participants and shall share Health and Social Services Information when required under the Permitted, Required, and Prohibited Purposes Policy and Procedure. A Participant shall fulfill its duty to respond by either providing the requested Health and Social Services Information it Maintains in accordance with the Data Sharing Agreement (the “DSA”) and Applicable Law; or… providing an appropriate error message or null response as specified by the technical standard in use and in accordance with the Technical Requirements for Exchange Policy and Procedure. (DxF Requirement to Exchange Health and Social Services Information P&P, Section III.1.a)

Non-Intermediary Participants that use an Intermediary that is not a QHIO to meet DxF requirements must obtain assurances that the Intermediary provides services in such a way as to allow the non-Intermediary Participant to comply with the DSA and its P&Ps, regardless of whether the Intermediary is a DxF Participant or not. This includes obtaining reasonable assurances that the Intermediary meets the non-Intermediary Participant’s duty to respond and does not charge fees to other Participants other than their own contracted client for the Exchange of their HSSI for Required Purpose

If a Participant elects not to execute an agreement with a Qualified HIO and instead elects to use its own technology or to execute an agreement with another entity that provides data exchange, the Participant must comply with or obtain reasonable assurances that the other entity enables the Participant to comply with, the minimum requirements for data exchange set forth in the Policies and Procedures or Specifications. (DxF DSA, Section 7(a).)

Non-Intermediary Participants that choose to execute a contract with an Intermediary to help them meet DxF requirements, however, may be charged fees by that Intermediary, in accordance with the DxF Fees P&P:

A Participant shall not charge fees to any other Participant for any Exchange of Health and Social Services Information under the Data Exchange Framework for a Required Purpose. However, a Participant that is an Intermediary may charge fees to another Participant if the Participant that is an Intermediary has executed a contract with the other Participant to provide services. For contracts to provide services to assist another Participant in meeting its obligations under the Data Sharing Agreement, the fees shall be consistent with Applicable Law, including but not limited to the Fees Exception in the Federal Information Blocking Regulations. (DxF Fees P&P, Section II.1.a.)

A Participant is not permitted to Access HSSI for the purpose of selling the information it Accesses or Exchanges, whether the Participant uses its own technology, a QHIO, an Intermediary that has signed the DSA but is not a QHIO, or an Intermediary that has not signed the DSA:

Unless otherwise permitted by Applicable Law or a legally valid agreement, Participants shall not access Health and Social Services Information through the DSA in order to sell such information. (DxF Permitted, Required, and Prohibited Purposes P&P, Section II.3.a.)

Further, while a Participant may de-identify and use HSSI received from another Participant, they may not sell de-identified HSSI when it includes information received from another Participant.

Participant may de-identify and use Health and Social Services Information received from another Participant under the DSA and Use or Disclose such DeIdentified Health and Social Services Information so long as permitted by Applicable Law and consistent with this section…. Participants may not sell deidentified Health and Social Services Information when that de-identified Health and Social Services Information includes information received from another Participant. (DxF Privacy Standards and Security Safeguards P&P, Section III.1.a.ii)

The Centers for Medicare & Medicaid Services (CMS) rules, and other federal requirements, were considered when drafting the DxF P&Ps.

Both HSC § 130290 and the DxF Data Elements to Be Exchanged P&P require that health plans provide Access to or Exchange of claims, encounter, and clinical information that parallels the data required of plans by the CMS Interoperability and Patient Access Rule. Likewise, DxF requires that health care providers provide Access to or Exchange of the same data (that is, EHI) that is required by federal information blocking, which is in turn already more than that required by the CMS Interoperability and Prior Authorization Final Rule.

Further, the Data Elements to Be Exchanged P&P adopts the same definition of “Maintained” as found in the CMS Interoperability and Patient Access Rule. DxF does require the use of USCDI v2 rather than the USCDI version currently required by CMS rules and ONC.

However, both the CMS Interoperability and Patient Access Rule and the CMS Interoperability and Prior Authorization Final Rule focus on FHIR as the required transport, whereas the DxF Technical Requirements for Exchange P&P requires that all DxF Frequently Asked Questions 25 Last Updated: February 28, 2025 Participants support the same IHE profiles found in eHealth Exchange, Carequality, and TEFCA’s QHIN Technical Framework that are likely already available to many health systems. FHIR is optional, but encouraged, in the Technical Requirements for Exchange P&P.

Health and Safety Code (HSC) § 130290, subdivision (b)(1), requires that mandatory signatories to the Data Sharing Agreement (DSA), which includes health insurers and health care service plans, exchange health information or provide access to health information to and from every other mandatory signatory. HSC § 130290(a)(4) defines “health information” for health insurers and health care service plans as, “at a minimum, the data required to be shared under the federal Centers for Medicare and Medicaid Services Interoperability and Patient Access regulations for public programs as contained in United States Department of Health and Human Services final rule CMS-9115-F, 85 FR 25510.” The referenced CMS final rule requires entities to share adjudicated claims, encounter information, and clinical data contained in the US Core Data for Interoperability. (42 C.F.R. § 422.119.)

Note, under the DxF, cost information may be excluded from adjudicated claims and encounter information except for Individual Access Services while retaining the requirement to share adjudicated claims, encounter information, and clinical data without cost information for DxF Participants. (Data Elements to Be Exchanged P&P, Section II.1.iii.)