Frequently Asked Questions (FAQ)

The Data Exchange Framework (DxF) comprises a single Data Sharing Agreement (DSA) and common set of Policies and Procedures (P&Ps) that governs the Exchange of Health and Social Services Information (HSSI) among health care entities, Social Services entities, and government agencies in California.

Finalized on July 1, 2022, the DxF DSA and P&Ps were developed with input from a broad set of stakeholders, including a Stakeholder Advisory Group as required by Assembly Bill 133 (AB 133). That legislation mandated that a broad spectrum of health care organizations execute the DxF DSA by January 31, 2023, and begin to exchange or provide Access to HSSI with other DXF DSA-signatories by January 31, 2024.

These FAQs provide additional information about the DxF and its requirements and may be updated from time to time. Please submit questions about the DxF to: dxf@hcai.ca.gov

THE DXF FAQ PDF IS AVAILABLE HERE

Entities required to sign the DxF DSA, as set forth in Health and Safety Code section 130290(f), are listed below.

 

  • General Acute Care Hospitals, as defined by Health and Safety Code section 1250
  • [CLARIFIED] Physician Organizations and Medical Groups, which include:
  • Skilled Nursing Facilities (SNFs), as defined in Health and Safety Code section 1250, that Maintain electronic health records.
    • For purposes of this section, “electronic health records” means a System that contains an electronic record of health-related information on an Individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
  • Health Plans, as follows:
    • Health Care Service Plans and Disability Insurers providing hospital, medical, or surgical coverage that are regulated by the California Department of Managed Health Care (DMHC) or the California Department of Insurance (CDI).
    • Medi-Cal Managed Care Plans that have signed a comprehensive risk contract with the Department of Health Care Services pursuant to the Medi-Cal Act1 or the Waxman-Duffy Prepaid Health Plan Act, 2 and that are not regulated by DMHC or CDI.
  • Clinical Laboratories, as described in Business and Professions Code Section 1265, and those that are regulated by the California Department of Public Health (CDPH)
    • Both registered laboratories and licensed laboratories that are regulated by CDPH are required to sign the DxF DSA.
  • Acute Psychiatric Hospitals, as defined in Health and Safety Code section 1250.
  • [NEW] Emergency Medical Services, as defined by Health and Safety Code section 1797.72.

 

[NEW] Beginning January 1, 2027, Department of Health Care Access and Information (HCAI) will publish and keep current on its website the names of any known entities it deems not to be in compliance with the requirement to execute the Data Exchange Framework (DxF) Data Sharing Agreement (DSA).

 

Entities that are encouraged, but not required, to sign the DxF DSA include:

 

  • Government public health and human services agencies, unless they otherwise are required to execute the DxF DSA by Health and Safety Code section 130290(f).
    • For example, a county-operated general acute care hospital which meets the definition of a general acute care hospital in Health and Safety Code section 1250 would be required to sign;
  • Social services organizations, including organizations providing housing services and nutrition assistance;
  • Specialized health plans that are not full-service plans, such as Employee Assistance Program (EAP) Plans;
  • Electronic health record (EHR) vendors;
  • Health information exchanges (HIEs) and other intermediaries, unless they have been qualified as a Qualified Health Information Organization (QHIO);
  • Non-physician health providers, so long as they are not otherwise part of a medical group practice, a professional medical corporation, or a medical partnership, including but not limited to:
    • Dentists;
    • Licensed clinical social workers;
    • Licensed marriage and family therapists;
    • Podiatrists
    • Psychologists
    • Registered nurses
    • Optometrists
    • Marriage and family therapists
    • Clinical social workers
    • Physician assistants
    • Chiropractors
    • Acupuncturists
    • Professional clinical counselors
    • Physical therapists
    • Pharmacists
    • Licensed midwives
    • Naturopathic doctors

 

1 Cal. Welfare and Institutions Code section 14000, et seq.
2 Cal. Welfare and Institutions Code section 14200, et seq.

 

Please see the EMS provider and LEMSA support FAQ for information about how EMS providers’ participation in the Data Exchange Framework (DxF) may be supported.

Deadlines for signing the DxF DSA and beginning Exchange of Health and Social Services Information, as set forth in the Requirement to Exchange Health and Social Services Information Policy and Procedure and Health and Safety Code section 130290, subdivisions (b) and (f), are listed below.

 

Hospitals

Signatory Type3 Deadline to Sign the DSA Deadline to Begin Data Exchange
Rural general acute care hospitals with fewer than 100 beds January 31, 2023 January 31, 2026
Critical access hospitals January 31, 2023 January 31, 2026
Rehabilitation hospitals January 31, 2023 January 31, 2026
Long-term acute care hospitals January 31, 2023 January 31, 2026
Acute psychiatric hospitals January 31, 2023 January 31, 2026
All other general acute care hospitals January 31, 2023 January 31, 2024

 

[CLARIFIED] Physician organizations and medical groups

Signatory Type3 Deadline to Sign the DSA Deadline to Begin Data Exchange
Medical foundations exempt from
licensure pursuant to Health and Safety
Code section 1206(l)		 July 1, 2026 July 1, 2026
Nonprofit clinics with fewer than 10 health
care providers		 January 31, 2023 January 31, 2026
All other physician organizations and
medical groups		 January 31, 2023 January 31, 2026
Skilled nursing facilities that Maintain
electronic health records		 January 31, 2023 January 31, 2024
Health care service plans and disability
insurers		 January 31, 2023 January 31, 2024
Clinical laboratories January 31, 2023 January 31, 2024
[NEW] Emergency medical services July 1, 2026 July 1, 2026
[NEW] Facilities operated by the
California Department of State Hospitals
or California Department of
Developmental Services which use
seclusion and behavioral restraints		 January 31, 2023 January 31, 2029

 

3 Signatory types are simplified. For more information on the signatory types, please refer to question 1.

[NEW] Yes, if you are required to sign the DxF DSA. Beginning July 1, 2026, unless already required by an existing contract requirement, signing the DxF DSA will be required as a condition of continuing, amending, or entering into a new or existing contract for the coverage of or provision of health care services with DHCS, CalPERS, and the California Health Benefit Exchange. DHCS, CalPERS, and California Health Benefit Exchange may require subcontractors and delegates to sign the DxF DSA as a condition of their contracts.

Yes. Health and Safety Code section 130290 does not differentiate between a “restricted health care service plan” and a “full service health care service plan.” Both a “restricted health care service plan” and a “full service health care service plan” are required to sign the DxF DSA.

When the DxF was first established under AB 133 (2021), the statute did not include enforcement or accountability mechanisms. Recently under SB 660 (2025), the legislature provided for some accountability measures, including public transparency, state purchasing levers, coordination with licensing entities, and contractual obligations among participants. SB 660 also directed the DxF Advisory Committee to evaluate and recommend potential future enforcement and dispute‑resolution approaches, ensuring that any additional authority is informed, deliberate, and appropriately resourced. More information on DxF Accountability Measures can be found on the Governance section of the DxF website.

Participants must follow all applicable state and federal law when sharing Health and Social Services Information (HSSI) in accordance with the Data Exchange Framework Data Sharing Agreement. What laws apply during an Exchange may depend on the organization providing the HSSI, the organization receiving the information, the type of HSSI being Exchanged, the purpose for Exchange, and where the organization providing the HSSI obtained the information from. Please consult with your legal counsel to better understand what laws apply to the HSSI your organization is Exchanging. For more guidance on state and federal laws that affect Disclosure and sharing of health information, please see HCAI’s Data Exchange Framework Policies and Procedures, DHCS’ Data Sharing Authorization Guidance, and CalHHS’ State Health Information Guidance (SHIG).

The Data Exchange Framework (DxF) requires that every Participant provide Access to or Exchange Health and Social Services Information (HSSI) with every other Participant consistent with the Requirement to Exchange Health and Social Services Information
Policy and Procedure and the Permitted, Required and Prohibited Purposes Policy and Procedure. Information on DxF Participants can be found in the DxF Participant Directory Listing. If you have concerns about a Participant receiving HSSI, please contact DxF at DxF@hcai.ca.gov.

Note that Participants are still required to maintain the confidentiality of HSSI and cannot share HSSI if sharing would violate federal or state law. Refusing to share HSSI with another Participant because sharing would violate the law meets an exception to
Information Blocking in the California Information Blocking Prohibitions Policy and Procedure. For information on required Participants, see the required signatories FAQ. For technical requirements for data sharing, see the Data Elements to Be Exchanged Policy and Procedure, the Technical Requirements for Exchange Policy and Procedure, and the Real-Time Exchange Policy and Procedure which can be found on the Policies and Procedures section of the DxF website. For more information on privacy and security requirements and information blocking exceptions, please refer to the Privacy Standards and Security Safeguards Policy and Procedure and the California Information Blocking Prohibitions Policy and Procedure.

The Data Exchange Framework allows Participants to provide Access to or Exchange information through any health information exchange network, health information organization, or technology that adheres to the DxF DSA and Policies and Procedures (P&Ps). It is the responsibility of each Participant to ensure they meet requirements of the DxF DSA and its P&Ps. Several Nationwide Networks or Frameworks may satisfy some or all of the requirements of the DxF DSA and its P&Ps.

California law directs the DxF to “enable and require real-time Access to, or Exchange of, health information among Participants through any health information exchange network, health information organization, or technology that adheres to specified standards and policies.” Technical standards in this Policy and Procedure are examples of specified standards that some Participants are required to use through the health information network, health information exchange, or technology they choose.

The Privacy Standards and Security Safeguards Policy and Procedure defines a set of requirements for Participants for maintaining and safeguarding data, including:

 

  • Administrative, technical, and physical safeguards that Participants must follow to protect the confidentiality, integrity and availability of Health and Social Services Information (HSSI);
  • The use of a secure environment that supports the Exchange of HSSI;
  • What Participants must do to protect against unauthorized Disclosure, Access, Use, modification, or Exchange of HSSI; and
  • How Participants must protect against any Loss, Destruction, Disruption of authorized Access or Exchange of HSSI.

 

The Technical Requirements for Exchange Policy and Procedure defines a set of person attributes that must not be included among person attributes for Person Matching unless required by the technical exchange standard or by the Nationwide Network or Framework in use. It further specifies that if Participants use Nationwide Networks or Frameworks or other intermediaries to Exchange HSSI, Participants must follow all applicable law, and conform to the security model and security standards for exchanging information established by that Nationwide Network or Framework.

Health and Safety Code section 130290 does not allow required entities listed in Health and Safety Code section 130290(f) to opt out of signing the DxF DSA.

The DxF requires Participants to share HSSI in accordance with federal and state law, the Data Sharing Agreement, and its Policies and Procedures. This includes any Individual consent requirements and an Individual’s right to request restrictions on how their information is Used and Disclosed that are applicable under federal and state law. The DxF does not change or supersede a Participant’s responsibility to comply with an Individual’s rights under Applicable Law or a Participant’s requirements to obtain an Individual’s consent to Access or Exchange HSSI when required by Applicable Law. If an Individual’s consent is required under Applicable Law for a Participant to share the Individual’s data, the Individual can refuse to provide such consent. Similarly, if an Individual has the right under Applicable Law to require a Participant not to share their information, the Individual can work with the Participant to exercise that right by reaching out to the Participants who Maintain their HSSI to make that request. Each Participant is responsible for ensuring all HSSI that the Participant shares through the DxF complies with Applicable Law.

No, the DxF does not require any Access, Use, or Disclosure of Health and Social Services Information (HSSI) that would be unlawful. The DxF Data Sharing Agreement (DSA) requires Participants to share HSSI, which includes PHI and medical information, for Required Purposes, which can be found in the Permitted, Required, and Prohibited Purposes Policy and Procedure, and subject to Applicable Law. If sharing HSSI is not permitted under Applicable Law, a Participant must respond to the requestor in accordance with the Requirement to Exchange Health and Social Services Information Policy and Procedure, Section III.1. Refusing to share HSSI because it is unlawful under Applicable Law is not Information Blocking under the California Information Blocking Prohibitions Policy and Procedure.

HCAI encourages Participants to request patient Authorization to share HSSI when possible when Applicable Law does not permit sharing for a Required Purpose in the Permitted, Required, and Prohibited Purposes Policy and Procedure. Nothing in the DxF, DSA, or the Policies and Procedures (P&Ps) limits a patient’s right to decline to sign an Authorization to share their information. When it is unlawful to share information without patient Authorization and the patient did not sign an Authorization, the Participant must not share HSSI under the DxF DSA. In such instances, the DxF Participant would respond to the request for HSSI consistent with Requirement to Exchange Health and Social Services Information Policy and Procedure, Section III.1. All P&Ps listed above can be found on the Policies and Procedures section of the DxF website

CMS rules and other federal requirements were considered when drafting the DxF Policies and Procedures. In addition, the Department of Health Care Access and Information (HCAI) continues to monitor new and developing federal requirements for impact on the DxF.

Both Health and Safety Code section 130290 and the DxF Data Elements to Be Exchanged Policy and Procedure, which can be found on the Policies and Procedures section of the DxF website, require that health plans provide Access to or Exchange of claims, encounter, and clinical information that parallels the data required of plans by the CMS Interoperability and Patient Access Rule. Likewise, DxF requires that health care providers provide Access to or Exchange of the same data (that is, electronic health information (EHI)) that is required by the Federal Information Blocking Regulations, which is in turn already more than that required by the CMS Interoperability and Prior Authorization Final Rule.

However, both the CMS Interoperability and Patient Access Rule and the CMS Interoperability and Prior Authorization Final Rule focus on Fast Healthcare Interoperability Resources (FHIR) as the required transport, whereas the DxF Technical Requirements for
Exchange Policy and Procedure requires that all Participants support the same Integrating the Healthcare Enterprise (IHE) profiles found in eHealth Exchange, Carequality, and Trusted Exchange Framework and Common Agreement’s Qualified Health Information Network Technical Framework that are likely already available to many health systems. FHIR is optional, but encouraged, in the Technical Requirements for Exchange Policy and Procedure

Health and Safety Code section 130290(b)(1), requires that required signatories to the DxF Data Sharing Agreement, which includes health insurers and health care service plans, Exchange health information or provide Access to health information to and from every other required signatory. Health and Safety Code section 130290(a)(4) defines “health information” for health insurers and health care service plans as, “at a minimum, the data required to be shared under the federal Centers for Medicare and Medicaid Services Interoperability and Patient Access regulations for public programs as contained in United States Department of Health and Human Services final rule CMS9115-F, 85 FR 25510.” The referenced Centers for Medicare and Medicaid Services final rule requires entities to share adjudicated claims, encounter information, and clinical data contained in USCDI. (42 C.F.R. § 422.119.)

Note, under the DxF, cost information may be excluded from adjudicated claims and encounter information except when providing Individual Access Services. (Data Elements to Be Exchanged Policy and Procedure, Section II.1.iii.)

The DxF Data Sharing Agreement and its Policies and Procedures apply when two DxF Participants Exchange HSSI for an Individual, regardless of the Individual’s residency.

The Data Exchange Framework (DxF) allows Participants to Exchange Health and Social Services Information through any health information exchange network, health information organization, or technology that meets the requirements of the DSA and its Policies and Procedures. The DxF is not intended to be an information technology system or single repository of data, rather it is a collection of organizations that are required to share health information using national standards and a common set of policies. Some Participants may choose to use services provided by a Nationwide Network or Framework or a Qualified Health Information Organization (QHIO) to meet some or all of the DSA requirements. A QHIO is an Intermediary designated by HCAI that meets DxF requirements for secure data Exchange. Refer to DxF QHIOs At A Glance for more information.

To support practical and equitable participation across California’s emergency medical services (EMS) system, the Emergency Medical Services Authority (EMSA) intends to offer services as an Intermediary to facilitate Data Exchange Framework (DxF) participation by Local EMS Agencies (LEMSAs) and EMS provider entities. EMSA’s Intermediary services are designed to reduce administrative and technical burden, particularly for smaller or resource-limited agencies, while maintaining compliance with applicable data exchange requirements.

Under this approach, LEMSAs and EMS provider entities may participate in DxF through EMSA’s Intermediary services:

 

  • Using any compliant health information exchange network or technology, consistent with DxF Data Sharing Agreement and its Policies and Procedures; or
  • A combination of both EMSA’s Intermediary services and any other compliant health information exchange network or technology

 

Before using EMSA’s Intermediary services, LEMSAs and EMS provider entities will need to execute an Intermediary Participation Agreement with EMSA. For additional information on EMSA’s intermediary services, please see the EMSA website.

EMSA will provide guidance, technical support, and implementation pathways to support EMS system participation in DxF in a manner that is consistent, scalable, and aligned with EMSA’s and HCAI’s statutory roles.

The DSA permits sharing PHI between a Covered Entity and non-Covered Entity when you have a valid Authorization from the patient or patient’s representative or the Disclosure is otherwise permitted or required by Applicable Law. (See DSA, Section 6(a); Privacy Standards and Security Safeguards Policy and Procedure). For more information on how Covered Entities can share PHI with non-Covered Entities, please see the State Health Information Guidance (SHIG), particularly SHIG Vol. 1.1: Sharing Behavioral Health Information in California, especially Scenario 4, the scenarios in SHIG Vol. 2.0: Sharing Health Information to Address Food and Nutrition Insecurity in California, and the Data Sharing Authorization Guidance (DSAG) Toolkits.

The Data Exchange Framework (DxF) is not a technology, but instead rules of the road for how organizations will provide Access to and Exchange Health and Social Services information (HSSI). HSSI will not reside on any state DxF system. The Privacy Standards and Security Safeguards Policy and Procedure describes the minimum privacy and security safeguards required by the DxF for Participants to implement. These Policies and Procedures can be found on the Policies and Procedures section of the DxF website.

The Implementation Toolkit provides step-by-step guidance for health and Social Services entities in California to become active Participants in the Data Exchange Framework.

The DxF requires electronic Exchange of health information. All Participants should review the DxF DSA and its Policies and Procedures to determine what Health and Social Services Information (HSSI) is required to be shared. A Participant may use any health information exchange network, health information organization, or technology to share the HSSI which they Maintain, so long as they are able to comply with the requirements of the DxF DSA and its Policies and Procedures. Participants should consider whether to seek services from a Qualified Health Information Organization, another Intermediary, or another vendor to support electronic Exchange of health information.

The “I’m Just Getting Started” section on the How to Join the DxF page of the Data Exchange Framework website includes a DSA resource list and instructions for signing the DxF DSA.

For general acute care hospitals, Skilled Nursing Facilities, or psychiatric hospitals, use the license number issued by the California Department of Public Health (CDPH).

For health care service plans or disability insurers, including Medi-Cal managed care plans, use the license number issued by the Department of Managed Health Care (DMHC) or the California Department of Insurance (CDI), or the risk-bearing organization (RBO) number.

For Medi-Cal managed care plans that are not licensed by the DMHC or the CDI, use the contract number issued by the Department of Health Care Services.

For clinical laboratories, use the laboratory license number issued by the California Department of Public Health (CDPH). Do not use the federally-issued Clinical Laboratory Improvement Amendments number.

Log onto the signing portal and add the additional subordinate entities or facilities to those already listed, if any, and save the new entries. Then press “Send DSA” to send a new copy of the DxF DSA to the authorized signer. The new signature page will include the new subordinate organizations, along with the subordinate organizations listed previously. Sign and return the DxF DSA.

The original signed DxF DSA will be retained by the signing portal for your reference and by the Department of Health Care Access and Information. Your organization and any previous subordinate entities that were listed will keep the original execution date for the DxF DSA (the date that your organization and all previously listed subordinate entities and facilities signed the DxF DSA). The newly signed DxF DSA establishes a new execution date for any newly listed subordinates that have signed.

You cannot remove a subordinate entity or facility using the signing portal once your organization has signed the DxF DSA.

Instead, you need to send a written request to the Department of Health Care Access and Information (HCAI) at DxF@hcai.ca.gov listing your organization, the name(s) and license numbers or employee identification numbers of the subordinates that you would like removed, and the reason for removal. Someone at HCAI will contact you to work on your request.

For more information on who must sign the DxF DSA, please reference question #1

The Department of Health Care Access and Information (HCAI) will assess any organization, including a Trusted Exchange Framework QHIN or Nationwide Network or Framework, if it applies to become a QHIO during an open application period. Only organizations that apply for QHIO status during an open application period can be granted QHIO status. QHIO application periods may be offered based on feedback from Data Exchange Framework (DxF) advisory committees.

DxF Participants are not required to use a QHIO, and may use “any health information exchange network, health information organization, or technology that adheres to [DxF] standards and policies” as stated in Health and Safety Code section 130290(a)(2). In accordance with Health and Safety Code section 130291 and the Qualified Health Information Organization Policy and Procedure, which can be found on the Policies and Procedures section of the DxF website, HCAI has created the QHIO Program as an option that may help a Participant meet their DxF obligations. It is up to the Participant to ensure that the health information exchange network, health information organization, or technology they select adheres to DxF standards and policies.

No, using a QHIO is optional. Participants may choose to Exchange HSSI through any health information exchange network, health information organization, or technology that adheres to the Data Sharing Agreement (DSA) and Policies and Procedures (P&Ps), which may be a QHIO, a Nationwide Network or Framework, other Intermediary, Point-toPoint Interface using their own technology, or a combination of these methods to comply with the DxF DSA and P&Ps.

No, QHIOs are not required by the Department of Health Care Access and Information or the QHIO Program to enter into contracts and serve every Participant that requests their services. Some QHIOs may not be able to meet the specialized needs of some Participants or the technologies they have chosen; may not be prepared to serve all Participant types; may not offer all of the services requested by a Participant beyond those required by Data Exchange Framework and the QHIO Program; or may not have the capacity to take on new Participants at the time of a Participant’s inquiry. Please reach out to the QHIO(s) your organization is interested in for more information on their ability to provide services to your organization.

Yes, QHIOs may charge for the services they provide to Participants. The Department of Health Care Access and Information recommends that Participants refer to the Policies and Procedures, including the Permitted, Required, and Prohibited Purposes Policy and Procedure and the Fees Policy and Procedure, both of which can be found on the Policies and Procedures section of the Data Exchange Framework website for more information on when Intermediaries, including QHIOs, may charge fees and restrictions on the fees they may charge. Please reach out to the QHIO(s) in which your organization is interested to learn more about the pricing of their services.

Yes, QHIOs may require Participants to sign additional agreements or contracts that specify the terms of the services they offer. In some cases, QHIOs may be acting as a Business Associate to a Participant as defined under HIPAA, requiring the parties to execute a Business Associate Agreement. Agreements that a Participant might be asked to execute by a QHIO include a participation agreement, a data sharing agreement distinct from the DxF DSA, and/or Business Associate Agreement.

Participants may comply with the DxF by participating in and sharing information with a QHIO. However, just signing up to use a QHIO does not guarantee compliance with the DxF DSA and all of its P&P requirements. QHIOs offer access to critical services compliant with DxF technical standards requirements and have established critical connectivity that may help Participants comply with their obligations to provide Access to or Exchange of Health and Social Services Information (HSSI). It remains the responsibility of each Participant to ensure that they comply with requirements of the DxF DSA and its P&Ps beyond the technical standards enabled by using a QHIO by reviewing and complying with P&Ps including but not limited to: The Permitted, Required, and Prohibited Purposes Policy and Procedure for the purposes for which the Participant may and must share HSSI,

  • The Privacy Standards and Security Safeguards Policy and Procedure for information on privacy and security standards the Participant’s Systems must meet,
  • The Data Elements to Be Exchanged Policy and Procedure for information on data elements the Participant must make available,
  • The Technical Requirements for Exchange Policy and Procedure for the types of Exchange a Participant must enable, and
  • The Real-Time Exchange Policy and Procedure for information on the requirements for timely information sharing

All P&Ps listed above can be found on the Policies and Procedures section of the DxF website.

In most cases, QHIOs are not able to guarantee Participants that use of a QHIO will ensure compliance with the DxF. While participating in and sharing information with a QHIO can help Participants to comply with the DxF, QHIOs may not have insight into a Participant’s internal policies and standard operating practices to determine whether the Participant was complying with the DxF Data Sharing Agreement (DSA) and all of its Policies and Procedures. Participants must assess their own processes and practices to ensure that they remain compliant in areas the QHIO is not responsible for. See Question 30 to better understand what areas are generally beyond the requirements of the QHIO Program. QHIOs may choose, but are not required by the Department of Health Care Access and Information, to offer services to assist or advise Participants in assessing their compliance with the DSA.

The DxF Data Sharing Agreement (DSA) and its Policies and Procedures govern and require the Exchange of Health and Social Services Information under the DxF only among signatories to the DxF DSA. The DxF does not prohibit Exchange among nonsignatories or between signatories and non-signatories, whether or not the Exchange is facilitated by a QHIO. QHIOs and other Intermediaries assisting Participants to meet their DxF requirements should review their Business Associate Agreements (BAAs) and other agreements with their customers, as well as Applicable Law, in determining what Exchange they can facilitate among signatories and non-signatories to the DxF DSA.

The DxF does not prohibit a QHIO who receives an Admission or Discharge Event or Notification of an Admission or Discharge from a DxF signatory from sharing any notification of the Event with a non-signatory, so long as the Exchange is permitted by Applicable Law and relevant BAAs or other agreements the QHIO has with its customers.

The Data Exchange Framework (DxF) Data Sharing Agreement (DSA) and its Policies and Procedures (P&Ps) require that Hospitals and Emergency Departments, and optionally Skilled Nursing Facilities, that are signatories to the DxF DSA send Notification of Admissions and Discharges to any authorized organization that is a signatory to the DxF DSA as requested via a Roster of Individuals. A Participant may choose to use a QHIO to send Notification of Admissions and Discharges, and the QHIO Program requires that QHIOs share Rosters of Individuals with the other QHIOs to help facilitate Notification of Admissions and Discharges.

The DxF DSA and its P&Ps do not prohibit a QHIO from including the names of Individuals requested by non-signatories on their Rosters for Notification of Admissions and Discharges, so long as it complies with Applicable Law.

The DxF DSA and its P&Ps do not prohibit QHIOs from sharing Notifications of Admissions and Discharges for Individuals requested by non-signatories, so long as the Disclosure complies with Applicable Law and relevant agreements. The DxF DSA and its P&Ps likewise do not require that a signatory to the DxF DSA send Notifications of Admissions and Discharges to non-Participants, whether or not the notifications are facilitated by a QHIO.

Onboarding to a QHIO typically takes between 90 and 180 days; however, the length of time to onboard to a QHIO will vary depending on the Participant’s technology, Participant vendor readiness, the services the Participant is seeking, and other factors. Participants should reach out to the QHIO(s) for more information on the time to onboard.

No, Nationwide Networks or Frameworks, including the TEFCA QHINs, are not required to sign the DxF DSA in order to be used by a DxF Participant to meet some or all of its Exchange obligations under the DxF. However, as a signatory to the DxF DSA, DxF Participants must ensure that the data sharing or other agreements they execute with any Intermediary, including a Nationwide Networks or Frameworks or QHIN, do not conflict with the DxF DSA or its P&Ps in such a way that the Participant cannot meet DxF DSA or P&P requirements.

Non-Intermediary Participants are not permitted to charge fees for the Exchange of Health and Social Services Information (HSSI) for a Required Purpose under the DxF Data Sharing Agreement (DSA). This is true whether they use their own technology, a Qualified Health Information Organization (QHIO), an Intermediary that has signed the DxF DSA but is not a QHIO, or an Intermediary that has not signed the DxF DSA.

A Participant shall not charge fees to any other Participant for any Exchange of Health and Social Services Information under the Data Exchange Framework for a Required Purpose. (DxF Fees P&P, Section II.1.a.)

All Participants have a duty to respond to requests for HSSI and must fulfill that duty by providing the information in accordance with Applicable Law OR other appropriate response.

All Participants shall respond to requests for Health and Social Services Information made by other Participants and shall share Health and Social Services Information when required under the Permitted, Required, and Prohibited Purposes Policy and Procedure. A Participant shall fulfill its duty to respond by either providing the requested Health and Social Services Information it Maintains in accordance with the Data Sharing Agreement (the “DSA”) and Applicable Law; or… providing an appropriate error message or null response as specified by the technical standard in use and in accordance with the Technical Requirements for Exchange Policy and Procedure. (DxF Requirement to Exchange Health and Social Services Information P&P, Section III.1.a)

Non-Intermediary Participants that use an Intermediary that is not a QHIO to meet DxF requirements must ensure that the Intermediary provides services in such a way as to allow the non-Intermediary Participant to comply with the DxF DSA and its Policies and Procedures, regardless of whether the Intermediary is a DxF Participant or not. This includes obtaining reasonable assurances that the Intermediary meets the non-Intermediary Participant’s duty to respond and does not charge fees to other Participants other than their own contracted client for the Exchange of their HSSI for Required Purpose.

If a Participant elects not to execute an agreement with a Qualified HIO and instead elects to use its own technology or to execute an agreement with another entity that provides data exchange, the Participant must comply with or obtain reasonable assurances that the other entity enables the Participant to comply with, the minimum requirements for data exchange set forth in the Policies and Procedures or Specifications. (DxF DSA, Section 7(a).)

Non-Intermediary Participants that choose to execute a contract with an Intermediary to help them meet DxF requirements, however, may be charged fees by that Intermediary, in accordance with the DxF Fees P&P:

A Participant shall not charge fees to any other Participant for any Exchange of Health and Social Services Information under the Data Exchange Framework for a Required Purpose. However, a Participant that is an Intermediary may charge fees to another Participant if the Participant that is an Intermediary has executed a contract with the other Participant to provide services. For contracts to provide services to assist another Participant in meeting its obligations under the Data Sharing Agreement, the fees shall be consistent with Applicable Law, including but not limited to the Fees Exception in the Federal Information Blocking Regulations. (DxF Fees P&P, Section II.1.a.)

A Participant is not permitted to Access Health and Social Services Information (HSSI) for the purpose of selling the information it Accesses or Exchanges, whether the Participant uses its own technology, a Qualified Health Information Organization (QHIO), an Intermediary that has signed the DxF Data Sharing Agreement (DSA) but is not a QHIO, or an Intermediary that has not signed the DxF DSA:

Unless otherwise permitted by Applicable Law or a legally valid agreement, Participants shall not access Health and Social Services Information through the DSA in order to sell such information. (DxF Permitted, Required, and Prohibited Purposes P&P, Section II.3

Further, while a Participant may De-Identify and Use HSSI received from another Participant, they may not sell de-identified HSSI when it includes information received from another Participant.

Participant may de-identify and use Health and Social Services Information received from another Participant under the DSA and Use or Disclose such De-Identified Health and Social Services Information so long as permitted by Applicable Law and consistent with this section. […] Participants may not sell de-identified Health and Social Services Information when that de-identified Health and Social Services Information includes information received from another Participant. (DxF Privacy Standards and Security Safeguards P&P, Section III.1.a.ii)

The date to begin Exchange under the Data Exchange Framework (DxF) is a requirement established in Health and Safety Code section 130290. The Department of Health Care Access and Information (HCAI) is not authorized to grant extensions or exemptions from state law. HCAI will continue to develop resources to help Participants understand how to meet their obligations under the DxF. Stakeholders are encouraged to stay engaged and may subscribe to DxF email updates. These updates provide important information and links to helpful resources as well as upcoming events. To subscribe, please complete the form at the bottom of the News & Events page.

If you have HSSI that you don’t want Exchanged, please contact the health care organization, provider or Social Services agency who Maintains that information. The DxF is not an information technology system or single repository of data, and does not include a centralized technical mechanism to restrict Exchange of health or social service information.

If an Individual asks to opt out of DxF data Exchange, the Participant should follow their own organization’s policies and procedures for an Individual’s request for a restriction on the Use or Disclosure of their data. The provider can also advise the Individual that there is centralized technical mechanism to restrict Exchange of health or social service information through the DxF. Each Participant is responsible for ensuring all HSSI that the Participant shares through the DxF complies with Applicable Law.