California's Data Exchange Framework and HIPAA: what small practices need to know
California's Data Exchange Framework creates active data-sharing obligations for most physician practices. Here is what has changed since 2024, who is required to participate, and how HIPAA, CMIA, and 42 CFR Part 2 interact.
By CoreFolio
California healthcare practices operate under two parallel regulatory frameworks: the federal Health Insurance Portability and Accountability Act (HIPAA) and a growing body of California-specific law. For most physician practices and medical groups, those California obligations are no longer approaching — they are already in effect. The key deadlines for most entities passed on January 31, 2026.
This article covers what has changed, who is required to participate in California's Data Exchange Framework (DxF), how the DxF intersects with your HIPAA obligations, and recent changes to the Confidentiality of Medical Information Act (CMIA) and federal 42 CFR Part 2 that affect behavioral health providers specifically.
What the California Data Exchange Framework is
The DxF is a state-mandated health data sharing program created by Assembly Bill 133 (AB 133), which Governor Newsom signed in July 2021 (codified at California Health and Safety Code § 130290). The legislation established a common Data Sharing Agreement (DSA) and set of policies requiring certain healthcare entities to share patient data electronically with other DxF participants — for treatment, payment, health care operations, and care coordination purposes.
The DxF is not a centralized health information exchange or a single data repository. It is a contractual and policy framework that obligates covered entities to share health and social services information with other participating entities on demand, using national interoperability standards.
Oversight transferred to HCAI in 2025
In August 2025, administration of the DxF transferred from the California Health and Human Services Agency (CalHHS) to the Department of Health Care Access and Information (HCAI). The DxF website is now at dxf.chhs.ca.gov, overseen by HCAI.
SB 660 added accountability mechanisms
In October 2025, Governor Newsom signed Senate Bill 660 (SB 660), which expanded the DxF program in two ways material to small practices:
- Beginning January 1, 2027: HCAI will publish and keep current a public list of entities deemed non-compliant with the requirement to execute the DSA. HCAI may also refer non-compliant entities to relevant state licensing agencies.
- New entities added: Emergency medical services providers are now required to execute the DSA by July 1, 2026.
SB 660 also directed the DxF Advisory Committee to evaluate and recommend enforcement and dispute resolution frameworks, with any additional enforcement authority subject to appropriation.
Who is required to participate — and by when
The deadlines below are from the DxF FAQ at dxf.chhs.ca.gov and reflect both the original AB 133 requirements and the SB 660 additions. Verify your specific entity type directly with HCAI if you have any uncertainty.
Required participants — deadline to begin data exchange: January 31, 2026
- General acute care hospitals
- Physician organizations and medical groups — including solo practices (one or more physicians), medical group practices, professional medical corporations, and independent practice associations that maintain electronic health information (EHI) on behalf of participating physicians
- Skilled nursing facilities with electronic health records (EHRs)
- Health care service plans and disability insurers
- Clinical laboratories
- Nonprofit clinics with fewer than 10 health care providers
- Rehabilitation hospitals, long-term acute care hospitals, acute psychiatric hospitals, critical access hospitals, and rural general acute care hospitals with fewer than 100 acute care beds
All of these entities were also required to sign the DSA by January 31, 2023. If you are in one of these categories and have not yet executed the DSA, you are already past both deadlines.
Required participants — July 1, 2026 deadline (added by SB 660)
- Medical foundations exempt from licensure under Health and Safety Code § 1206(l)
- Emergency medical services providers
Encouraged but not required
Non-physician health providers who are not part of a physician medical group or professional medical corporation — including:
- Solo licensed clinical social workers (LCSWs)
- Solo licensed marriage and family therapists (MFTs)
- Solo psychologists and professional clinical counselors
- Dentists, physical therapists, pharmacists, registered nurses, and other licensed clinicians practicing independently
Why this matters for behavioral health: Many solo or small behavioral health practices in California are not legally required to sign the DSA as of June 2026. However, if those clinicians practice within a physician organization or medical group that is a required signatory, the organization's obligation may extend to their participation.
How the DxF interacts with HIPAA and CMIA
HIPAA allows — and in certain circumstances requires — the sharing of protected health information (PHI) for treatment purposes without specific patient authorization. California's CMIA has historically been stricter: it requires written authorization for certain disclosures that HIPAA permits without authorization.
The DxF creates a significant carve-out to that pattern. Under the DSA, participating entities are required to share health and social services information with other DxF participants for treatment, payment, and health care operations — even in situations where CMIA would ordinarily require explicit authorization. The DSA includes provisions that preempt those specific CMIA consent requirements for DxF transactions.
The practical impact for participants: Once your practice has signed the DSA, you cannot refuse a lawful DxF data request by citing CMIA consent requirements. The DxF participation agreement governs those transactions. This is a material departure from the baseline CMIA framework.
What HIPAA says about state law preemption
Under 45 CFR § 160.203, HIPAA generally preempts contrary state law — but not state law that is more protective of patient privacy. California's CMIA is generally more protective than HIPAA for purposes outside the DxF. The DxF creates a contractual carve-out for specific data sharing transactions among participants. Understanding which transactions are governed by which regime is an area where consultation with a California healthcare attorney is warranted.
The 2024 42 CFR Part 2 final rule — significant changes for behavioral health
For practices that treat patients with substance use disorders (SUDs), federal law 42 CFR Part 2 — which governs the confidentiality of SUD treatment records — underwent the most significant revision in decades in 2024. The compliance deadline was February 16, 2026, meaning these changes are now in effect.
In February 2024, HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights (OCR), published a final rule implementing changes required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020. The key changes:
Aligned with HIPAA for treatment, payment, and operations: Part 2 now allows a single patient consent for all future uses and disclosures for treatment, payment, and health care operations (TPO). Once a Part 2 record is disclosed under that TPO consent to a HIPAA covered entity, the receiving entity may redisclose it under HIPAA rules — with one important exception.
Legal proceedings remain strictly restricted: Neither the original Part 2 rules nor the 2024 amendment allow SUD records to be used in civil, criminal, administrative, or legislative proceedings against a patient without separate patient consent or a court order. This restriction survives the HIPAA alignment.
SUD counseling notes require separate consent: The 2024 rule created a new category — SUD counseling notes — analogous to the psychotherapy notes protection under HIPAA. A provider's notes analyzing the content of an SUD counseling session, maintained separately from the rest of the treatment record, require specific separate patient consent and cannot be disclosed based on the broad TPO consent alone.
Enforcement aligned with HIPAA: The 2024 rule replaced Part 2's criminal-only penalty structure with civil and criminal enforcement authority aligned with HIPAA. In August 2025, HHS delegated enforcement authority for Part 2 violations to OCR — the same agency that enforces HIPAA.
What this means for California behavioral health practices: Part 2 is now substantially more aligned with HIPAA than it was before 2024, which simplifies care coordination. However, the court-proceeding restrictions and the new SUD counseling notes category mean Part 2 still imposes requirements stricter than HIPAA in those specific contexts. Practices that were operating under the pre-2024 rules need to confirm their consent forms, notice of privacy practices, and breach notification procedures have been updated. California's CMIA provisions for SUD and behavioral health records add an additional layer on top of both HIPAA and Part 2.
CMIA — key differences from HIPAA, and recent changes
Separate from the DxF, the CMIA (California Health and Safety Code §§ 56–56.37) governs the confidentiality of medical information in California. Key differences from HIPAA that remain in effect:
- The CMIA applies to more entities than HIPAA — including employers and life insurers that are not covered entities under federal law
- The CMIA requires written authorization for certain disclosures that HIPAA permits without authorization
- Penalties include civil lawsuits by patients — a remedy not available under federal HIPAA
SB 81 (September 2025): immigration status now protected medical information
California SB 81, signed September 20, 2025, and effective immediately, amended the CMIA to designate a patient's immigration status (current or past) and place of birth as protected "medical information." California healthcare providers, health plans, and their contractors are now prohibited from disclosing immigration-related information for immigration enforcement purposes, except when required by a valid judicial warrant or court order. Providers must also designate non-public areas of their facilities where patients receive care or discuss protected health information, and restrict immigration enforcement access to those areas absent a warrant.
California Supreme Court — lowered CMIA breach threshold (May 2026)
In May 2026, the California Supreme Court ruled in J.M. v. Illuminate Education, Inc. that a breach of confidentiality under CMIA § 56.101 occurs when medical information is exposed to a significant risk of unauthorized access or use — not only when unauthorized access is confirmed. The ruling lowers the pleading standard for patients bringing CMIA claims, increasing the civil litigation exposure for a data security incident involving California patients even when there is no evidence the data was actually viewed.
What California practices should do now
1. Verify your DxF status. For physician practices and medical groups, the January 31, 2026 data exchange deadline has passed. If you have not signed the DSA and begun exchange, check dxf.chhs.ca.gov, contact your EHR vendor, or consult your professional association. HCAI will begin publishing non-compliant entity names publicly on January 1, 2027.
2. Confirm your QHIO designation. DxF participation requires designating a Qualified Health Information Organization (QHIO) to facilitate exchange. California has certified nine QHIOs. This designation is required for participation; it is not optional.
3. Update your EHR vendor agreement. DxF participation requires technical interoperability. Confirm your EHR vendor is DxF-ready and that your business associate agreement (BAA) addresses DxF-specific data sharing obligations.
4. If you treat SUD patients, review your Part 2 compliance posture. The February 16, 2026 compliance deadline has passed. Confirm your consent forms reflect the new single-consent-for-TPO structure, that SUD counseling notes are treated with the new separate-consent requirement, and that your breach notification procedures align with the updated Part 2/HIPAA enforcement model.
5. Update your policies for immigration-related information. SB 81 has been in effect since September 2025. Verify your privacy policies, patient intake forms, and staff training reflect the CMIA expansion to cover immigration status and place of birth.
6. Include California-specific obligations in your HIPAA risk analysis. The DxF creates new data transmission paths — new vendors (the QHIO), new data sharing parties, new technical infrastructure. All of that belongs in your risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). A risk analysis that does not account for California-specific data flows is incomplete.
Sources: Assembly Bill 133 (2021), codified at California Health and Safety Code § 130290; Senate Bill 660 (October 2025), amending Health and Safety Code § 130290; California Data Exchange Framework FAQ, dxf.chhs.ca.gov/faq (verified June 4, 2026); HCAI DxF program page, hcai.ca.gov/data/initiatives/dxf (verified June 4, 2026); SB 660 Fact Sheet, dxf.chhs.ca.gov (October 2025); California Confidentiality of Medical Information Act, Cal. Health & Safety Code §§ 56–56.37; SB 81 (September 2025), amending CMIA; J.M. v. Illuminate Education, Inc. (California Supreme Court, May 2026); HHS/SAMHSA/OCR, 42 CFR Part 2 Final Rule, 89 Fed. Reg. 12,472 (Feb. 16, 2024); HHS 42 CFR Part 2 Fact Sheet, hhs.gov/hipaa/for-professionals/regulatory-initiatives (verified June 4, 2026); 45 CFR § 160.203 (HIPAA preemption of state law).
Note: DxF participation requirements and enforcement timelines are subject to ongoing updates. Verify current requirements with HCAI at dxf.chhs.ca.gov or with qualified California healthcare counsel.