California's Data Exchange Framework and HIPAA: what small practices need to know
California's Data Exchange Framework (DxF) creates new data sharing obligations that layer on top of HIPAA. Here is how the two regimes interact and what covered entities in California need to understand.
California healthcare practices operate under two parallel regulatory frameworks: federal HIPAA and a growing body of California-specific law. Understanding how they interact — and where California's rules are stricter — is essential for any practice in the state.
This article focuses on the California Data Exchange Framework (DxF), which has created new data sharing obligations since 2024, and how it intersects with your existing HIPAA compliance posture.
What the California Data Exchange Framework is
The California Data Exchange Framework (DxF) is a state-mandated health data sharing program created by SB 1240 (2022). It requires certain healthcare entities to share patient data electronically with other participants in the network — on patient request, for care coordination, and in certain emergency situations.
The DxF is administered by the California Health and Human Services Agency (CalHHS) and the newly established Data Exchange Framework Policy Council. Participation agreements are required for covered entities that meet certain criteria — generally those with electronic health record systems and those submitting claims to Medi-Cal or operating in certain care settings.
Who is currently required to participate:
- Hospitals (general acute care, 2024 deadline)
- Medical groups and independent practice associations above certain thresholds
- Health plans
- Ambulatory surgical centers
Who is subject to the framework but on a later timeline:
- Physician practices and clinics (implementation deadlines vary by practice type)
- Behavioral health providers
- Long-term care
The DxF is phased. Not every small practice is immediately required to participate. But the direction of travel is clear: the data exchange requirements will expand to cover more practice types over time.
How the DxF interacts with HIPAA
HIPAA allows — and in certain circumstances requires — the sharing of PHI for treatment purposes without specific patient authorization. California law has historically been stricter: the Confidentiality of Medical Information Act (CMIA) and other state statutes impose additional consent requirements on top of HIPAA.
The DxF introduces a new wrinkle: participating entities are required to share patient data with other DxF participants upon request for care coordination purposes — even in situations where California's more restrictive consent rules might otherwise require explicit authorization.
The DxF Participation Agreement includes provisions that preempt some of California's otherwise-stricter consent requirements for data sharing among DxF participants. This is a significant policy shift that practitioners and their attorneys should understand.
The practical impact: If your practice is a DxF participant, data sharing obligations under the Framework may override some of the stricter CMIA consent requirements you are used to following. You cannot refuse a DxF data request by citing CMIA if the DxF participation agreement governs that transaction.
What HIPAA says about state law preemption
Under 45 CFR § 160.203, HIPAA generally preempts contrary state law — but there are important exceptions. HIPAA does not preempt state law that is more protective of patient privacy than HIPAA itself.
California's CMIA is generally more protective than HIPAA for most purposes. The DxF creates a carve-out for specific data sharing transactions among participants. Understanding which transactions are governed by which regime requires careful analysis — this is an area where consultation with a California healthcare attorney is warranted.
Behavioral health and substance use disorder records
California has its own additional protections for behavioral health and substance use disorder records — and these interact with federal law in complex ways. Federal law (42 CFR Part 2) governs substance use disorder records and imposes stricter requirements than standard HIPAA. California CMIA provisions add another layer.
Behavioral health practices in California — psychologists, licensed clinical social workers, marriage and family therapists, psychiatrists — need to understand which records are governed by which regime and whether the DxF creates any new sharing obligations for those record types.
The short answer: Behavioral health records have additional protections under both federal and California law that are not overridden by the DxF in the same way as general medical records. But the details matter and vary by record type. Get advice specific to your practice.
What small California practices should do now
1. Confirm whether you are a current DxF participant. Check with CalHHS or your professional association. If your practice type is on the current implementation timeline, you may already have participation obligations.
2. Understand your current DxF status. If you are required to participate, you have likely received communication from CalHHS or your EHR vendor about the participation agreement and technical requirements.
3. Review your BAAs with your EHR vendor. The DxF requires technical interoperability. Your EHR vendor should be DxF-compliant if they serve California practices. Confirm this in writing — your BAA may need to be updated to address DxF-specific data sharing.
4. Review your policies for patient data requests. If your practice is a DxF participant, your existing policies for handling patient data requests may need to be updated to reflect the DxF's requirements alongside CMIA.
5. Include California-specific rules in your HIPAA risk analysis. Your annual HIPAA risk analysis should include California-specific data handling obligations as part of the regulatory landscape you are managing. The DxF creates new data transmission paths that need to be assessed.
The Confidentiality of Medical Information Act (CMIA)
Separate from the DxF, the CMIA (California Health and Safety Code §§ 56–56.37) governs the confidentiality of medical information in California. Key differences from HIPAA:
- The CMIA applies to more entities than HIPAA (employers, life insurers, and others who are not covered entities under federal law)
- The CMIA requires written authorization for certain disclosures that HIPAA permits without authorization
- Penalties under the CMIA include civil lawsuits by patients — a remedy not available under federal HIPAA
California practices need to operate in compliance with both HIPAA and the CMIA simultaneously. Where they conflict, the more protective standard generally applies — with the DxF as a significant exception for participating entities.
Sources: California Data Exchange Framework (DxF), California Health and Human Services Agency; SB 1240 (2022); California Confidentiality of Medical Information Act, Cal. Health & Safety Code §§ 56–56.37; 45 CFR § 160.203 (preemption); 42 CFR Part 2 (substance use disorder records). Note: DxF participation timelines and requirements are subject to ongoing updates. Verify current requirements with CalHHS or qualified California healthcare counsel.