Data Sharing and Confidentiality FAQs
1. What data and information do the Memorandum of Understanding (MOUs) require parties to share?
Managed Care Plans (MCPs) and Third-Party Entities are expected to share the minimum necessary information and data to facilitate referrals and address barriers to care coordination in certain cases as the need arises. MCPs and Third-Party Entities are required to identify or establish policies and procedures for how this data and information will be shared, when necessary, that comply with all applicable laws and regulations, such as ensuring the parties have a process to obtain Member consent if needed.
DHCS has released
APL 26-004 and
BHIN 26-013 to provide guidance regarding responsibilities for data sharing for MCPs, Mental Health Plans (MHPs), Drug Medi-Cal Organized Delivery System (DMC-ODS) plans, and Drug Medi-Cal (DMC) Counties.
The
CalAIM Data Sharing Authorization Guidance includes Child Welfare guiding principles and examples of data sharing use cases such as Enhanced Care Management (ECM) assignment and Member engagement; care coordination and referral management; and MCP coordination of behavioral health services.
2. How can MCPs and Third-Party Entities (e.g., Regional Centers, IHSS County Offices, Women, Infants, & Children Agencies) share data given that the Third-Party Entities may not be able to obtain Members’ consent?
The MOU does not supersede any federal or State requirements and parties should share data as allowed under existing law and guidance, and all parties must continue to comply with applicable law and regulations. California Advancing and Innovating Medi-Cal (CalAIM) initiative, and Assembly Bill (AB) 133 permits certain disclosure of personal information if such disclosure helps implement CalAIM and is consistent with federal law and other State laws. The activities between MCPs and Third-Party Entities that are subject of the MOUs are directly related to CalAIM implementation as they pertain to coordinating care and providing whole person care approach in caring for the Member. The data sharing authorization requirements of AB 133 and related guidelines can be found in the
CalAIM Data Sharing Authorization Guidance document.
3. How can MCPs and Third-Party Entities share information and data if they do not have the infrastructure to share and receive data electronically and in real-time?
The Department of Health Care Services (DHCS) will continue to collaborate with California Department of Public Health (CDPH), the California Department of Social Services (CDSS), and the California Department of Developmental Services (CDDS) regarding long-term solutions to facilitate data sharing at the state-level to support Third-Party Entities who do not have the technical infrastructure to share/receive data. In the interim, parties should share data as permitted under applicable law as quickly and expansively as possible. The MCPs will be notified as additional guidance on data sharing becomes available.
4. How can Third-Party Entities legally receive and share protected health information (PHI) if they are not covered entities under the Health Insurance Portability and Accountability Act (HIPAA) and their systems may not protect the PHI once received?
DHCS expects MCPs and Third-Party Entities to share the minimum necessary information and data needed to carry out the goals of the MOU. The MOUs do not take precedence over any prevailing federal or State laws or regulations governing the ability of the MCP or Third-Party Entity to exchange information. Instead, the MOUs underscore the necessity for all parties involved to engage in data sharing activities strictly in accordance with the existing laws and guidance at both the federal and State levels.
Under HIPAA, covered entities are permitted to share PHI with noncovered entities in certain instances for the purposes of treatment, payment, and health care operations (which includes care coordination), even if the noncovered entity does not comply with HIPAA. MCPs should consult with their counsel to assess whether they may share PHI for these purposes with Third-Party Entities. DHCS, Health Care Providers, and MCPs are Covered Entities under HIPAA. Third Party Entities typically receive PHI by way of a Business Associate Agreement or the like. Please consult with your own legal counsel for more information on this topic. 