26B-8-508. Exceptions to prohibition on disclosure of identifiable health data.
| (1) |
The committee may not disclose any identifiable health data unless:
Terms Used In Utah Code 26B-8-508- Committee: means the Health Data Committee created in Section 26B-1-413. See Utah Code 26B-8-501
- Control number: means a number assigned by the committee to an individual's health data as an identifier so that the health data can be disclosed or used in research and statistical analysis without readily identifying the individual. See Utah Code 26B-8-501
- Data supplier: means a health care facility, health care provider, self-funded employer, third-party payor, health maintenance organization, or government department which could reasonably be expected to provide health data under this part. See Utah Code 26B-8-501
- disclose: means the communication of health care data to any individual or organization outside the committee, its staff, and contracting agencies. See Utah Code 26B-8-501
- Health data: means information relating to the health status of individuals, health services delivered, the availability of health manpower and facilities, and the use and costs of resources and services to the consumer, except vital records as defined in Section 26B-8-101 shall be excluded. See Utah Code 26B-8-501
- Identifiable health data: means any item, collection, or grouping of health data that makes the individual supplying or described in the health data identifiable. See Utah Code 26B-8-501
- Person: means :Utah Code 68-3-12.5
- Public health authority: means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, an Indian tribe, or a person acting under a grant of authority from or a contract with such an agency, that is responsible for public health matters as part of the agency or authority's official mandate. See Utah Code 26B-1-102
| (a) |
the individual has authorized the disclosure; |
| (b) |
the disclosure is to the department or a public health authority in accordance with Subsection (2); or |
| (c) |
the disclosure complies with the provisions of:
| (ii) |
insurance enrollment and coordination of benefits under Subsection 26B-8-504(1)(d); or |
|
|
| (2) |
The committee may disclose identifiable health data to the department or a public health authority under Subsection (1)(b) if:
| (a) |
the department or the public health authority has clear statutory authority to possess the identifiable health data; and |
| (b) |
the disclosure is solely for use:
| (i) |
in the Utah Statewide Immunization Information System operated by the department; |
| (ii) |
in the Utah Cancer Registry operated by the University of Utah, in collaboration with the department; or |
| (iii) |
by the medical examiner, as defined in Section 26B-8-201, or the medical examiner’s designee. |
|
|
| (3) |
The committee shall consider the following when responding to a request for disclosure of information that may include identifiable health data:
| (a) |
whether the request comes from a person after that person has received approval to do the specific research or statistical work from an institutional review board; and |
| (b) |
whether the requesting entity complies with the provisions of Subsection (4). |
|
| (4) |
A request for disclosure of information that may include identifiable health data shall:
| (a) |
be for a specified period; or |
| (b) |
be solely for bona fide research or statistical purposes as determined in accordance with administrative rules adopted by the department in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act , which shall require:
| (i) |
the requesting entity to demonstrate to the department that the data is required for the research or statistical purposes proposed by the requesting entity; and |
| (ii) |
the requesting entity to enter into a written agreement satisfactory to the department to protect the data in accordance with this part or other applicable law. |
|
|
| (5) |
A person accessing identifiable health data pursuant to Subsection (4) may not further disclose the identifiable health data:
| (a) |
without prior approval of the department; and |
| (b) |
unless the identifiable health data is disclosed or identified by control number only. |
|
| (6) |
Identifiable health data that has been designated by a data supplier as being subject to regulation under 42 C.F.R. part 2, Confidentiality of Substance Use Disorder Patient Records, may only be used or disclosed in accordance with applicable federal regulations. |
Renumbered and Amended by Chapter 306, 2023 General Session
