Utah Administrative Code

The Utah Administrative Code is the body of all effective administrative rules as compiled and organized by the Division of Administrative Rules (see Subsection 63G-3-102(5); see also Sections 63G-3-701 and 702).


R380. Health, Administration.

Rule R380-250. HIPAA Privacy Rule Implementation.

As in effect on April 1, 2019

R380-250-1. Authority and Purpose.

(1) This rule implements provisions required by 45 CFR Part 164, subpart E, dealing with the treatment of certain individually identifiable health information held by the Department of Health.

(2) This rule is authorized by Utah Code Sections 26-1-5 and 26-1-17.

R380-250-2. Definitions.

As used in this rule:

(1) "Access" means an eligibility query either telephonically or electronically. This does not include direct access to databases.

(2) "Covered program" means the smallest agency or program unit within the Department responsible for carrying out a covered function as that term is used in 45 CFR 164.501.

(3) "HIPAA Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information found in 45 CFR Part 160 and Subparts A and E of Part 164.

(4) "Individual" means a natural person. In the case of an individual without legal capacity or a deceased person, the personal representative of the individual.

R380-250-3. General Compliance.

(1) This rule applies only to those functions of the Department that are covered functions as that term is used in 45 CFR Part 164.

(2) Covered programs shall comply with the privacy requirements of 45 CFR Part 164, Subpart E in dealing with individually identifiable health information and the subjects of that information.

R380-250-4. Changes to Rule.

The Department reserves the right to alter this rule and its notices of privacy practices required by the HIPAA Privacy Rule.

R380-250-5. Sanctions, Retaliation.

(1) An employee of a covered program may be disciplined for failure to comply with the HIPAA Privacy Rule requirements found in 45 CFR Part 164, Subpart E. Discipline may include termination and civil or criminal prosecution.

(2) An employee of a covered program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any person for exercising any right established by the HIPAA Privacy Rule or for opposing in good faith any act or practice made unlawful by the HIPAA Privacy Rule.

R380-250-6. Waiver of Rights Prohibited.

A covered program may not require individuals to waive their rights under 45 CFR 160.306 or 45 CFR Part 164, Subpart E as a condition of the provision of treatment, payment, health plan enrollment, or eligibility for benefits.

R380-250-7. Complaints.

(1) An individual may seek a review of a covered program's policies and procedures or its compliance with such policies and procedures through informal contact with the covered program.

(2) An individual may file a formal complaint concerning a covered program's policies and procedures implementing 45 CFR Part 164, Subpart E or its compliance with such policies and procedures or the requirements of 45 CFR Part 164, Subpart E by filing with the Office of the Executive Director of the Department a request for program action meeting the requirements of the Utah Administrative Procedures Act.

R380-250-8. Right to Request Privacy Protection.

(1) An individual may request restrictions on use and disclosure of protected health information as permitted in 45 CFR 164.522 by submitting a written request to the designated privacy officer for the covered program.

(2) The decision whether to grant the request, documentation of any restrictions, alternate communication methods, and conditions on providing confidential communications shall be in accordance with 45 CFR 164.522.

R380-250-9. Individual Access to Protected Health Information.

(1) An individual may request access to protected health information as permitted in 45 CFR 164.524 by submitting a written request to the designated privacy officer for the covered program.

(2) The right to access, decision whether to grant access, review of denials, timeliness of responses, form of access, time and manner of access, documentation and other required responses shall be in accordance with 45 CFR 164.524.

R380-250-10. Amendment of Protected Health Information.

(1) An individual may request amendment to protected health information about that individual that the individual believes is incorrect as permitted in 45 CFR 164.526 by submitting a written request to the designated privacy officer for the covered program.

(2) The decision whether to grant the request, the time frames for action by the covered program, amendment of the record, requirements for denial, and acting on notices of amendment from third parties shall be in accordance with 45 CFR 164.526.

R380-250-11. Accounting for Disclosures.

(1) An individual may request an accounting of disclosures of protected health information as permitted in 45 CFR 164.528 by submitting a written request to the designated privacy officer for the covered program.

(2) The content of the accounting and the provision of the accounting shall be in accordance with 45 CFR 164.528.

R380-250-12. Provider Notice of Privacy Practices.

A Medicaid provider or a Children's Health Insurance Program (CHIP) provider shall not access the Medicaid database or the CHIP eligibility database, unless the provider's notice of privacy practices contains a statement that the provider either has, or may submit personally identifiable information about the patient to the Medicaid eligibility database or to the CHIP eligibility database.

KEY

HIPAA, privacy

Date of Enactment or Last Substantive Amendment

August 7, 2013

Notice of Continuation

April 10, 2018

Authorizing, Implemented, or Interpreted Law

26-1-5; 26-1-17


Additional Information

Contact

For questions regarding the content or application of rules under Title R380, please contact the promulgating agency (Health, Administration). A list of agencies with links to their homepages is available at http://www.utah.gov/government/agencylist.html or from http://www.rules.utah.gov/contact/agencycontacts.htm.