Utah Administrative Code

The Utah Administrative Code is the body of all effective administrative rules as compiled and organized by the Division of Administrative Rules (see Subsection 63G-3-102(5); see also Sections 63G-3-701 and 702).

NOTE: For a list of rules that have been made effective since August 1, 2019, please see the codification segue page.

NOTE TO RULEFILING AGENCIES: Use the RTF version for submitting rule changes.

R428. Health, Center for Health Data, Health Care Statistics.

Rule R428-2. Health Data Authority Standards for Health Data.

As in effect on August 1, 2019

Table of Contents

R428-2-1. Legal Authority.

This rule is promulgated under authority granted by Title 26, Chapter 33a.

R428-2-2. Purpose.

This rule establishes definitions, requirements, and general guidelines relating to the collection, control, use and release of data pursuant to Title 26, Chapter 33a.

R428-2-3. Definitions.

(1) The terms used in this rule are defined in Section 26-33a-102.

(2) In addition, the following definitions apply to all of Title R428:

(a) "Adjudicated claim" means a claim submitted to a carrier for payment where the carrier has made a determination whether the services provided fall under the carrier's benefit.

(b) "Ambulatory surgery data" means the consolidation of complete billing, medical, and personal information describing a patient, the services received, and charges billed for a surgical or diagnostic procedure treatment in an outpatient setting into a data record.

(c) "Ambulatory surgical facility" is defined in Section 26-21-2.

(d) "Carrier" means any of the following Third Party Payors as defined in 26-33a-102(16):

(i) an insurer engaged in the business of health care or dental insurance in the state of Utah, as defined in Section 31A-1-301;

(ii) a business under an administrative services organization or administrative services contract arrangement;

(iii) a third party administrator, as defined in Section 31A-1-301, licensed by the state of Utah that collects premiums or settles claims of residents of the state, for health care insurance policies or health benefit plans, as defined in Section 31A-1-301;

(iv) a governmental plan, as defined in Section 414 (d), Internal Revenue Code, that provides health care benefits;

(v) a program funded or administered by Utah for the provision of health care services, including Medicaid, the Utah Children's Health Insurance Program created under Section 26-40-103, and the medical assistance programs described in Title 26, Chapter 18 or any entity under a contract with the Utah Department of Health to serve clients under such a program;

(vi) a non-electing church plan, as described in Section 410 (d), Internal Revenue Code, that provides health care benefits;

(vii) a licensed professional employer organization as defined in Section 31a-40-102 acting as an administrator of a health care insurance plan;

(viii) a health benefit plan funded by a self-insurance arrangement;

(ix) the Public Employees' Benefit and Insurance Program created in Section 49-20-103;

(x) a pharmacy benefit manager, defined to be a person that provides pharmacy benefit management services as defined in Section 49-20-502 on behalf of any other carrier defined in subsection R428-2-3.

(e) "Claim" means a request or demand on a carrier for payment of a benefit.

(f) "Covered period" means the calendar year on which the data used for calculation of HEDIS measures is based.

(g) "Data element" means the specific information collected and recorded for the purpose of health care and health service delivery. Data elements include information to identify the individual, health care provider, data supplier, service provided, charge for service, payer source, medical diagnosis, and medical treatment.

(h) "Discharge data" means the consolidation of complete billing, medical, and personal information describing a patient, the services received, and charges billed for a single inpatient hospital stay into a discharge data record.

(i) "Electronic media" means a compact disc, digital video disc, external hard drive, or other media where data is stored in digital form.

(j) "Electronic transaction" means to submit data directly via electronic connection from a hospital or ambulatory surgery facility to the Office according to Electronic Data Interchange standards established by the American National Standards Institute's Accredited Standards Committee, known as the Health Care Transaction Set (837) ASC X 12N.

(k) "Eligible Enrollee" means an enrollee who meets the criteria outlined in the NCQA survey specifications.

(l) "Emergency Room Data" means the consolidation of complete billing, medical, and personal information describing a patient, the services received, and charges billed for a single visit and treatment of a patient in an emergency room into an emergency room data record.

(m) "Enrollee" means any individual who has entered into a contract with a carrier for health care or on whose behalf such an arrangement has been made.

(n) "Health Insurance" has the same meaning as found in Section 31A-1-301.

(o) "Healthcare claims data" means information consisting of, or derived directly from, member enrollment, medical claims, and pharmacy claims that this rule requires a carrier to report.

(p) "Healthcare Facility" means a hospital or ambulatory surgical facility.

(q) "Healthcare Facility Data" means ambulatory surgery data, discharge data, or emergency room data.

(r) "HEDIS" means the Healthcare Effectiveness Data and Information Set, a set of standardized performance measures developed by the NCQA.

(s) "HEDIS data" means the complete set of HEDIS measures calculated by the carriers according to NCQA specifications, including a set of required measures and voluntary measures defined by the department, in consultation with the carriers.

(t) "Hospital" means a general acute hospital or specialty hospital as defined in Section 21-21-2 that is licensed under Rule R432.

(u) "Level 1 data element" means a required reportable data element.

(v) "Level 2 data element" means a data element that is reported when the information is available from the patient's hospital record.

(w) "NCQA" means the National Committee for Quality Assurance, a not-for-profit organization committed to evaluating and reporting on the quality of managed care plans.

(x) "Office" means the Office of Health Care Statistics within the Utah Department of Health.

(y) "Order" means an action of the committee that determines the legal rights, duties, privileges, immunities, or other interests of one or more specific persons, but not a class of persons.

(z) "Patient Social Security number" is the social security number of a person receiving health care.

(aa) "Performance Measure" means the quantitative, numerical measure of an aspect of the carrier, or its membership in part or in its entirety, or qualitative, descriptive information on the carrier in its entirety as described in HEDIS.

(bb) "Public Use Data Set" means a data extract or a subset of a database that is deemed by the Office to not include identifiable data or where the probability of identifying individuals is minimal.

(cc) "Report" means a disclosure of data or information collected or produced by the committee or Office, including but not limited to a compilation, study, or analysis designed to meet the needs of specific audiences.

(dd) "Research and Statistical Purposes" means having the objective of creating knowledge or answering questions, including a systematic investigation that includes development, testing, and evaluation; the description, estimation, projection, or analysis of the characteristics of individuals, groups, or organizations; an analysis of the relationships between or among these characteristics; the identification or creation of sampling frames and the selection of samples; the preparation and publication of reports describing these matters; and the development, implementation, and maintenance of methods, procedures, or resources to support the efficient use or management of the data.

(ee) "Research Data Set" means a data extract or subset of a database intended for use by investigators or researchers for bona fide research purposes that may include identifiable information or where there is more than a minimal probability that the data could be used to identify individuals.

(ff) "Record linkage number" is an irreversible, unique, encrypted number that will replace patient social security number.

(gg) "Sample file" means the data file containing records of selected eligible enrollees drawn by the survey agency from the carrier's sampling frame.

(hh) "Sampling Frame" means the carrier enrollment file as described criteria outlined by the NCQA survey specifications.

(ii) "Submission year" means the year immediately following the covered period.

(jj) "Survey agency" means an independent contractor on contract with the Office of Health Care Statistics.

(kk) "Utah Health Care Performance Measurement Plan" means the plan for data collection and public reporting of health-related measures, adopted by the Utah Health Data Committee to establish a statewide health performance reporting system.

(ll) "Uniform billing form" means the uniform billing form recommended for use by the National Uniform Billing Committee.

(mm) "Utah Healthcare Facility Data Submission Guide" means the document referenced in Subsection R428-1-4(1).

(nn) "NCQA Survey Specifications" means the document referenced in Subsection R428-1-4(2)

(oo) "NCQA HEDIS Specifications" means the document referenced in Subsection R428-1-4(3)

(pp) "Data Submission Guide for Claims Data" means the document referenced in Subsection R428-1-4(4).

R428-2-4. Technical Assistance.

The Office may provide technical assistance or consultation to a data supplier upon request and resource availability. The consultation shall be to enable a data supplier to submit required data according to Title R428.

R428-2-5. Data Classification and Access.

(1) Data collected by the committee are not public, and as such are exempt from the classification and release requirements specified in Title 63g, Chapter 2, Government Records Access and Management Act.

(2) Any person having access to data collected or produced by the committee or the Office under Title 26, Chapter 33a shall not:

(a) take any action that might provide information to any unauthorized individual or agency;

(b) scan, copy, remove, or review any information to which specific authorization has not been granted;

(c) discuss information with unauthorized persons which could lead to identification of individuals;

(d) give access to any information by sharing passwords or file access codes.

(3) Any person having access to data collected or produced by the committee or the Office under Title 26, Chapter 33a shall:

(a) maintain the data in a safe manner which restricts unauthorized access;

(b) limit use of the data to the purposes for which access is authorized;

(c) report immediately any unauthorized access to the Office or its designated security officer.

(4) A failure to report known violations by others is subject to the same punishment as a personal violation.

(5) The Office shall deny a person access to the facilities, services and data as a consequence of any violation of the responsibilities specified in this section.

R428-2-6. Editing and Validation.

(1) Each data supplier shall review each required record prior to submission. The review shall consist of checks for accuracy, consistency, completeness, and conformity.

(2) The Office may subject submitted data to edit checks. The Office may require the data supplier to correct data failing an edit check as follows:

(a) The Office may, by first class U.S. mail or email, inform the submitting data supplier of any data failing an edit check.

(b) The submitting data supplier shall make necessary corrections and resubmit all corrected data to the Office within 10 business days of the date the Office notified the supplier.

(3) The Office or its designee may reject any data submission that fails to conform to the submission requirements. A data supplier whose submission is rejected shall resubmit the data in the appropriate, corrected format to the Office or its designee within 10 state business days of notice that the data does not meet the submission requirements.

R428-2-7. Error Rates.

The committee may establish and order reporting quality standards based on non-reporting or edit failure rates.

R428-2-8. Data Disclosure.

(1) The committee may disclose data received from data suppliers or data or information derived from this data as specified in Title 26, Chapter 33a.

(2) The Office may prepare reports relating to health care cost, quality, access, health promotion programs, or public health. These actions may be to meet legislative intent or upon request from individuals, government agencies, or private organizations. The Office may create reports in a variety of formats including print or electronic documents, searchable databases, web-sites, or other user-oriented methods for displaying information.

(3) Unless otherwise specified by the committee, the time period for data suppliers and health care providers to prepare a response as required in Subsections 26-33a-107(1) and 26-33a-107(3) shall be 15 business days. If a data supplier fails to respond in the specified time frame, the committee may conclude that the information is correct and suitable for release.

(4) The committee may note in a report that accurate appraisal of a certain category or entity cannot be presented because of a failure to comply with the committee's request for data, edit corrections, or data validation.

(5) The Office may release to the data supplier or its designee any data elements provided by the supplier without notification when a data supplier requests the data be so supplied.

(6) The committee may disclose data in computer readable formats.

(7) The Director of the Office may approve the disclosure of a public use data set upon receipt of a written request that includes the following:

(a) the name, address, e-mail and telephone number of the requester;

(b) a statement of the purpose for which the data will be used;

(c) agreement to other terms and conditions as deemed necessary by the Office.

(8) As allowed by Section 26-33a-109, thecommittee may release identified data for research and statistical purposes. A person requesting a research data set must provide:

(a) the name, address, e-mail and telephone number of the requester and for each person who will have access to the research data set;

(b) a statement of the purpose for which the research data set will be used;

(c) the starting and ending dates for which the research data set is requested;

(d) an explanation of why a public use data set could not be used for to accomplish the stated research purposes, including a separate justification for each element containing identified data requested;

(e) evidence of the integrity and ability to safeguard the data from any breach of confidentiality;

(f) evidence of competency to effectively use the data in the manner proposed;

(g) a satisfactory review from an Office-approved institutional review board;

(h) a guarantee that no further disclosure will occur without prior approval of the Office;

(i) a signed agreement to comply with other terms and conditions as stipulated by the committee.

R428-2-9. Penalties.

(1) The Office may apply civil penalties or subject violators to legal prosecution.

(2) Sections 26-23-6 and 26-33a-110 specify civil and criminal penalties for failure to comply with the requirements of Title R428 or Title 26, Chapter 33a.

(3) Notwithstanding Subsection R428-2-9(2), any person that violates any provision of Title R428 may be assessed an administrative civil money penalty not to exceed $3,000 upon an administrative finding of a first violation and up to $5,000 for a subsequent similar violation within two years. A person may also be subject to penalties imposed by a civil or criminal court, which may not exceed $5,000 or a class B misdemeanor for the first violation and a class A misdemeanor for any subsequent similar violation within two years.

(4) Notwithstanding Subsection R428-2-9(2) and R428-2-9(3), a data supplier that violates any provision of Title R428 may be assessed an administrative civil money penalty for each day of non-compliance. Fines may be imposed as follows:

(a) Not to exceed the sum of $10,000 per violation

(b) Each day of violation is a separate violation

(c) Deadlines established in separate sections of Title R428 are considered as separate provisions.

(5) The Office may impose a fine on any data supplier that misses a deadline to submit data required in Title R428 as follows:

(a) A fine of $250 per violation shall be imposed until the data has been supplied as required

(b) The fines shall increase to $500 per violation for each violation when any data supplier that is currently in violation misses another deadline

(c) After forty-five consecutive calendar days of violation, the Office may adjust the per day penalty subject to the limits in (4)(a) taking into account the following aggravating and mitigating circumstances:

(i) Prior violation history and history of compliance

(ii) Good faith efforts to prevent violations

(iii) The size and financial capability of the data supplier.

R428-2-10. Exemptions and Extensions.

(1) The committee may grant exemptions or extensions from reporting requirements in Title R428 to data suppliers under certain circumstances.

(2) The committee may grant an exemption to a data supplier when the supplier demonstrates that compliance imposes an unreasonable cost.

(a) A data supplier may request an exemption from any particular requirement or set of requirements of Title R428. The data supplier must submit a request for exemption no less than 30 calendar days before the date the supplier would have to comply with the requirement.

(b) The committee may grant an exemption for a maximum of one calendar year. A data supplier wishing an additional exemption must submit an additional, separate request.

(3) The committee may grant an extension to a data supplier when the supplier demonstrates that technical or unforeseen difficulties prevent compliance.

(a) A data supplier may request an extension for any deadline required in Title R428. For each deadline for which the data supplier requests an extension, the data supplier must submit its request no less than seven calendar days before the deadline in question.

(b) The committee may grant an extension for a maximum of 30 calendar days. A data supplier wishing an additional extension must submit an additional, separate request.

(4) The supplier requesting an extension or exemption shall include:

(a) The data supplier's name, mailing address, telephone number, and contact person;

(b) the dates the exemption or extension is to start and end;

(c) a description of the relief sought, including reference to specific sections or language of the requirement;

(d) a statement of facts, reasons, or legal authority in support of the request; and

(e) a proposed alternative to the requirement or deadline.

(5) A carrier that covers fewer than 2,500 individual Utah residents as of January 1 of a given year is exempt from all requirements of this title except that once a carrier has covered a cumulative total of 2,500 such individuals during a calendar year, they are no longer considered exempt for the remainder of that year.

R428-2-11. Contractor Liability.

(1) A data supplier may contract with another entity to submit required data elements on their behalf under Title R428. In such cases, the data supplier must notify the Office of the identity and contact information of the contractor.

(2) Regardless of the existence of a contractor, the responsibility for complying with all requirements of Title R428 remains solely with the data supplier.

R428-2-12. Data Supplier Contacts.

(1) Data suppliers required to submit healthcare claims data or healthcare facility data shall provide current contact information to the Office by September 1 of each year using a web-site provided by the Office for this purpose.

(2) Each data supplier newly required to submit healthcare claims data or healthcare facility data under this rule, including by a change to the rule or because it no longer qualifies for an exemption, shall provide contact information to the Office within 30 days of learning that they will be required to submit data under this rule.

(3) Each data supplier shall designate a person who is responsible for submitting data and a person who is responsible for communicating with the Office regarding the submission of the data. Each data supplier shall notify the Office of changes in this designation within thirty calendar days.


health, health policy, health planning

Date of Enactment or Last Substantive Amendment

December 13, 2017

Notice of Continuation

November 10, 2016

Authorizing, Implemented, or Interpreted Law


Additional Information


For questions regarding the content or application of rules under Title R428, please contact the promulgating agency (Health, Center for Health Data, Health Care Statistics). A list of agencies with links to their homepages is available at http://www.utah.gov/government/agencylist.html or from http://www.rules.utah.gov/contact/agencycontacts.htm.