Utah Administrative Code
The Utah Administrative Code is the body of all effective administrative rules as compiled and organized by the Division of Administrative Rules (see Subsection 63G-3-102(5); see also Sections 63G-3-701 and 702).
R495. Human Services, Administration.
Rule R495-881. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Implementation.
As in effect on January 1, 2020
Table of Contents
- R495-881-1. Authority and Purpose.
- R495-881-2. Definitions.
- R495-881-3. General Compliance.
- R495-881-4. Changes to Rule.
- R495-881-5. Sanctions, Retaliation.
- R495-881-6. Waiver of Rights Prohibited.
- R495-881-7. Complaints.
- R495-881-8. Right to Request Privacy Protection.
- R495-881-9. Individual Access to Protected Health Information.
- R495-881-10. Amendment of Protected Health Information.
- R495-881-11. Accounting for Disclosures.
- Date of Enactment or Last Substantive Amendment
- Notice of Continuation
- Authorizing, Implemented, or Interpreted Law
R495-881-1. Authority and Purpose.
(1) This rule implements provisions required by 45 CFR Part 164, subpart E, dealing with the treatment of certain individually identifiable health information held by the Department of Human Services.
(2) This rule is authorized by Section 62A-1-111.
R495-881-2. Definitions.
As used in this rule:
(1) "Covered entity" means a program within the Department responsible for carrying out a covered function as that term is used in 45 CFR 164.501.
(2) "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1997 and its implementing regulations.
(3) "Individual" means a natural person. In the case of an individual without legal capacity or a deceased person, the personal representative of the individual.
R495-881-3. General Compliance.
(1) This rule applies only to those functions of the Department that are covered functions as that term is used in 45 CFR Part 164.
(2) Covered entities shall comply with the privacy requirements of 45 CFR Part 164, Subpart E in dealing with individually identifiable health information and the subjects of that information.
R495-881-4. Changes to Rule.
The Department reserves the right to alter this rule and its notices of privacy practices required by HIPAA.
R495-881-5. Sanctions, Retaliation.
(1) An employee of a covered entity may be disciplined for failure to comply with the HIPAA requirements found in 45 CFR Part 164, Subpart E. Discipline may include termination and civil or criminal prosecution.
(2) An employee of a covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any person for exercising any right established by HIPAA or for opposing in good faith any act or practice made unlawful by HIPAA.
R495-881-6. Waiver of Rights Prohibited.
A covered entity may not require individuals to waive their rights under 45 CFR 160.306 or 45 CFR Part 164, Subpart E as a condition of the provision of treatment, payment, health plan enrollment, or eligibility for benefits.
R495-881-7. Complaints.
(1) An individual may seek a review of a covered entity's policies and procedures or its compliance with such policies and procedures through informal contact with the covered entity.
(2) An individual may file a formal complaint concerning a covered entity's policies and procedures implementing 45 CFR Part 164, Subpart E or its compliance with such policies and procedures or the requirements of 45 CFR Part 164, Subpart E by filing a complaint with the Office of the Executive Director of the Department requesting an agency action meeting the requirements of the Utah Administrative Procedures Act or with the Office of Civil Rights, U.S. Department of Health and Human Services.
R495-881-8. Right to Request Privacy Protection.
(1) An individual may request restrictions on use and disclosure of protected health information as permitted in 45 CFR 164.522 by submitting a written request to the designated privacy officer for the covered entity.
(2) The decision whether to grant the request, documentation of any restrictions, alternate communication methods, and conditions on providing confidential communications shall be in accordance with 45 CFR 164.522.
R495-881-9. Individual Access to Protected Health Information.
(1) An individual may request access to protected health information as permitted in 45 CFR 164.524 by submitting a written request to the designated privacy officer for the covered entity.
(2) The right to access, decision whether to grant access, review of denials, timeliness of responses, form of access, time and manner of access, documentation and other required responses shall be in accordance with 45 CFR 164.524.
R495-881-10. Amendment of Protected Health Information.
(1) An individual may request an amendment to the protected health information about that individual that the individual believes is incorrect as permitted in 45 CFR 164.526 by submitting a written request to the designated privacy officer for the covered entity.
(2) The decision whether to grant the request, the time frames for action by the covered entity, amendment of the record, requirements for denial, and acting on notices of amendment from third parties shall be in accordance with 45 CFR 164.526.
R495-881-11. Accounting for Disclosures.
(1) An individual may request an accounting of disclosures of protected health information as permitted in 45 CFR 164.528 by submitting a written request to the designated privacy officer for the covered entity.
(2) The content of the accounting and the provision of the accounting, shall be in accordance with 45 CFR 164.528.
Date of Enactment or Last Substantive Amendment
July 23, 2008
Notice of Continuation
April 2, 2018
For questions regarding the content or application of rules under Title R495, please contact the promulgating agency (Human Services, Administration). A list of agencies with links to their homepages is available at http://www.utah.gov/government/agencylist.html or from http://www.rules.utah.gov/contact/agencycontacts.htm.