Utah Administrative Code

The Utah Administrative Code is the body of all effective administrative rules as compiled and organized by the Division of Administrative Rules (see Subsection 63G-3-102(5); see also Sections 63G-3-701 and 702).

NOTE: For a list of rules that have been made effective since August 1, 2019, please see the codification segue page.


R495. Human Services, Administration.

Rule R495-881. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Implementation.

As in effect on August 1, 2019

R495-881-1. Authority and Purpose.

(1) This rule implements provisions required by 45 CFR Part 164, subpart E, dealing with the treatment of certain individually identifiable health information held by the Department of Human Services.

(2) This rule is authorized by Section 62A-1-111.

R495-881-2. Definitions.

As used in this rule:

(1) "Covered entity" means a program within the Department responsible for carrying out a covered function as that term is used in 45 CFR 164.501.

(2) "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1997 and its implementing regulations.

(3) "Individual" means a natural person. In the case of an individual without legal capacity or a deceased person, the personal representative of the individual.

R495-881-3. General Compliance.

(1) This rule applies only to those functions of the Department that are covered functions as that term is used in 45 CFR Part 164.

(2) Covered entities shall comply with the privacy requirements of 45 CFR Part 164, Subpart E in dealing with individually identifiable health information and the subjects of that information.

R495-881-4. Changes to Rule.

The Department reserves the right to alter this rule and its notices of privacy practices required by HIPAA.

R495-881-5. Sanctions, Retaliation.

(1) An employee of a covered entity may be disciplined for failure to comply with the HIPAA requirements found in 45 CFR Part 164, Subpart E. Discipline may include termination and civil or criminal prosecution.

(2) An employee of a covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any person for exercising any right established by HIPAA or for opposing in good faith any act or practice made unlawful by HIPAA.

R495-881-6. Waiver of Rights Prohibited.

A covered entity may not require individuals to waive their rights under 45 CFR 160.306 or 45 CFR Part 164, Subpart E as a condition of the provision of treatment, payment, health plan enrollment, or eligibility for benefits.

R495-881-7. Complaints.

(1) An individual may seek a review of a covered entity's policies and procedures or its compliance with such policies and procedures through informal contact with the covered entity.

(2) An individual may file a formal complaint concerning a covered entity's policies and procedures implementing 45 CFR Part 164, Subpart E or its compliance with such policies and procedures or the requirements of 45 CFR Part 164, Subpart E by filing a complaint with the Office of the Executive Director of the Department requesting an agency action meeting the requirements of the Utah Administrative Procedures Act or with the Office of Civil Rights, U.S. Department of Health and Human Services.

R495-881-8. Right to Request Privacy Protection.

(1) An individual may request restrictions on use and disclosure of protected health information as permitted in 45 CFR 164.522 by submitting a written request to the designated privacy officer for the covered entity.

(2) The decision whether to grant the request, documentation of any restrictions, alternate communication methods, and conditions on providing confidential communications shall be in accordance with 45 CFR 164.522.

R495-881-9. Individual Access to Protected Health Information.

(1) An individual may request access to protected health information as permitted in 45 CFR 164.524 by submitting a written request to the designated privacy officer for the covered entity.

(2) The right to access, decision whether to grant access, review of denials, timeliness of responses, form of access, time and manner of access, documentation and other required responses shall be in accordance with 45 CFR 164.524.

R495-881-10. Amendment of Protected Health Information.

(1) An individual may request an amendment to the protected health information about that individual that the individual believes is incorrect as permitted in 45 CFR 164.526 by submitting a written request to the designated privacy officer for the covered entity.

(2) The decision whether to grant the request, the time frames for action by the covered entity, amendment of the record, requirements for denial, and acting on notices of amendment from third parties shall be in accordance with 45 CFR 164.526.

R495-881-11. Accounting for Disclosures.

(1) An individual may request an accounting of disclosures of protected health information as permitted in 45 CFR 164.528 by submitting a written request to the designated privacy officer for the covered entity.

(2) The content of the accounting and the provision of the accounting, shall be in accordance with 45 CFR 164.528.

KEY: HIPAA, privacy

Date of Enactment or Last Substantive Amendment: July 23, 2008

Notice of Continuation: April 2, 2018

Authorizing, Implemented, or Interpreted Law: 62A-1-111


Additional Information

Contact

For questions regarding the content or application of rules under Title R495, please contact the promulgating agency (Human Services, Administration). A list of agencies with links to their homepages is available at http://www.utah.gov/government/agencylist.html or from http://www.rules.utah.gov/contact/agencycontacts.htm.