Utah Admin. Code R428-2-7 - Data Disclosure
(1) The department may disclose data received from data suppliers or data or information derived from this data as specified in Title 26B, Chapter 8, Part 5, Utah Health Data Authority.
(2) The department may prepare reports relating to health care cost, quality, access, health promotion programs, or public health. These actions may be to meet legislative intent or upon request from individuals, government agencies, or private organizations. The department may create reports in a variety of formats including print or electronic documents, searchable databases, websites, or other user-oriented methods for displaying information.
(3) Unless otherwise specified by the department, the time period for data suppliers and health care providers to prepare a response as required in Subsections 26B-8-506(1) and 26B-8-506(3) shall be 15 business days. If a data supplier fails to respond in the specified time frame, the department may conclude that the information is correct and suitable for release.
(4) The department may note in a report that an accurate appraisal of a certain category or entity cannot be presented because of a failure to comply with the department's request for data, edit corrections, or data validation.
(5) The department may release to the data supplier or its designee any data elements provided by the supplier without notification when a data supplier requests the data be so supplied.
(6) The department may disclose data in computer readable formats.
(7) The department may approve the disclosure of de-identified data upon receipt of a written request that includes the following:
(a) name, address, email, and telephone number of the requesting organization;
(b) a statement of the purpose for which the data will be used; and
(c) agreement to other terms and conditions as deemed necessary by the department.
(8) As allowed by Section 26B-8-508, the department may release identifiable data for research or statistical purposes. A person requesting the identifiable data must provide:
(a) name of the requesting organization, address, email, and telephone number of the organization and for each person who will have access to the identifiable data;
(b) statement of the purpose for which the identifiable data will be used;
(c) starting and ending dates for which the identifiable data is requested;
(d) explanation of why de-identified could not be used to accomplish the stated research purposes, including a separate justification for each identifiable data element requested;
(e) evidence of the integrity and ability to safeguard the data from any breach of confidentiality;
(f) evidence of competency to effectively use the data in the manner proposed;
(g) satisfactory review from a department-approved institutional review board;
(h) guarantee that no further disclosure will occur without prior approval of the department; and
(i) a signed agreement to comply with other terms and conditions as stipulated by the department.
(9) A person receiving data from the department may not contact or try to contact any patient or member included in the data.
(10) A person receiving data from the department may not contact or try to contact any entity or provider included in the data without formal approval by the department.
(11) Data disclosed by carriers and received by the department pursuant to Title R428 is exempt from HIPAA. This rule only refers to the data de-identification standards within HIPAA.