Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · Utah · Title 26B — Utah Health and Human Services Code · Chapter 8

26B-8-501.1. Health data authority duties.

1,056 words·~5 min read·/ut/title-26b/chapter-8/26b-8-501-1·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Effective 5/6/2026
26B-8-501.1. Health data authority duties.
(1)The department shall:
(a)develop and maintain written plans for collecting, managing, and using data under this part, including:
(i)a strategic plan that:
(A)identifies the key health care issues, questions, and problems that can be addressed or improved with better data, more thorough analysis, or improved access to data;
(B)details current data collection, organization, and dissemination efforts within the state that are relevant to the identified needs; and
(C)describes and prioritizes the actions the department will take to obtain needed data, improve any existing processing activity as that term is defined in Section 63A-19-101 , and outline how these actions address issues, questions, or problems identified under Subsection (1)(a)(i)(A) ;
(ii)a data management plan that:
(A)specifies the types of data needed, the intended suppliers, and the required data formats, including consideration for alternative sources and forms of data, estimating costs for both suppliers and the department, and demonstrating a cost-effective approach; and
(B)describes the types and methods of validation to be performed to assess the validity and reliability of the data; and
(iii)a data analytics and dissemination plan that:
(A)describes the expected processes for interpreting and analyzing the data, including the types of expertise and participation needed;
(B)details the types of reports the department will make available, along with their intended audiences and uses;
(C)explains the intended uses of the data, including analytic approaches and expected benefits of the data related to purposes described in Subsection (1)(g) ; and
(D)describes actions or efforts used to prevent individual reidentification;
(b)publish the plans described in Subsection (1)(a) on the department's website;
(c)have the authority to collect, validate, analyze, and present health data in accordance with a plan described in Subsection (1)(a) while protecting individual privacy through:
(i)the use of the best practices of data privacy;
(ii)adopting safeguards found in 45 C.F.R. Sec. 164.312 and any relevant definitions in 45 C.F.R. Part 160 and 45 C.F.R. Part 164 Subparts A and C; and
(iii)encrypting identifiable health data when stored and when transmitted;
(d)evaluate existing identification coding methods and, if necessary, require by rule adopted in accordance with Subsection
(2), that health data suppliers use a uniform system for identification of patients, health care facilities, and health care providers on health data they submit under this part;
(e)advise, consult, contract, and cooperate with any organization for the collection, analysis, processing, or reporting of health data;
(f)establish fees to ensure that the users of data collected under this part assist in covering the cost for collecting the data; and
(g)collect health data and other data under this part that are relevant to:
(i)facilitate data-driven, evidence-based improvements in patient access, patient choice, health care quality, and health care cost; and
(ii)promote and improve:
(A)public health; and
(B)the operation, efficiency, value, and quality of care provided by the health care system.
(2)In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the department, in consultation with the committee, shall make rules to carry out the provisions of this part when the provisions require action from a person that is not the department.
(a)Except for data collection, analysis, and validation functions described in this section, nothing in this part shall be construed to authorize or permit the department to perform regulatory functions which are delegated by law to other agencies of the state or federal governments or to perform quality assurance or medical record audit functions that health care facilities, health care providers, or third party payors are required to conduct to comply with federal or state law.
(b)The department may not recommend or determine whether a health care provider, health care facility, third party payor, or self-funded employer is in compliance with federal or state laws including federal or state licensure, insurance, reimbursement, tax, malpractice, or quality assurance statutes or common law.
(4)Nothing in this part, shall be construed to require a data supplier to supply identifiable health data beyond that needed to achieve the approved purposes included in a plan described in Subsection (1)(a) .
(5)No request for health data shall be made of health care providers and other data suppliers until a plan for the use of such health data has been adopted.
(a)If a proposed request for health data imposes unreasonable costs on a data supplier, due consideration shall be given by the department to altering the request.
(b)If the request is not altered, the department shall pay the costs incurred by the data supplier associated with satisfying the request that are demonstrated by the data supplier to be unreasonable.
(7)Any data collected by the department shall be done in accordance with state and federal data privacy laws.
(a)The department shall:
(i)create an opt-out system where an individual may choose to have the individual's identifiable health data suppressed or restricted from being accessible for department duties described under this part;
(ii)maintain a list of individuals who have opted out for use in accordance with Subsection (8)(b) ; and
(iii)provide instructions for the opt-out system described in Subsection (8)(a)(i) in a conspicuous location on the department's website.
(b)For an individual who opts out under Subsection (8)(a) , the department may not share, analyze, or use any identifiable health data from the health data obtained under this part for the individual, including data previously obtained under this part.
(a)For identifiable health data, the department shall:
(i)use the minimum necessary data to accomplish the duties described in this part; and
(ii)only use direct identifiers for:
(A)quality assurance;
(B)referential integrity;
(C)complying with breach notification requirements;
(D)calculating the distance between addresses or linking external geographically-based data, provided that the addresses and any geocodes are removed immediately after the process is complete; or
(E)identity resolution.
(b)If the department receives an individual's social security number with data obtained under this part, the department may not share any part of the social security number with any person.
(10)The department shall include information regarding privacy and security requirements of this part in the report described in Section 63A-19-401.3 .
Amended by Chapter 74 , 2026 General Session
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.