26B-8-508. Exceptions to prohibition on disclosure of identifiable health data.
606 words·~3 min read·
/ut/title-26b/chapter-8/26b-8-508A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Effective 5/6/2026
26B-8-508. Exceptions to prohibition on disclosure of identifiable health data.
(1)The department may not disclose any identifiable health data unless:
(a)the individual whose data is being disclosed has authorized the disclosure;
(b)the disclosure is made in accordance with Subsection
(2);
(c)the disclosure complies with the provisions of Subsection
(3);
(d)the disclosure is:
(i)related to insurance enrollment and coordination of benefits; and
(ii)made in accordance with Subsection 26B-8-504(1)(d) ; or
(e)the disclosure is:
(i)related to risk adjusting; and
(ii)made in accordance with Subsection 26B-8-504(1)(b) .
(a)The department may disclose identifiable health data if the disclosure is solely for use:
(i)in the Utah Statewide Immunization Information System operated by the department;
(ii)in the Utah Cancer Registry operated by the University of Utah, in collaboration with the department; or
(iii)by the medical examiner, as defined in Section 26B-8-201 , or the medical examiner's designee.
(b)For a purpose not described in Subsection (2)(a) , the department may disclose identifiable health data within the department or to a local health department, a local mental health authority, or a local substance abuse authority if the disclosure does not contain direct identifiers.
(c)A person that obtains data under this Subsection
(2)and is informed by the department that an individual has opted to suppress or restrict the individual's identifiable health data under Subsection 26B-8-501.1(8) shall delete data about the individual provided by the department that is in the possession of the person.
(3)The department shall consider the following when responding to a request for disclosure of information that may include identifiable health data:
(a)whether the request comes from a person after that person has received approval to do the specific research or statistical work from an institutional review board; and
(b)whether the requesting entity complies with the provisions of Subsection
(4).
(a)A request for disclosure of information that may include identifiable health data shall:
(i)be for a specified period; or
(ii)be solely for bona fide research or statistical purposes.
(b)A requesting entity shall:
(i)demonstrate to the department that the data is required for the research or statistical purposes proposed by the requesting entity; and
(ii)enter into a written agreement satisfactory to the department to protect the data in accordance with this part or other applicable law.
(c)The department shall make rules in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, to implement this Subsection
(4).
(5)A person accessing identifiable health data in accordance with Subsection
(4):
(a)may not further disclose the identifiable health data:
(i)without prior approval of the department; and
(ii)unless the identifiable health data is disclosed or identified by control number only; and
(b)shall delete any identifiable health data at the earlier of the following:
(i)the day the specified period described in Subsection (4)(a)(i) ends; or
(ii)the day when the person's need for the identifiable health data ceases.
(6)Identifiable health data that has been designated by a data supplier as being subject to regulation under 42 C.F.R. Part 2, Confidentiality of Substance Use Disorder Patient Records, may only be used or disclosed in accordance with applicable federal regulations.
(7)Any person that obtains identifiable health data under this section shall:
(a)adopt safeguards found in 45 C.F.R. Sec. 164.312 and any relevant definitions in 45 C.F.R. Part 160 and 45 C.F.R. Part 164 Subparts A and C; and
(b)encrypt identifiable health data when stored and when transmitted.
Amended by Chapter 74 , 2026 General Session