Section 26B-8-501.1 - Health data authority duties(1) The department shall: (a) in consultation with the committee and in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, develop and adopt by rule, following public hearing and comment, a health data plan that shall among its elements:(i) identify the key health care issues, questions, and problems amenable to resolution or improvement through better data, more extensive or careful analysis, or improved dissemination of health data:(ii) document existing health data activities in the state to collect, organize, or make available types of data pertinent to the needs identified in Subsection (1)(a)(i):(iii) describe and prioritize the actions suitable for the department to take in response to the needs identified in Subsection (l)(a)(i) in order to obtain or to facilitate the obtaining of needed data, and to encourage improvements in existing data collection, interpretation, and reporting activities, and indicate how those actions relate to the activities identified under Subsection (1)(a)(ii);(iv) detail the types of data needed for the department's work, the intended data suppliers, and the form in which such data are to be supplied, noting the consideration given to the potential alternative sources and forms of such data and to the estimated cost to the individual suppliers as well as to the department of acquiring the data in the proposed manner and reasonably demonstrate that the department has attempted to maximize cost-effectiveness in the data acquisition approaches selected:(v) describe the types and methods of validation to be performed to assure data validity and reliability;(vi) explain the intended uses of and expected benefits to be derived from the data specified in Subsection (1)(a)(iv), including the contemplated tabulation formats and analysis methods: the benefits described shall demonstrably relate to one or more of the following: (A) promoting quality health care;(B) managing health care costs; or(C) improving access to health care services;(vii) describe the expected processes for interpretation and analysis of the data flowing to the department, noting specifically the types of expertise and participation to be sought in those processes; and(viii) describe the types of reports to be made available by the department and the intended audiences and uses;(b) have the authority to collect, validate, analyze, and present health data in accordance with the plan while protecting individual privacy through the use of the best practices of data privacy;(c) evaluate existing identification coding methods and, if necessary, require by rule adopted in accordance with Subsection (2), that health data suppliers use a uniform system for identification of patients, health care facilities, and health care providers on health data they submit under this section and Chapter 8, Part 5, Utah Health Data Authority; and(d) advise, consult, contract, and cooperate with any corporation, association, or other entity for the collection, analysis, processing, or reporting of health data.(2) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the department, in consultation with the committee, may adopt rules to carry out the provisions of this section and Chapter 8, Part 5, Utah Health Data Authority.(3)(a) Except for data collection, analysis, and validation functions described in this section, nothing in this part shall be construed to authorize or permit the department to perform regulatory functions which are delegated by law to other agencies of the state or federal governments or to perform quality assurance or medical record audit functions that health care facilities, health care providers, or third party payors are required to conduct to comply with federal or state law.(b) The department may not recommend or determine whether a health care provider, health care facility, third party payor, or self-funded employer is in compliance with federal or state laws including federal or state licensure, insurance, reimbursement, tax, malpractice, or quality assurance statutes or common law.(4) Nothing in this part, shall be construed to require a data supplier to supply health data identifying a patient by name or describing detail on a patient beyond that needed to achieve the approved purposes included in the plan.(5) No request for health data shall be made of health care providers and other data suppliers until a plan for the use of such health data has been adopted.(6)(a) If a proposed request for health data imposes unreasonable costs on a data supplier, due consideration shall be given by the department to altering the request.(b) If the request is not altered, the department shall pay the costs incurred by the data supplier associated with satisfying the request that are demonstrated by the data supplier to be unreasonable.(7) After a plan is adopted as provided in Section 26B-8-504, the department may require any data supplier to submit fee schedules, maximum allowable costs, area prevailing costs, terms of contracts, discounts, fixed reimbursement arrangements, capitations, or other specific arrangements for reimbursement to a health care provider.(8)(a) The department may not publish any health data collected under Subsection (7) that would disclose specific terms of contracts, discounts, or fixed reimbursement arrangements, or other specific reimbursement arrangements between an individual provider and a specific payer.(b) Nothing in Subsection (7) shall prevent the department from requiring the submission of health data on the reimbursements actually made to health care providers from any source of payment, including consumers.(9) Any data collected by the department shall be done in accordance with state and federal data privacy laws.(10)(a) The department shall: (i) create an opt-out system where an individual may choose to have an individual's identifiable health data suppressed or restricted from being accessible for department duties described under this part:(ii) maintain a list of people who have opted out for use in accordance with Subsection (10)(b); and(iii) provide instructions for the opt-out system described in Subsection (10)(a)(i) in a conspicuous location on the department's website.(b) For an individual who opts out under Subsection (10)(a), the department may not share, analyze, or use any identifiable health data from the health data obtained under this part for the individual, including data previously obtained under this part.(11)(a) For identifiable health data, the department shall:(i) use the minimum necessary data to accomplish the duties described in this part; and(ii) only use personally identifiable information for: (B) referential integrity; or(C) complying with breach notification requirements.(b) If the department receives an individual's social security number with data obtained under this part, the department may not share any part of the social security number with any person.(12) The department shall annually report to the Health and Human Services Interim Committee regarding privacy practices and efforts the department is undertaking to enhance data privacy.(13)(a) Before October 1, 2024, the department shall review all state statutory mandates related to the collection of any form of health data and provide a written report to the Health and Human Services Interim Committee outlining the mandates that are older than 10 years old with: (i) a description regarding how the data is used; and(ii) a recommendation regarding whether the department should continue collecting the data.(b) The department may request assistance from the Office of Legislative Research and General Counsel to determine when statutory mandates were enacted. Added by Chapter TBD, 2024 General Session ,§ 4, eff. 5/1/2024.