Section 26B-8-508 - Exceptions to prohibition on disclosure of identifiable health data(1) The department may not disclose any identifiable health data unless:(a) the individual has authorized the disclosure;(b) the disclosure is to the department or a public health authority in accordance with Subsection (2); or(c) the disclosure complies with the provisions of: (ii) insurance enrollment and coordination of benefits under Subsection 26B-8-504(1)(d); or(iii) risk adjusting under Subsection 26B-8-504(l)(b).(2) The department may disclose identifiable health data to the department or a public health authority under Subsection (1)(b) if: (a) the department or the public health authority has clear statutory authority to possess the identifiable health data; and(b) the disclosure is solely for use: (i) in the Utah Statewide Immunization Information System operated by the department;(ii) in the Utah Cancer Registry operated by the University of Utah, in collaboration with the department; or(iii) by the medical examiner, as defined in Section 26B-8-201, or the medical examiner's designee.(3) The department shall consider the following when responding to a request for disclosure of information that may include identifiable health data:(a) whether the request comes from a person after that person has received approval to do the specific research or statistical work from an institutional review board; and(b) whether the requesting entity complies with the provisions of Subsection (4).(4) A request for disclosure of information that may include identifiable health data shall: (a) be for a specified period; or(b) be solely for bona fide research or statistical purposes as determined in accordance with administrative rules adopted by the department in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, which shall require:(i) the requesting entity to demonstrate to the department that the data is required for the research or statistical purposes proposed by the requesting entity; and(ii) the requesting entity to enter into a written agreement satisfactory to the department to protect the data in accordance with this part or other applicable law.(5) A person accessing identifiable health data pursuant to Subsection (4) may not further disclose the identifiable health data: (a) without prior approval of the department; and(b) unless the identifiable health data is disclosed or identified by control number only.(6) Identifiable health data that has been designated by a data supplier as being subject to regulation under 42 C.F.R. Part 2, Confidentiality of Substance Use Disorder Patient Records, may only be used or disclosed in accordance with applicable federal regulations.Amended by Chapter TBD, 2024 General Session ,§ 11, eff. 5/1/2024.Renumbered from § 26-33a-109 and amended by Chapter 306, 2023 General Session ,§ 284, eff. 5/3/2023.Amended by Chapter 277, 2021 General Session ,§ 2, eff. 5/5/2021.Amended by Chapter 90, 2020 General Session ,§ 1, eff. 5/12/2020.Amended by Chapter 74, 2016 General Session ,§ 13, eff. 5/10/2016.Amended by Chapter 425, 2014 General Session ,§ 5, eff. 5/13/2014.Amended by Chapter 68, 2010 General SessionAffected by 63I-1-226 on 7/1/2024