R156-37f. Controlled Substance Database Act Rule  


R156-37f-101. Title
Latest version.

This rule shall be known as the "Controlled Substance Database Act Rule".


R156-37f-102. Definitions
Latest version.

  In addition to the definitions in Sections 58-17b-102, 58-37-2 and 58-37f-102, as used in this chapter:

  (1) "ASAP" means the American Society for Automation in Pharmacy system.

  (2) "DEA" means Drug Enforcement Administration.

  (3) "EDS" means "electronic data system" as defined in Subsection 58-37f-303(1)(c).

  (4) "EHR" means electronic health record.

  (5) "HIE" means health information exchange.

  (6) "NABP" means the National Association of Boards of Pharmacy.

  (7) "NCPDP" means National Council for Prescription Drug Programs.

  (8) "NDC" means National Drug Code.

  (9) "Null report" means the same as zero report.

  (10) "ORI" means Originating Agency Identifier Number.

  (11) "Point of sale date", "POS date", or "Date Sold" means the date the prescription drug left the pharmacy (not the date the prescription drug was filled, if the dates differ). ASAP Version 4.2 uses the "DSP17" field to identify the point of sale date.

  (12) "Positive identification" means:

  (a) one of the following photo identifications issued by a foreign or domestic government:

  (i) driver's license;

  (ii) non-driver identification card;

  (iii) passport;

  (iv) military identification; or

  (v) concealed weapons permit; or

  (b) if the individual does not have government-issued identification, alternative evidence of the individual's identity as deemed appropriate by the pharmacist, as long as the pharmacist documents in a prescription record a description of how the individual was positively identified.

  (13) "Research facility" means a facility in which research takes place that has policies and procedures describing such research.

  (14) "Rx" means a prescription.

  (15) "Zero report" means a report containing the data fields required by Subsection R156-37f-203(5), indicating that no controlled substance required to be reported has been dispensed since the previous submission of data.


R156-37f-103. Authority - Purpose
Latest version.

This rule is adopted by the Division under the authority of Subsection 58-1-106(1)(a) to enable the Division to administer Title 58, Chapter 37f.


R156-37f-104. Organization - Relationship to Rule R156-1
Latest version.

The organization of this rule and its relationship to Rule R156-1 is as described in Section R156-1-107.


R156-37f-203. Submission, Collection, and Maintenance of Data
Latest version.

  (1) In accordance with Subsection 58-37f-203(1), each pharmacy or pharmacy group shall submit the data required in this section on a daily basis, either in real time or daily batch file reporting. The submitted data shall be from the point of sale date.

  (a) If the data is submitted by a single pharmacy entity, the data shall be submitted in chronological order according to the date each prescription was sold.

  (b) If the data is submitted by a pharmacy group, the data shall be sorted by individual pharmacy within the group, and the data of each individual pharmacy within the group shall be submitted in chronological order according to the date each prescription was sold.

  (2) In accordance with Subsections 58-37f-203(2), (3), and (6), the data required by this section shall be submitted to the Database through one of the following methods:

  (a) electronic data sent via a secured internet transfer method, including sFTP site transfer;

  (b) secure web base service; or

  (c) any other electronic method approved by the Database administrator prior to submission.

  (3) In accordance with Subsections 58-37f-203(2), (3), and (6), the format used for submission to the Database shall be Version 4.2 of the American Society for Automation in Pharmacy (ASAP) Format for Controlled Substances. The Division may approve alternative formats substantially similar to this standard.

  (4) In accordance with Subsection 58-37f-203(6), the pharmacist-in-charge and the pharmacist identified in Subsections 58-37f-203(2) and (3) shall provide the following data fields to the Division:

  (a) version of ASAP used to send transaction (ASAP 4.2 code = TH01);

  (b) transaction control number (TH02);

  (c) date transaction created (TH05);

  (d) time transaction created (TH06);

  (e) file type (production or test) (TH07);

  (f) segment terminator character (TH09);

  (g) information source identification number (IS01);

  (h) information source entity name (IS02);

  (i) reporting pharmacy's:

  (i) National Provider Identifier (PHA01); and

  (ii) identifier assigned by NCPDP/NABP (PHA02), or if none, then DEA registration number (PHA03);

  (j) patient last name (PAT07);

  (k) patient first name (PAT08);

  (l) patient address (PAT12);

  (m) patient city of residence (PAT14);

  (n) patient zip code (PAT 16);

  (o) patient date of birth (PAT18);

  (p) dispensing status - new, revised, or void (DSP01);

  (q) prescription number (DSP02);

  (r) date prescription written by prescriber (DSP03);

  (s) number of refills authorized by prescriber (DSP04);

  (t) date prescription filled at dispensing pharmacy (DSP05);

  (u) if current dispensed prescription is a refill, the number of the refill being dispensed (DSP06);

  (v) product identification qualifier (DSP07);

  (w) NDC 11-digit drug identification number (DSP08);

  (x) quantity of drug dispensed in metric units (DSP09);

  (y) days supply dispensed (DSP10)

  (z) date drug left the pharmacy, i.e. date sold (DSP17);

  (aa) DEA registration number of prescribing practitioner (PRE02);

  (bb) state that issued identification of individual picking up dispensed drug (AIR03);

  (cc) type of identification used by individual picking up dispensed drug (AIR04);

  (dd) identification number of individual picking up dispensed drug (AIR05);

  (ee) last name of individual picking up dispensed drug (AIR07);

  (ff) first name of individual picking up dispensed drug (AIR08);

  (gg) dispensing pharmacist last name or initial (AIR09);

  (hh) dispensing pharmacist first name (AIR10);

  (ii) number of detail segments included for the pharmacy (TP01);

  (jj) transaction control number (TT01); and

  (kk) total number of segments included in the transaction (TT02).

  (5) In accordance with Subsection 58-37f-203(6), if no controlled substance required to be reported has been dispensed since the previous submission of data, then the pharmacist-in-charge and the pharmacist shall submit a zero report to the Division, which shall include the following data fields:

  (a) version of ASAP used to send transaction (TH01);

  (b) transaction control number (TH02);

  (c) date transaction created (TH05);

  (d) time transaction created (TH06);

  (e) file type (production or test) (TH07);

  (f) segment terminator (TH09);

  (g) information source identification number (IS01);

  (h) information source entity name (IS02);

  (i) date range (IS03);

  (j) reporting pharmacy's:

  (i) National Provider Identifier (PHA01); and

  (ii) identifier assigned by NCPDB/NABP (PHA02), or if none, then DEA registration number (PHA03);

  (k) patient last name = "Report" (PAT07);

  (l) patient first name = "Zero" (PAT08);

  (m) date prescription dispensed at dispensing pharmacy (DSP05);

  (n) number of detail segments included for the pharmacy (TP01);

  (o) transaction control number (TT01); and

  (p) total number of segments included in the transaction (TT02).

  (6) In accordance with Subsection 58-37f-203(2), a Class A, B, D, or E pharmacy or pharmacy group that has a controlled substance license but is not dispensing controlled substances and does not anticipate doing so in the immediate future may request a waiver or submit a certification of such, in a form preapproved by the Division, in lieu of daily zero reports:

  (a) The waiver or certification must be renewed at the end of each calendar year.

  (b) If a pharmacy or pharmacy group that has submitted a waiver or certification under this Subsection dispenses a controlled substance:

  (i) the waiver or certification shall immediately and automatically terminate;

  (ii) the Database reporting requirements of Subsections 58-37f-203(1) and R156-37f-203(1) shall apply to the pharmacy or pharmacy group immediately upon the dispensing of the controlled substance; and

  (iii) the pharmacy or pharmacy group shall notify the Division in writing of the waiver or certification termination within 24 hours or the next business day of the dispensing of the controlled substance, whichever is later.


R156-37f-301. Access to Database Information
Latest version.

  In accordance with Subsections 58-37f-301(1)(a) and (b):

  (1) The Division Director may designate those individuals employed by the Division who may have access to the information in the Database (Database staff).

  (2)(a) An applicant to become a registered user of the Database shall apply for an online account and user name only under the specific subparagraph in Subsection 58-37f-301(2) under which he or she qualifies.

  (b) A registered user shall not permit another person to have knowledge of or use the registered user's assigned password or PIN.

  (3)(a) A request for information from the Database may be made:

  (i) directly to the Database by electronic submission, if the requester is registered to use the Database; or

  (ii) by written submission to the Database staff in accordance with the requirements of this section, if the requester is not registered to use the Database.

  (b) A written request may be submitted by facsimile, email, regular mail, or in person except as otherwise provided herein.

  (c) The Division shall require a requester to verify the requester's identity.

  (4) The following Database information may be disseminated to a verified requester who is permitted to obtain the information:

  (a) dispensing/reporting pharmacy ID number/name;

  (b) subject's birth date;

  (c) date prescription was sold;

  (d) prescription (Rx) number;

  (e) metric quantity;

  (f) days supply;

  (g) NDC code/drug name;

  (h) prescriber ID/name;

  (i) subject's last name;

  (j) subject's first name; and

  (k) subject's street address;

  (5)(a) Federal, state and local law enforcement authorities and state and local prosecutors requesting information from the Database under Subsection 58-37f-301(2)(m) shall provide a valid search warrant authorized by the courts, which may be provided using one of the following methods:

  (i) in person;

  (ii) email to csd@utah.gov;

  (iii) facsimile; or

  (iv) U.S. Mail.

  (b) A search warrant may include the following information to assist in the search:

  (i) for an individual for whom a controlled substance has been prescribed or dispensed, the subject's name and birth date;

  (ii) for a prescriber who is the subject of the investigation, the prescriber's full name; and

  (iii) the date range to be searched.

  (c) Database information provided as a result of the search warrant shall be in accordance with Subsection (4) unless otherwise specified in the search warrant.

  (6) In accordance with Subsection 58-37f-301(2)(n), a probation or parole officer employed by the Department of Corrections or a political subdivision may have access to the database without a search warrant, for supervision of a specific probationer or parolee under the officer's direct supervision, if the following conditions have been met:

  (a) a security agreement signed by the officer is submitted to the Division for access, which contains:

  (i) the agency's:

  (A) name;

  (B) complete address, including city and zip code; and

  (C) ORI number;

  (ii) a copy of the officer's driver's license;

  (iii) the officer's:

  (A) full name;

  (B) contact phone number; and

  (C) agency email address; and

  (b) the online database account includes the officer's:

  (i) full name;

  (ii) agency email address;

  (iii) complete home address, including city and zip code;

  (iv) work title;

  (v) contact phone number;

  (vi) complete work address including city and zip code;

  (vii) work phone number; and

  (viii) driver's license number.

  (7) In accordance with Subsections 58-37f-301(2)(q) and (r):

  (a) An individual may:

  (i) obtain the individual's own information and records contained within the Database; and

  (ii) unless the individual's record is subject to a pending or current investigation authorized under Subsection 58-37f-301(2)(r), receive an accounting of persons or entities that have requested or received Database information about the individual, to include:

  (A) the role of the person that accessed the information;

  (B) the date range of the information that was accessed, if available;

  (C) the name of the person or entity that requested the information; and

  (D) the name of the practitioner on behalf of whom the request was made, if applicable.

  (b) The individual may request the information by submitting an original signed and notarized request as furnished by the Division that includes:

  (i) the individual's:

  (A) full name, including all aliases;

  (B) complete home address;

  (C) telephone number; and

  (D) date of birth;

  (ii) a clearly legible, color copy of government-issued picture identification confirming the individual's identity; and

  (iii) requested date range for the information.

  (c) A third party may request information from the Database on behalf of an individual as provided in Subsection (7)(a), by submitting:

  (i) an original signed and notarized request as furnished by the Division;

  (ii) a clearly legible, color copy of government-issued picture identification confirming the requester's identity; and

  (iii) an original, or certified copy, of properly executed legal documentation acceptable to the Database staff that the requester:

  (A) is the individual's current agent under a power of attorney that:

  (I) authorizes the agent to make health are decisions for the individual;

  (II) allows the agent to have access to the patient's protected health information (PHI) under HIPAA; or

  (III) otherwise grants the agent specific authority to obtain Database information on behalf of the individual;

  (B) is the parent or court-appointed legal guardian of a minor individual;

  (C) is the court-appointed legal guardian of an incapacitated adult individual; or

  (D) has an original, signed, and notarized form for release of records from the individual in a format acceptable to the Database staff, that identifies the purpose of the release with respect to the Database.

  (8) An employee of a licensed practitioner who is authorized to prescribe controlled substances may obtain Database information to the extent permissible under Subsection 58-37f-301(2)(i), if prior to making the request:

  (a) the licensed practitioner has provided to the Division a written designation that includes:

  (i) the practitioner's:

  (A) DEA number; and

  (B) email address account registered with the Database; and

  (ii) the designated employee's:

  (A) full name;

  (B) complete home address;

  (C) e-mail address;

  (D) date of birth;

  (E) driver license number or state identification card number; and

  (F) professional license number, if any; and

  (iii) manual signatures from both the practitioner and designated employee.

  (b) the designated employee has registered for an account for access to the Database and provided a unique user identification;

  (c) the designated employee has passed a Database background check of available criminal court and Database records; and

  (d) the Database has issued the designated employee a user personal identification number (PIN) and activated the employee's Database account.

  (9) An employee of a business that employs a licensed practitioner who is authorized to prescribe controlled substances may obtain Database information to the extent permissible under Subsection 58-37f-301(2)(i), if prior to making the request:

  (a) the licensed practitioner and employing business have provided to the Division a written designation that includes:

  (i) the practitioner's:

  (A) DEA number; and

  (B) email address account registered with the Database;

  (ii) the name of the employing business; and

  (iii) the designated employee's:

  (A) full name;

  (B) complete home address;

  (C) e-mail address;

  (D) date of birth;

  (E) driver license number or state identification card number; and

  (F) professional license number, if any;

  (b) the designated employee has registered for an account for access to the Database and provided a unique user identification and password;

  (c) the designated employee has passed a Database background check of available criminal court and Database records; and

  (d) the Database has issued the designated employee a user personal identification number (PIN) and activated the employee's Database account.

  (10) An individual who is employed in the emergency department of a hospital that employs a licensed practitioner who is authorized to prescribe controlled substances may obtain Database information to the extent permissible under Subsection 58-37f-301(4)(a) if, prior to making the request:

  (a) the practitioner and the hospital operating the emergency department have provided to the Division a written designation that includes:

  (i) the practitioner's:

  (A) DEA number; and

  (B) email address account registered with the Database;

  (ii) the name of the hospital; and

  (iii) the designated employee's:

  (A) full name;

  (B) complete home address;

  (C) e-mail address;

  (D) date of birth;

  (E) driver license number or state identification card number; and

  (F) professional license number, if any;

  (b) the designated employee has registered for an account for access to the Database and provided a unique user identification and password;

  (c) the designated employee has passed a Database background check of available criminal court and Database records; and

  (d) the Database has issued the designated employee a user personal identification number (PIN) and activated the employee's Database account.

  (11) In accordance with Subsection 58-37f-301(5), an individual's requests to the Division regarding third-party notice when a controlled substance prescription is dispensed to that individual, shall be made as follows:

  (a) To request that the Division begin providing notice to a third party, or to request that the Division discontinue providing notice to a third party, the individual shall submit an original signed and notarized request form as furnished by the Division, that includes:

  (i) the individual's:

  (A) full name, including all aliases;

  (B) birth date;

  (C) complete home address including city and zip code;

  (D) email address; and

  (E) contact phone number;

  (ii) a clearly legible, color copy of government-issued picture identification confirming the individual's identity; and

  (iii) the designated third party's:

  (A) full name;

  (B) complete home address, including city and zip code;

  (C) email address; and

  (D) contact phone number.

  (b) After receiving a request to discontinue third-party notice, the Division shall:

  (i) provide notice to the requesting individual that the discontinuation notice was received; and

  (ii) provide notice to the designated third party that the notification has been rescinded.

  (c) An individual may have up to three active designated third parties.

  (12) A licensed pharmacy technician or pharmacy intern employed by a pharmacy may obtain Database information to the extent permissible under Subsection 58-37f-301(2)(l) if, prior to making the request:

  (a) the pharmacist-in-charge (PIC) has provided to the Division a written designation authorizing access to the pharmacy technician or pharmacy intern on behalf of a licensed pharmacist employed by the pharmacy;

  (b) the written designation includes the pharmacy technician's or pharmacy intern's:

  (i) full name;

  (ii) professional license number assigned by the Division;

  (iii) email address;

  (iv) contact phone number;

  (v) pharmacy name and location;

  (vi) pharmacy DEA number;

  (vii) pharmacy phone number;

  (c) the written designation includes the pharmacist-in-charge's (PIC's):

  (i) full name;

  (ii) professional license number assigned by the Division;

  (iii) email address;

  (iv) contact phone number;

  (d) the written designation includes the assigned pharmacist's:

  (i) full name;

  (ii) professional license number assigned by the Division;

  (iii) email address;

  (iv) contact phone number; and

  (e) the written designation includes the following signatures:

  (i) pharmacy technician or pharmacy intern;

  (ii) pharmacist-in-charge (PIC); and

  (iii) assigned pharmacist if different than the PIC.

  (13) The Utah Department of Health may access Database information for purposes of scientific study regarding public health. To access information, the scientific investigator shall:

  (a) demonstrate to the satisfaction of the Division that the research is part of an approved project of the Utah Department of Health;

  (b) provide a description of the research to be conducted, including:

  (i) a research protocol for the project; and

  (ii) a description of the data needed from the Database to conduct that research;

  (c) provide assurances and a plan that demonstrates all Database information will be maintained securely, with access being strictly restricted to the requesting scientific investigator;

  (d) provide for electronic data to be stored on a secure database computer system with access being strictly restricted to the requesting scientific investigator; and

  (e) pay all relevant expenses for data transfer and manipulation.

  (14) Database information that may be disseminated under Section 58-37f-301 may be disseminated by the Database staff either:

  (a) verbally;

  (b) by facsimile;

  (c) by email;

  (d) by U.S. mail; or

  (e) by electronic access, where adequate technology is in place to ensure that a record will not be compromised, intercepted, or misdirected.


R156-37f-302. Other Restrictions on Access to Database
Latest version.

  Subsection 58-37f-302(2), which prohibits any individual or organization with lawful access to the data from being compelled to testify with regard to the data, includes deposition testimony.


R156-37f-303. Access to Opioid Prescription Information Via an Electronic Data System
Latest version.

  In accordance with Subsection 58-37f-301(1) and Section 58-37f-303:

  (1) Pursuant to Subsection 58-37f-303(4)(a)(i), to access opioid prescription information in the database, an electronic data system must:

  (a) interface with the database through the Division-approved Prescription Monitoring Program (PMP) Hub system; and

  (b) comply with all restrictions on database access and use of database information, as established by the Utah Controlled Substances Database Act and the Controlled Substance Database Act Rule.

  (2) Pursuant to Subsection 58-37f-303(4)(a)(ii), to access opioid prescription information in the database via an electronic data system (EDS), an EDS user must:

  (a) register to use the database by creating an approved account established by the Division pursuant to a memorandum of understanding with the Division;

  (b) use the unique user name and password associated with the account created for the EDS user to access database information through the original internet access system;

  (c) comply with all restrictions on database access established by the Utah Controlled Substance Database Act and the Controlled Substance Database Act Rule; and

  (d) use opioid prescription information in the database only for the purposes and uses designated in Section 58-37f-201, and as more particularly described in the Utah Controlled Substances Database Act and the Controlled Substances Database Act Rule.

  (3) The Division may immediately suspend, without notice or opportunity to be heard, an electronic data system's or an EDS user's access to the database, if the Division determines by audit or other means that such access may lead to a violation of Section 58-37f-601 or may otherwise compromise the integrity, privacy, or security of the database's opioid prescription information. This remedy shall be in addition to the criminal and civil penalties imposed by Section 58-37f-601 for unlawful release or use of database information, and the Division's obligation under Subsections 58-37f-303(5) and (6) to immediately suspend or revoke database access and pursue appropriate corrective or disciplinary action against a non-compliant electronic data system or EDS user.