R156-37f-301. Access to Database Information  


      In accordance with Subsections 58-37f-301(1)(a) and (b):

      (1) The Division Director may designate those individuals employed by the Division who may have access to the information in the Database (Database staff).

      (2)(a) An applicant to become a registered user of the Database shall apply for an online account and user name only under the specific subparagraph in Subsection 58-37f-301(2) under which he or she qualifies.

      (b) A registered user shall not permit another person to have knowledge of or use the registered user's assigned password or PIN.

      (3)(a) A request for information from the Database may be made:

      (i) directly to the Database by electronic submission, if the requester is registered to use the Database; or

      (ii) by written submission to the Database staff in accordance with the requirements of this section, if the requester is not registered to use the Database.

      (b) A written request may be submitted by facsimile, email, regular mail, or in person except as otherwise provided herein.

      (c) The Division shall require a requester to verify the requester's identity.

      (4) The following Database information may be disseminated to a verified requester who is permitted to obtain the information:

      (a) dispensing/reporting pharmacy ID number/name;

      (b) subject's birth date;

      (c) date prescription was sold;

      (d) prescription (Rx) number;

      (e) metric quantity;

      (f) days supply;

      (g) NDC code/drug name;

      (h) prescriber ID/name;

      (i) subject's last name;

      (j) subject's first name; and

      (k) subject's street address;

      (5)(a) Federal, state and local law enforcement authorities and state and local prosecutors requesting information from the Database under Subsection 58-37f-301(2)(m) shall provide a valid search warrant authorized by the courts, which may be provided using one of the following methods:

      (i) in person;

      (ii) email to csd@utah.gov;

      (iii) facsimile; or

      (iv) U.S. Mail.

      (b) A search warrant may include the following information to assist in the search:

      (i) for an individual for whom a controlled substance has been prescribed or dispensed, the subject's name and birth date;

      (ii) for a prescriber who is the subject of the investigation, the prescriber's full name; and

      (iii) the date range to be searched.

      (c) Database information provided as a result of the search warrant shall be in accordance with Subsection (4) unless otherwise specified in the search warrant.

      (6) In accordance with Subsection 58-37f-301(2)(n), a probation or parole officer employed by the Department of Corrections or a political subdivision may have access to the database without a search warrant, for supervision of a specific probationer or parolee under the officer's direct supervision, if the following conditions have been met:

      (a) a security agreement signed by the officer is submitted to the Division for access, which contains:

      (i) the agency's:

      (A) name;

      (B) complete address, including city and zip code; and

      (C) ORI number;

      (ii) a copy of the officer's driver's license;

      (iii) the officer's:

      (A) full name;

      (B) contact phone number; and

      (C) agency email address; and

      (b) the online database account includes the officer's:

      (i) full name;

      (ii) agency email address;

      (iii) complete home address, including city and zip code;

      (iv) work title;

      (v) contact phone number;

      (vi) complete work address including city and zip code;

      (vii) work phone number; and

      (viii) driver's license number.

      (7) In accordance with Subsections 58-37f-301(2)(q) and (r):

      (a) An individual may:

      (i) obtain the individual's own information and records contained within the Database; and

      (ii) unless the individual's record is subject to a pending or current investigation authorized under Subsection 58-37f-301(2)(r), receive an accounting of persons or entities that have requested or received Database information about the individual, to include:

      (A) the role of the person that accessed the information;

      (B) the date range of the information that was accessed, if available;

      (C) the name of the person or entity that requested the information; and

      (D) the name of the practitioner on behalf of whom the request was made, if applicable.

      (b) The individual may request the information by submitting an original signed and notarized request as furnished by the Division that includes:

      (i) the individual's:

      (A) full name, including all aliases;

      (B) complete home address;

      (C) telephone number; and

      (D) date of birth;

      (ii) a clearly legible, color copy of government-issued picture identification confirming the individual's identity; and

      (iii) requested date range for the information.

      (c) A third party may request information from the Database on behalf of an individual as provided in Subsection (7)(a), by submitting:

      (i) an original signed and notarized request as furnished by the Division;

      (ii) a clearly legible, color copy of government-issued picture identification confirming the requester's identity; and

      (iii) an original, or certified copy, of properly executed legal documentation acceptable to the Database staff that the requester:

      (A) is the individual's current agent under a power of attorney that:

      (I) authorizes the agent to make health care decisions for the individual;

      (II) allows the agent to have access to the patient's protected health information (PHI) under HIPAA; or

      (III) otherwise grants the agent specific authority to obtain Database information on behalf of the individual;

      (B) is the parent or court-appointed legal guardian of a minor individual;

      (C) is the court-appointed legal guardian of an incapacitated adult individual; or

      (D) has an original, signed, and notarized form for release of records from the individual in a format acceptable to the Database staff, that identifies the purpose of the release with respect to the Database.

      (8) An employee of a licensed practitioner who is authorized to prescribe controlled substances may obtain Database information to the extent permissible under Subsection 58-37f-301(2)(i), if prior to making the request:

      (a) the licensed practitioner has provided to the Division a written designation that includes:

      (i) the practitioner's:

      (A) DEA number; and

      (B) email address account registered with the Database; and

      (ii) the designated employee's:

      (A) full name;

      (B) complete home address;

      (C) e-mail address;

      (D) date of birth;

      (E) driver license number or state identification card number; and

      (F) professional license number, if any; and

      (iii) manual signatures from both the practitioner and designated employee.

      (b) the designated employee has registered for an account for access to the Database and provided a unique user identification;

      (c) the designated employee has passed a Database background check of available criminal court and Database records; and

      (d) the Database has issued the designated employee a user personal identification number (PIN) and activated the employee's Database account.

      (9) An employee of a business that employs a licensed practitioner who is authorized to prescribe controlled substances may obtain Database information to the extent permissible under Subsection 58-37f-301(2)(i), if prior to making the request:

      (a) the licensed practitioner and employing business have provided to the Division a written designation that includes:

      (i) the practitioner's:

      (A) DEA number; and

      (B) email address account registered with the Database;

      (ii) the name of the employing business; and

      (iii) the designated employee's:

      (A) full name;

      (B) complete home address;

      (C) e-mail address;

      (D) date of birth;

      (E) driver license number or state identification card number; and

      (F) professional license number, if any;

      (b) the designated employee has registered for an account for access to the Database and provided a unique user identification and password;

      (c) the designated employee has passed a Database background check of available criminal court and Database records; and

      (d) the Database has issued the designated employee a user personal identification number (PIN) and activated the employee's Database account.

      (10) An individual who is employed in the emergency department of a hospital that employs a licensed practitioner who is authorized to prescribe controlled substances may obtain Database information to the extent permissible under Subsection 58-37f-301(4)(a) if, prior to making the request:

      (a) the practitioner and the hospital operating the emergency department have provided to the Division a written designation that includes:

      (i) the practitioner's:

      (A) DEA number; and

      (B) email address account registered with the Database;

      (ii) the name of the hospital; and

      (iii) the designated employee's:

      (A) full name;

      (B) complete home address;

      (C) e-mail address;

      (D) date of birth;

      (E) driver license number or state identification card number; and

      (F) professional license number, if any;

      (b) the designated employee has registered for an account for access to the Database and provided a unique user identification and password;

      (c) the designated employee has passed a Database background check of available criminal court and Database records; and

      (d) the Database has issued the designated employee a user personal identification number (PIN) and activated the employee's Database account.

      (11) In accordance with Subsection 58-37f-301(5), an individual's requests to the Division regarding third-party notice when a controlled substance prescription is dispensed to that individual, shall be made as follows:

      (a) To request that the Division begin providing notice to a third party, or to request that the Division discontinue providing notice to a third party, the individual shall submit an original signed and notarized request form as furnished by the Division, that includes:

      (i) the individual's:

      (A) full name, including all aliases;

      (B) birth date;

      (C) complete home address including city and zip code;

      (D) email address; and

      (E) contact phone number;

      (ii) a clearly legible, color copy of government-issued picture identification confirming the individual's identity; and

      (iii) the designated third party's:

      (A) full name;

      (B) complete home address, including city and zip code;

      (C) email address; and

      (D) contact phone number.

      (b) After receiving a request to discontinue third-party notice, the Division shall:

      (i) provide notice to the requesting individual that the discontinuation notice was received; and

      (ii) provide notice to the designated third party that the notification has been rescinded.

      (c) An individual may have up to three active designated third parties.

      (12) A licensed pharmacy technician or pharmacy intern employed by a pharmacy may obtain Database information to the extent permissible under Subsection 58-37f-301(2)(l) if, prior to making the request:

      (a) the pharmacist-in-charge (PIC) has provided to the Division a written designation authorizing access to the pharmacy technician or pharmacy intern on behalf of a licensed pharmacist employed by the pharmacy;

      (b) the written designation includes the pharmacy technician's or pharmacy intern's:

      (i) full name;

      (ii) professional license number assigned by the Division;

      (iii) email address;

      (iv) contact phone number;

      (v) pharmacy name and location;

      (vi) pharmacy DEA number;

      (vii) pharmacy phone number;

      (c) the written designation includes the pharmacist-in-charge's (PIC's):

      (i) full name;

      (ii) professional license number assigned by the Division;

      (iii) email address;

      (iv) contact phone number;

      (d) the written designation includes the assigned pharmacist's:

      (i) full name;

      (ii) professional license number assigned by the Division;

      (iii) email address;

      (iv) contact phone number; and

      (e) the written designation includes the following signatures:

      (i) pharmacy technician or pharmacy intern;

      (ii) pharmacist-in-charge (PIC); and

      (iii) assigned pharmacist if different than the PIC.

      (13) The Utah Department of Health may access Database information for purposes of scientific study regarding public health. To access information, the scientific investigator shall:

      (a) demonstrate to the satisfaction of the Division that the research is part of an approved project of the Utah Department of Health;

      (b) provide a description of the research to be conducted, including:

      (i) a research protocol for the project; and

      (ii) a description of the data needed from the Database to conduct that research;

      (c) provide assurances and a plan that demonstrates all Database information will be maintained securely, with access being strictly restricted to the requesting scientific investigator;

      (d) provide for electronic data to be stored on a secure database computer system with access being strictly restricted to the requesting scientific investigator; and

      (e) pay all relevant expenses for data transfer and manipulation.

      (14) Database information that may be disseminated under Section 58-37f-301 may be disseminated by the Database staff either:

      (a) verbally;

      (b) by facsimile;

      (c) by email;

      (d) by U.S. mail; or

      (e) by electronic access, where adequate technology is in place to ensure that a record will not be compromised, intercepted, or misdirected.