Utah Administrative Code (Current through November 1, 2019)
R380. Health, Administration
R380-250. HIPAA Privacy Rule Implementation
R380-250-1. Authority and Purpose
(1) This rule implements provisions required by 45 CFR Part 164, subpart E, dealing with the treatment of certain individually identifiable health information held by the Department of Health.
(2) This rule is authorized by Utah Code Sections 26-1-5 and 26-1-17.
R380-250-2. Definitions
As used in this rule:
(1) "Access" means an eligibility query either telephonically or electronically. This does not include direct access to databases.
(2) "Covered program" means the smallest agency or program unit within the Department responsible for carrying out a covered function as that term is used in 45 CFR 164.501.
(3) "HIPAA Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information found in 45 CFR Part 160 and Subparts A and E of Part 164.
(4) "Individual" means a natural person. In the case of an individual without legal capacity or a deceased person, the personal representative of the individual.
R380-250-3. General Compliance
(1) This rule applies only to those functions of the Department that are covered functions as that term is used in 45 CFR Part 164.
(2) Covered programs shall comply with the privacy requirements of 45 CFR Part 164, Subpart E in dealing with individually identifiable health information and the subjects of that information.
R380-250-4. Changes to Rule
The Department reserves the right to alter this rule and its notices of privacy practices required by the HIPAA Privacy Rule.
R380-250-5. Sanctions, Retaliation
(1) An employee of a covered program may be disciplined for failure to comply with the HIPAA Privacy Rule requirements found in 45 CFR Part 164, Subpart E. Discipline may include termination and civil or criminal prosecution.
(2) An employee of a covered program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any person for exercising any right established by the HIPAA Privacy Rule or for opposing in good faith any act or practice made unlawful by the HIPAA Privacy Rule.
R380-250-6. Waiver of Rights Prohibited
A covered program may not require individuals to waive their rights under 45 CFR 160.306 or 45 CFR Part 164, Subpart E as a condition of the provision of treatment, payment, health plan enrollment, or eligibility for benefits.
R380-250-7. Complaints
(1) An individual may seek a review of a covered program's policies and procedures or its compliance with such policies and procedures through informal contact with the covered program.
(2) An individual may file a formal complaint concerning a covered program's policies and procedures implementing 45 CFR Part 164, Subpart E or its compliance with such policies and procedures or the requirements of 45 CFR Part 164, Subpart E by filing with the Office of the Executive Director of the Department a request for program action meeting the requirements of the Utah Administrative Procedures Act.
R380-250-8. Right to Request Privacy Protection
(1) An individual may request restrictions on use and disclosure of protected health information as permitted in 45 CFR 164.522 by submitting a written request to the designated privacy officer for the covered program.
(2) The decision whether to grant the request, documentation of any restrictions, alternate communication methods, and conditions on providing confidential communications shall be in accordance with 45 CFR 164.522.
R380-250-9. Individual Access to Protected Health Information
(1) An individual may request access to protected health information as permitted in 45 CFR 164.524 by submitting a written request to the designated privacy officer for the covered program.
(2) The right to access, decision whether to grant access, review of denials, timeliness of responses, form of access, time and manner of access, documentation and other required responses shall be in accordance with 45 CFR 164.524.
R380-250-10. Amendment of Protected Health Information
(1) An individual may request amendment to protected health information about that individual that the individual believes is incorrect as permitted in 45 CFR 164.526 by submitting a written request to the designated privacy officer for the covered program.
(2) The decision whether to grant the request, the time frames for action by the covered program, amendment of the record, requirements for denial, and acting on notices of amendment from third parties shall be in accordance with 45 CFR 164.526.
R380-250-11. Accounting for Disclosures
(1) An individual may request an accounting of disclosures of protected health information as permitted in 45 CFR 164.528 by submitting a written request to the designated privacy officer for the covered program.
(2) The content of the accounting and the provision of the accounting, shall be in accordance with 45 CFR 164.528.
R380-250-12. Provider Notice of Privacy Practices
A Medicaid provider or a Children's Health Insurance Program (CHIP) provider shall not access the Medicaid database or the CHIP eligibility database, unless the provider's notice of privacy practices contains a statement that the provider either has, or may submit personally identifiable information about the patient to the Medicaid eligibility database or to the CHIP eligibility database.