How to Comply with Utah HIPAA Laws
Navigating federal and state privacy laws can be complex, especially as new regulations take effect. HIPAA is federal law and applies to covered entities and business associates in every state, so "Utah HIPAA laws" means the federal HIPAA rules as they apply to organizations that handle Utah residents' protected health information (PHI). Separately, as of 2023, businesses that handle Utah residents' personal data may also fall under the Utah Consumer Privacy Act (UCPA). This page covers what HIPAA requires of a Utah organization and how the UCPA fits alongside it.
Utah HIPAA Laws
To meet the requirements of the HIPAA regulations, covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates (healthcare vendors, MSPs, and other service providers that handle PHI on their behalf) must implement a HIPAA compliance program. Its core components are described below.
Security Risk Assessments, Gap Identification, and Remediation
To be HIPAA compliant, you must first identify where your deficiencies lie. The HIPAA Security Rule requires a documented risk analysis that identifies the threats and vulnerabilities to the electronic PHI you create, receive, maintain, or transmit, followed by risk management to reduce those risks to a reasonable and appropriate level, and periodic evaluation of your safeguards. In practice this is done through a set of annual self-audits covering the Security, Privacy, and Breach Notification requirements. These self-audits uncover weaknesses and vulnerabilities in your security practices. For each gap found you must create a remediation plan that lists the deficiency, the actions you will take to address it, who is responsible, and a timeline, and you must keep the documentation: in an OCR investigation, the risk analysis and the remediation records are among the first things requested.
HIPAA Policies and Procedures
You must implement written policies and procedures that show how you meet the HIPAA Privacy, Security, and Breach Notification Rules. Generic templates are not enough: the policies must be customized to how your practice actually operates, and staff must be able to follow them. Review them at least annually, and whenever your business practices, systems, or the regulations change, and document each review and amendment. HIPAA requires policies, procedures, and related documentation to be retained for six years from the date they were created or last in effect.
HIPAA Training in Utah
HIPAA's workforce training requirements are federal and therefore the same in Utah as in any other state. Training must be provided to every workforce member who may access PHI, which includes employees, volunteers, and trainees, not only clinical staff, and it must be documented. The Privacy Rule requires training when someone joins the workforce and whenever a change in policy or procedure affects their role; the Security Rule requires an ongoing security awareness program, including periodic reminders. Annual refresher training is the accepted standard. Have each employee attest in writing that they completed the training and agree to follow the material; the signed attestation is the evidence you will need if a violation occurs.
Business Associate Agreements
Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that creates, receives, maintains, or transmits PHI on your behalf, or otherwise performs a service for your practice that gives it the potential to access PHI. Common examples include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers (a cloud provider storing electronic PHI is a business associate even if it holds only encrypted data it cannot read).
Not every vendor can be used while remaining HIPAA compliant: the vendor must be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract under which the business associate agrees to comply with the HIPAA Security Rule and the applicable parts of the Privacy Rule, to use and disclose PHI only as the agreement permits, to report breaches and security incidents to you, and to impose the same obligations on its own subcontractors. If a vendor will not sign a BAA, it cannot be used for any service that involves PHI. Sign the BAA before any PHI is shared: disclosing PHI to a vendor without a BAA in place is itself a Privacy Rule violation.
Incident Management
To comply with the HIPAA Breach Notification Rule, you must have a process to detect, respond to, investigate, and report security incidents and breaches; the Security Rule separately requires documented security incident procedures. Employees must know how to report a suspected incident and must be able to do so without fear of retaliation (HIPAA prohibits intimidating or retaliatory acts against anyone who reports), and an anonymous reporting channel makes reports more likely. Log, risk-assess, and document every report, because the risk assessment that decides whether an incident is a reportable breach must be retained as evidence of your decision.
HIPAA Release Form in Utah
A HIPAA release (authorization) form is required in Utah under the same circumstances as anywhere else: the HIPAA Privacy Rule lists the uses and disclosures of PHI that require the individual's written authorization before that person's PHI can be used or shared. Uses for treatment, payment, and healthcare operations do not need an authorization; most other uses do.
HIPAA authorization forms in Utah are required before:
- The covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule
- The covered entity can use or disclose PHI for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
- The covered entity can use or disclose psychotherapy notes, with narrow exceptions such as the originator's own use for treatment.
- The covered entity can sell PHI. The authorization must state that the disclosure will result in remuneration to the covered entity.
The Privacy Rule (45 CFR 164.508) requires that a HIPAA release form contain specific "core elements" to be valid; a form missing any of them is defective and does not authorize the use or disclosure.
These core elements are:
- A description of the specific information to be used or disclosed.
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- The signature of the individual and the date. If a personal representative signs, the form must also describe the representative's authority to act for the individual.
The form must also be written in plain language and include required statements: that the individual may revoke the authorization in writing and how to do so, whether treatment, payment, enrollment, or eligibility for benefits is conditioned on signing, and that PHI disclosed under the authorization may be redisclosed by the recipient and no longer protected by the Privacy Rule. The individual must receive a copy of the signed form.
Utah Data Breach Notification Law
Utah's data breach notification law (Utah Code Title 13, Chapter 44, the Protection of Personal Information Act) requires an organization that owns or licenses computerized personal information about Utah residents to notify affected residents when a breach compromises that information. The law treats an entity that is regulated by federal law and follows that law's breach notification procedures as in compliance, so a covered entity or business associate that reports incidents under HIPAA also meets the Utah requirement for the PHI involved. If an incident also exposes personal information that is not PHI, such as employee HR records, the Utah law may still apply to that data on its own terms.
The HIPAA Breach Notification Rule defines a breach as an acquisition, access, use, or disclosure of PHI that is not permitted by the Privacy Rule and that compromises the security or privacy of that PHI. Such an incident is presumed to be a breach unless the organization documents, through a risk assessment that considers (1) the nature and extent of the PHI involved, (2) the unauthorized person who used or received it, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated, that there is a low probability the PHI was compromised. PHI that was encrypted in line with HHS guidance, or disposed of in a way that makes it unreadable, is not "unsecured" PHI, and its loss is not a reportable breach.
Incidents that are considered reportable breaches include:
- Hacking or IT incidents
- Unauthorized access or disclosure of PHI
- Theft or loss of an unencrypted device containing PHI or with access to PHI
- Improper disposal of medical records
When an individual's unsecured PHI is affected by one of these incidents, the individual must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered (60 days is an outer limit, not a target). Notification letters must be sent by first-class mail, or by email if the individual has agreed to electronic notice. If contact information is missing or out of date for fewer than ten individuals, an alternative written notice, a telephone call, or other means may be used; for ten or more, a substitute notice must be posted conspicuously on the organization's website for 90 days or published in major print or broadcast media serving the affected area, together with a toll-free number that stays active for at least 90 days. If the breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified within the same 60-day window.
Breach notification requirements to the Department of Health and Human Services (HHS) differ depending on how many individuals are affected by the incident.
- Breaches affecting fewer than 500 individuals: keep a log of every such breach during the calendar year and report them to HHS within 60 days after the end of that year, which is March 1 of the following year.
- Breaches affecting 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days after discovery, at the same time individuals are notified. These incidents are posted publicly on the OCR breach portal.
Consequences of HIPAA Violations in Utah
What are the consequences of HIPAA violations in Utah? Many HIPAA violations come to light because of breaches, but the breach itself is not what establishes a violation; what matters is whether the organization met its obligations before and after the incident. The most common findings in OCR enforcement actions are failures to conduct an accurate and thorough risk analysis, to give patients timely access to their medical records, to have signed business associate agreements in place, and to report breaches promptly. The consequences are civil money penalties imposed by OCR, tiered by the organization's level of culpability, usually accompanied by a corrective action plan with several years of monitoring; knowingly obtaining or disclosing PHI in violation of HIPAA can also be prosecuted criminally. Under the HITECH Act, the Utah Attorney General may additionally bring a civil action on behalf of Utah residents harmed by a HIPAA violation.
How the Utah Consumer Privacy Act Factors In
The Utah Consumer Privacy Act (UCPA) protects Utah residents' privacy in their personal data. The UCPA defines "personal data" as information that is "linked or reasonably linkable" to an identified or identifiable individual, excluding deidentified data and publicly available information. This is similar in spirit to the HIPAA definition of protected health information, but broader: it covers any personal data, not only health information held by a covered entity.
The UCPA applies to data controllers and data processors. Under the law, a controller is a person or entity doing business in Utah that determines the purposes and means of processing personal data; a processor is a person or entity that processes personal data on behalf of a controller. The relationship is akin to the HIPAA relationship between a covered entity and a business associate: in each case the latter processes information on behalf of the former, and in each case a written contract governing that processing is required.
The UCPA applies to a controller or processor that conducts business in Utah or produces a product or service targeted to Utah residents, has annual revenue of $25,000,000 or more, and meets at least one of the following:
- Controls or processes the personal data of 100,000 or more consumers during a calendar year; or
- Derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Notably, the UCPA does not apply to HIPAA covered entities or business associates: an entity that HIPAA already regulates is not additionally regulated by the Utah privacy law. In addition, protected health information under HIPAA is exempt from the UCPA even when held by an organization that is otherwise subject to it. A healthcare vendor that handles both PHI and ordinary consumer data should therefore check which regime governs each data set.
The UCPA was signed into law on March 24, 2022, with an effective date of December 31, 2023. Regulated entities therefore had until the end of December 2023 to bring themselves into compliance, and the law is now in force.