1     
PRESCRIPTION DATABASE REVISIONS

2     
2015 GENERAL SESSION

3     
STATE OF UTAH

4     
Chief Sponsor: Todd Weiler

5     
House Sponsor: Brad M. Daw

6     Cosponsors:
7     Jim Dabakis
8     Luz Escamilla
Deidre M. Henderson
Alvin B. Jackson
Peter C. Knudson
Mark B. Madsen
Aaron Osmond
Daniel W. Thatcher
9     

10     LONG TITLE
11     General Description:
12          This bill modifies the Controlled Substance Database Act regarding use of information
13     in the database.
14     Highlighted Provisions:
15          This bill:
16          ▸     provides that a person may request that the division provide to the person his or her
17     records that are in the controlled substance database;
18          ▸     provides a procedure for a patient to correct erroneous information in the database;
19          ▸     requires law enforcement to use a search warrant to gain database information
20     related to a controlled substance investigation and requires specification of the
21     person regarding whom the information is sought;
22          ▸     authorizes a person whose information is in the database to obtain a list of persons
23     who have had access to that person's information, except when the information is
24     subject to an investigation;
25          ▸     provides that a physician employed as medical director for a licensed workers'
26     compensation insurer or an approved self-insured employer may have access to the
27     database regarding requests for workers' compensation; and

28          ▸     adds the standards of negligently or recklessly to the elements of the criminal
29     offense of unlawfully releasing database information.
30     Money Appropriated in this Bill:
31          None
32     Other Special Clauses:
33          None
34     Utah Code Sections Affected:
35     AMENDS:
36          58-37f-203, as last amended by Laws of Utah 2014, Chapter 72
37          58-37f-301, as last amended by Laws of Utah 2014, Chapters 68 and 401
38          58-37f-601, as last amended by Laws of Utah 2014, Chapter 68
39     

40     Be it enacted by the Legislature of the state of Utah:
41          Section 1. Section 58-37f-203 is amended to read:
42          58-37f-203. Submission, collection, and maintenance of data.
43          (1) (a) The pharmacist in charge of the drug outlet where a controlled substance is
44     dispensed shall submit the data described in this section to the division:
45          (i) in accordance with the requirements of this section;
46          (ii) in accordance with the procedures established by the division; and
47          (iii) in the format established by the division.
48          (b) A dispensing medical practitioner licensed under Chapter 17b, Part 8, Dispensing
49     Medical Practitioner and Dispensing Medical Practitioner Clinic Pharmacy, shall comply with
50     the provisions of this section and the dispensing medical practitioner shall assume the duties of
51     the pharmacist under this chapter.
52          (2) The pharmacist described in Subsection (1) shall, for each controlled substance
53     dispensed by a pharmacist under the pharmacist's supervision other than those dispensed for an
54     inpatient at a health care facility, submit to the division the following information:
55          (a) the name of the prescribing practitioner;

56          (b) the date of the prescription;
57          (c) the date the prescription was filled;
58          (d) the name of the individual for whom the prescription was written;
59          (e) positive identification of the individual receiving the prescription, including the
60     type of identification and any identifying numbers on the identification;
61          (f) the name of the controlled substance;
62          (g) the quantity of the controlled substance prescribed;
63          (h) the strength of the controlled substance;
64          (i) the quantity of the controlled substance dispensed;
65          (j) the dosage quantity and frequency as prescribed;
66          (k) the name of the drug outlet dispensing the controlled substance; and
67          (l) the name of the pharmacist dispensing the controlled substance[; and].
68          [(m) other relevant information as required by division rule.]
69          (3) An individual whose records are in the database may obtain those records upon
70     submission of a written request to the division.
71          (4) (a) A patient whose record is in the database may contact the division in writing to
72     request correction of any of the patient's database information that is incorrect. The patient
73     shall provide a postal address for the division's response.
74          (b) The division shall grant or deny the request within 30 days from receipt of the
75     request and shall advise the requesting patient of its decision by mail postmarked within 35
76     days of receipt of the request.
77          (c) If the division denies a request under this Subsection (4) or does not respond within
78     35 days, the patient may submit an appeal to the Department of Commerce, within 60 days
79     after the postmark date of the patient's letter making a request for a correction under this
80     Subsection (4).
81          [(3)] (5) (a) The division shall make rules, in accordance with Title 63G, Chapter 3,
82     Utah Administrative Rulemaking Act, to establish the electronic format in which the
83     information required under this section shall be submitted to the division.

84          (b) The division shall ensure that the database system records and maintains for
85     reference:
86          (i) the identification of each individual who requests or receives information from the
87     database;
88          (ii) the information provided to each individual; and
89          (iii) the date and time that the information is requested or provided.
90          Section 2. Section 58-37f-301 is amended to read:
91          58-37f-301. Access to database.
92          (1) The division shall make rules, in accordance with Title 63G, Chapter 3, Utah
93     Administrative Rulemaking Act, to:
94          (a) effectively enforce the limitations on access to the database as described in this
95     part; and
96          (b) establish standards and procedures to ensure accurate identification of individuals
97     requesting information or receiving information without request from the database.
98          (2) The division shall make information in the database and information obtained from
99     other state or federal prescription monitoring programs by means of the database available only
100     to the following individuals, in accordance with the requirements of this chapter and division
101     rules:
102          (a) personnel of the division specifically assigned to conduct investigations related to
103     controlled substance laws under the jurisdiction of the division;
104          (b) authorized division personnel engaged in analysis of controlled substance
105     prescription information as a part of the assigned duties and responsibilities of their
106     employment;
107          (c) in accordance with a written agreement entered into with the department,
108     employees of the Department of Health:
109          (i) whom the director of the Department of Health assigns to conduct scientific studies
110     regarding the use or abuse of controlled substances, if the identity of the individuals and
111     pharmacies in the database are confidential and are not disclosed in any manner to any

112     individual who is not directly involved in the scientific studies; or
113          (ii) when the information is requested by the Department of Health in relation to a
114     person or provider whom the Department of Health suspects may be improperly obtaining or
115     providing a controlled substance;
116          (d) in accordance with a written agreement entered into with the department, a
117     designee of the director of the Department of Health, who is not an employee of the
118     Department of Health, whom the director of the Department of Health assigns to conduct
119     scientific studies regarding the use or abuse of controlled substances pursuant to an application
120     process established in rule by the Department of Health, if:
121          (i) the designee provides explicit information to the Department of Health regarding
122     the purpose of the scientific studies;
123          (ii) the scientific studies to be conducted by the designee:
124          (A) fit within the responsibilities of the Department of Health for health and welfare;
125          (B) are reviewed and approved by an Institutional Review Board that is approved for
126     human subject research by the United States Department of Health and Human Services; and
127          (C) are not conducted for profit or commercial gain; and
128          (D) are conducted in a research facility, as defined by division rule, that is associated
129     with a university or college in the state accredited by the Northwest Commission on Colleges
130     and Universities;
131          (iii) the designee protects the information as a business associate of the Department of
132     Health; and
133          (iv) the identity of the prescribers, patients, and pharmacies in the database are
134     de-identified, confidential, not disclosed in any manner to the designee or to any individual
135     who is not directly involved in the scientific studies;
136          (e) in accordance with the written agreement entered into with the department and the
137     Department of Health, authorized employees of a managed care organization, as defined in 42
138     C.F.R. Sec. 438, if:
139          (i) the managed care organization contracts with the Department of Health under the

140     provisions of Section 26-18-405 and the contract includes provisions that:
141          (A) require a managed care organization employee who will have access to information
142     from the database to submit to a criminal background check; and
143          (B) limit the authorized employee of the managed care organization to requesting either
144     the division or the Department of Health to conduct a search of the database regarding a
145     specific Medicaid enrollee and to report the results of the search to the authorized employee;
146     and
147          (ii) the information is requested by an authorized employee of the managed care
148     organization in relation to a person who is enrolled in the Medicaid program with the managed
149     care organization, and the managed care organization suspects the person may be improperly
150     obtaining or providing a controlled substance;
151          (f) a licensed practitioner having authority to prescribe controlled substances, to the
152     extent the information:
153          (i) (A) relates specifically to a current or prospective patient of the practitioner; and
154          (B) is provided to or sought by the practitioner for the purpose of:
155          (I) prescribing or considering prescribing any controlled substance to the current or
156     prospective patient;
157          (II) diagnosing the current or prospective patient;
158          (III) providing medical treatment or medical advice to the current or prospective
159     patient; or
160          (IV) determining whether the current or prospective patient:
161          (Aa) is attempting to fraudulently obtain a controlled substance from the practitioner;
162     or
163          (Bb) has fraudulently obtained, or attempted to fraudulently obtain, a controlled
164     substance from the practitioner;
165          (ii) (A) relates specifically to a former patient of the practitioner; and
166          (B) is provided to or sought by the practitioner for the purpose of determining whether
167     the former patient has fraudulently obtained, or has attempted to fraudulently obtain, a

168     controlled substance from the practitioner;
169          (iii) relates specifically to an individual who has access to the practitioner's Drug
170     Enforcement Administration identification number, and the practitioner suspects that the
171     individual may have used the practitioner's Drug Enforcement Administration identification
172     number to fraudulently acquire or prescribe a controlled substance;
173          (iv) relates to the practitioner's own prescribing practices, except when specifically
174     prohibited by the division by administrative rule;
175          (v) relates to the use of the controlled substance database by an employee of the
176     practitioner, described in Subsection (2)(g); or
177          (vi) relates to any use of the practitioner's Drug Enforcement Administration
178     identification number to obtain, attempt to obtain, prescribe, or attempt to prescribe, a
179     controlled substance;
180          (g) in accordance with Subsection (3)(a), an employee of a practitioner described in
181     Subsection (2)(f), for a purpose described in Subsection (2)(f)(i) or (ii), if:
182          (i) the employee is designated by the practitioner as an individual authorized to access
183     the information on behalf of the practitioner;
184          (ii) the practitioner provides written notice to the division of the identity of the
185     employee; and
186          (iii) the division:
187          (A) grants the employee access to the database; and
188          (B) provides the employee with a password that is unique to that employee to access
189     the database in order to permit the division to comply with the requirements of Subsection
190     58-37f-203[(3)](4)(b) with respect to the employee;
191          (h) an employee of the same business that employs a licensed practitioner under
192     Subsection (2)(f) if:
193          (i) the employee is designated by the practitioner as an individual authorized to access
194     the information on behalf of the practitioner;
195          (ii) the practitioner and the employing business provide written notice to the division of

196     the identity of the designated employee; and
197          (iii) the division:
198          (A) grants the employee access to the database; and
199          (B) provides the employee with a password that is unique to that employee to access
200     the database in order to permit the division to comply with the requirements of Subsection
201     58-37f-203[(3)](4)(b) with respect to the employee;
202          (i) a licensed pharmacist having authority to dispense a controlled substance to the
203     extent the information is provided or sought for the purpose of:
204          (i) dispensing or considering dispensing any controlled substance; or
205          (ii) determining whether a person:
206          (A) is attempting to fraudulently obtain a controlled substance from the pharmacist; or
207          (B) has fraudulently obtained, or attempted to fraudulently obtain, a controlled
208     substance from the pharmacist;
209          (j) in accordance with Subsection (3)(a), a licensed pharmacy technician who is an
210     employee of a pharmacy as defined in Section 58-17b-102, for the purposes described in
211     Subsection (2)(h)(i) or (ii), if:
212          (i) the employee is designated by the pharmacist-in-charge as an individual authorized
213     to access the information on behalf of a licensed pharmacist employed by the pharmacy;
214          (ii) the pharmacist-in-charge provides written notice to the division of the identity of
215     the employee; and
216          (iii) the division:
217          (A) grants the employee access to the database; and
218          (B) provides the employee with a password that is unique to that employee to access
219     the database in order to permit the division to comply with the requirements of Subsection
220     58-37f-203[(3)](4)(b) with respect to the employee;
221          (k) pursuant to a valid search warrant, federal, state, and local law enforcement
222     [authorities,] agencies and state and local prosecutors[,] that are engaged [as a specified duty of
223     their employment in enforcing laws:] in an investigation related to:

224          (i) one or more controlled substances; and
225          (ii) a specific person who is a subject of the investigation;
226          [(i) regulating controlled substances;]
227          [(ii) investigating insurance fraud, Medicaid fraud, or Medicare fraud; or]
228          [(iii) providing information about a criminal defendant to defense counsel, upon
229     request during the discovery process, for the purpose of establishing a defense in a criminal
230     case;]
231          (l) employees of the Office of Internal Audit and Program Integrity within the
232     Department of Health who are engaged in their specified duty of ensuring Medicaid program
233     integrity under Section 26-18-2.3;
234          (m) a mental health therapist, if:
235          (i) the information relates to a patient who is:
236          (A) enrolled in a licensed substance abuse treatment program; and
237          (B) receiving treatment from, or under the direction of, the mental health therapist as
238     part of the patient's participation in the licensed substance abuse treatment program described
239     in Subsection (2)(m)(i)(A);
240          (ii) the information is sought for the purpose of determining whether the patient is
241     using a controlled substance while the patient is enrolled in the licensed substance abuse
242     treatment program described in Subsection (2)(m)(i)(A); and
243          (iii) the licensed substance abuse treatment program described in Subsection
244     (2)(m)(i)(A) is associated with a practitioner who:
245          (A) is a physician, a physician assistant, an advance practice registered nurse, or a
246     pharmacist; and
247          (B) is available to consult with the mental health therapist regarding the information
248     obtained by the mental health therapist, under this Subsection (2)(m), from the database;
249          (n) an individual who is the recipient of a controlled substance prescription entered into
250     the database, upon providing evidence satisfactory to the division that the individual requesting
251     the information is in fact the individual about whom the data entry was made;

252          (o) an individual under Subsection (2)(n) for the purpose of obtaining a list of the
253     persons and entities that have requested or received any information from the database
254     regarding the individual, except if the individual's record is subject to a pending or current
255     investigation as authorized under this Subsection (2);
256          [(o)] (p) the inspector general, or a designee of the inspector general, of the Office of
257     Inspector General of Medicaid Services, for the purpose of fulfilling the duties described in
258     Title 63A, Chapter 13, Part 2, Office and Powers; and
259          [(p)] (q) the following licensed physicians for the purpose of reviewing and offering an
260     opinion on an individual's request for workers' compensation benefits under Title 34A, Chapter
261     2, Workers' Compensation Act, or Title 34A, Chapter 3, Utah Occupational Disease Act:
262          (i) a member of the medical panel described in Section 34A-2-601; [or]
263          (ii) a physician employed as medical director for a licensed workers' compensation
264     insurer or an approved self-insured employer; or
265          [(ii)] (iii) a physician offering a second opinion regarding treatment.
266          (3) (a) (i) A practitioner described in Subsection (2)(f) may designate up to three
267     employees to access information from the database under Subsection (2)(g), (2)(h), or (4)(c).
268          (ii) A pharmacist described in Subsection (2)(i) who is a pharmacist-in-charge may
269     designate up to three employees to access information from the database under Subsection
270     (2)(j).
271          (b) The division shall make rules, in accordance with Title 63G, Chapter 3, Utah
272     Administrative Rulemaking Act, to:
273          (i) establish background check procedures to determine whether an employee
274     designated under Subsection (2)(g), (2)(h), or (4)(c) should be granted access to the database;
275     and
276          (ii) establish the information to be provided by an emergency room employee under
277     Subsection (4).
278          (c) The division shall grant an employee designated under Subsection (2)(g), (2)(h), or
279     (4)(c) access to the database, unless the division determines, based on a background check, that

280     the employee poses a security risk to the information contained in the database.
281          (4) (a) An individual who is employed in the emergency room of a hospital may
282     exercise access to the database under this Subsection (4) on behalf of a licensed practitioner if
283     the individual is designated under Subsection (4)(c) and the licensed practitioner:
284          (i) is employed in the emergency room;
285          (ii) is treating an emergency room patient for an emergency medical condition; and
286          (iii) requests that an individual employed in the emergency room and designated under
287     Subsection (4)(c) obtain information regarding the patient from the database as needed in the
288     course of treatment.
289          (b) The emergency room employee obtaining information from the database shall,
290     when gaining access to the database, provide to the database the name and any additional
291     identifiers regarding the requesting practitioner as required by division administrative rule
292     established under Subsection (3)(b).
293          (c) An individual employed in the emergency room under this Subsection (4) may
294     obtain information from the database as provided in Subsection (4)(a) if:
295          (i) the employee is designated by the practitioner as an individual authorized to access
296     the information on behalf of the practitioner;
297          (ii) the practitioner and the hospital operating the emergency room provide written
298     notice to the division of the identity of the designated employee; and
299          (iii) the division:
300          (A) grants the employee access to the database; and
301          (B) provides the employee with a password that is unique to that employee to access
302     the database in order to permit the division to comply with the requirements of Subsection
303     58-37f-203(3)(b) with respect to the employee.
304          (d) The division may impose a fee, in accordance with Section 63J-1-504, on a
305     practitioner who designates an employee under Subsection (2)(g), (2)(h), or (4)(c) to pay for the
306     costs incurred by the division to conduct the background check and make the determination
307     described in Subsection (3)(b).

308          (5) (a) An individual who is granted access to the database based on the fact that the
309     individual is a licensed practitioner or a mental health therapist shall be denied access to the
310     database when the individual is no longer licensed.
311          (b) An individual who is granted access to the database based on the fact that the
312     individual is a designated employee of a licensed practitioner shall be denied access to the
313     database when the practitioner is no longer licensed.
314          Section 3. Section 58-37f-601 is amended to read:
315          58-37f-601. Unlawful release or use of database information -- Criminal and civil
316     penalties.
317          (1) (a) Any person who knowingly and intentionally releases any information in the
318     database or [knowingly and intentionally releases] any information obtained from other state or
319     federal prescription monitoring programs by means of the database in violation of the
320     limitations under Part 3, Access, is guilty of a third degree felony.
321          (b) Any person who negligently or recklessly releases any information in the database
322     or any information obtained from other state or federal prescription monitoring programs by
323     means of the database in violation of the limitations under Title 58, Chapter 37f, Part 3,
324     Access, is guilty of a class C misdemeanor.
325          (2) (a) Any person who obtains or attempts to obtain information from the database or
326     from any other state or federal prescription monitoring programs by means of the database by
327     misrepresentation or fraud is guilty of a third degree felony.
328          (b) Any person who obtains or attempts to obtain information from the database for a
329     purpose other than a purpose authorized by this chapter or by rule is guilty of a third degree
330     felony.
331          (3) (a) Except as provided in Subsection (3)(e), a person may not knowingly and
332     intentionally use, release, publish, or otherwise make available to any other person any
333     information obtained from the database or from any other state or federal prescription
334     monitoring programs by means of the database for any purpose other than those specified in
335     Part 3, Access.

336          (b) Each separate violation of this Subsection (3) is a third degree felony and is also
337     subject to a civil penalty not to exceed $5,000.
338          (c) The procedure for determining a civil violation of this Subsection (3) is in
339     accordance with Section 58-1-108, regarding adjudicative proceedings within the division.
340          (d) Civil penalties assessed under this Subsection (3) shall be deposited in the General
341     Fund as a dedicated credit to be used by the division under Subsection 58-37f-502(1).
342          (e) This Subsection (3) does not prohibit a person who obtains information from the
343     database under Subsection 58-37f-301(2)(f), (g), (i), or (4)(c) from:
344          (i) including the information in the person's medical chart or file for access by a person
345     authorized to review the medical chart or file; or
346          (ii) providing the information to a person in accordance with the requirements of the
347     Health Insurance Portability and Accountability Act of 1996.