1     
CONTROLLED SUBSTANCE DATABASE ACCESS

2     
AMENDMENTS

3     
2020 GENERAL SESSION

4     
STATE OF UTAH

5     
Chief Sponsor: Craig Hall

6     
Senate Sponsor: Evan J. Vickers

7     

8     LONG TITLE
9     General Description:
10          This bill amends the Controlled Substance Database Act.
11     Highlighted Provisions:
12          This bill:
13          ▸     authorizes the Division of Occupational and Professional Licensing to provide
14     information to a managed care organization under certain circumstances;
15          ▸     creates an exception to certain restrictions on access to the controlled substances
16     database; and
17          ▸     makes technical changes.
18     Money Appropriated in this Bill:
19          None
20     Other Special Clauses:
21          None
22     Utah Code Sections Affected:
23     AMENDS:
24          58-37f-301, as last amended by Laws of Utah 2018, Chapter 123
25          58-37f-302, as enacted by Laws of Utah 2010, Chapter 287
26     

27     Be it enacted by the Legislature of the state of Utah:

28          Section 1. Section 58-37f-301 is amended to read:
29          58-37f-301. Access to database.
30          (1) The division shall make rules, in accordance with Title 63G, Chapter 3, Utah
31     Administrative Rulemaking Act, to:
32          (a) effectively enforce the limitations on access to the database as described in this
33     part; and
34          (b) establish standards and procedures to ensure accurate identification of individuals
35     requesting information or receiving information without request from the database.
36          (2) The division shall make information in the database and information obtained from
37     other state or federal prescription monitoring programs by means of the database available only
38     to the following individuals, in accordance with the requirements of this chapter and division
39     rules:
40          (a) (i) personnel of the division specifically assigned to conduct investigations related
41     to controlled substance laws under the jurisdiction of the division; and
42          (ii) the following law enforcement officers, but the division may only provide
43     nonidentifying information, limited to gender, year of birth, and postal ZIP code, regarding
44     individuals for whom a controlled substance has been prescribed or to whom a controlled
45     substance has been dispensed:
46          (A) a law enforcement agency officer who is engaged in a joint investigation with the
47     division; and
48          (B) a law enforcement agency officer to whom the division has referred a suspected
49     criminal violation of controlled substance laws;
50          (b) authorized division personnel engaged in analysis of controlled substance
51     prescription information as a part of the assigned duties and responsibilities of their
52     employment;
53          (c) a board member if:
54          (i) the board member is assigned to monitor a licensee on probation; and
55          (ii) the board member is limited to obtaining information from the database regarding
56     the specific licensee on probation;
57          (d) a member of a diversion committee established in accordance with Subsection
58     58-1-404(2) if:

59          (i) the diversion committee member is limited to obtaining information from the
60     database regarding the person whose conduct is the subject of the committee's consideration;
61     and
62          (ii) the conduct that is the subject of the committee's consideration includes a violation
63     or a potential violation of Chapter 37, Utah Controlled Substances Act, or another relevant
64     violation or potential violation under this title;
65          (e) in accordance with a written agreement entered into with the department,
66     employees of the Department of Health:
67          (i) whom the director of the Department of Health assigns to conduct scientific studies
68     regarding the use or abuse of controlled substances, if the identity of the individuals and
69     pharmacies in the database are confidential and are not disclosed in any manner to any
70     individual who is not directly involved in the scientific studies;
71          (ii) when the information is requested by the Department of Health in relation to a
72     person or provider whom the Department of Health suspects may be improperly obtaining or
73     providing a controlled substance; or
74          (iii) in the medical examiner's office;
75          (f) in accordance with a written agreement entered into with the department, a designee
76     of the director of the Department of Health, who is not an employee of the Department of
77     Health, whom the director of the Department of Health assigns to conduct scientific studies
78     regarding the use or abuse of controlled substances pursuant to an application process
79     established in rule by the Department of Health, if:
80          (i) the designee provides explicit information to the Department of Health regarding
81     the purpose of the scientific studies;
82          (ii) the scientific studies to be conducted by the designee:
83          (A) fit within the responsibilities of the Department of Health for health and welfare;
84          (B) are reviewed and approved by an Institutional Review Board that is approved for
85     human subject research by the United States Department of Health and Human Services; and
86          (C) are not conducted for profit or commercial gain; and
87          (D) are conducted in a research facility, as defined by division rule, that is associated
88     with a university or college accredited by one or more regional or national accrediting agencies
89     recognized by the United States Department of Education;

90          (iii) the designee protects the information as a business associate of the Department of
91     Health; and
92          (iv) the identity of the prescribers, patients, and pharmacies in the database are
93     de-identified, confidential, and not disclosed in any manner to the designee or to any individual
94     who is not directly involved in the scientific studies;
95          (g) in accordance with [the] a written agreement entered into with the department and
96     the Department of Health, authorized employees of a managed care organization, as defined in
97     42 C.F.R. Sec. 438, if:
98          (i) the managed care organization contracts with the Department of Health under the
99     provisions of Section 26-18-405 and the contract includes provisions that:
100          (A) require a managed care organization employee who will have access to information
101     from the database to submit to a criminal background check; and
102          (B) limit the authorized employee of the managed care organization to requesting
103     either the division or the Department of Health to conduct a search of the database regarding a
104     specific Medicaid enrollee and to report the results of the search to the authorized employee;
105     and
106          (ii) the information is requested by an authorized employee of the managed care
107     organization in relation to a person who is enrolled in the Medicaid program with the managed
108     care organization, and the managed care organization suspects the person may be improperly
109     obtaining or providing a controlled substance;
110          (h) a licensed practitioner having authority to prescribe controlled substances, to the
111     extent the information:
112          (i) (A) relates specifically to a current or prospective patient of the practitioner; and
113          (B) is provided to or sought by the practitioner for the purpose of:
114          (I) prescribing or considering prescribing any controlled substance to the current or
115     prospective patient;
116          (II) diagnosing the current or prospective patient;
117          (III) providing medical treatment or medical advice to the current or prospective
118     patient; or
119          (IV) determining whether the current or prospective patient:
120          (Aa) is attempting to fraudulently obtain a controlled substance from the practitioner;

121     or
122          (Bb) has fraudulently obtained, or attempted to fraudulently obtain, a controlled
123     substance from the practitioner;
124          (ii) (A) relates specifically to a former patient of the practitioner; and
125          (B) is provided to or sought by the practitioner for the purpose of determining whether
126     the former patient has fraudulently obtained, or has attempted to fraudulently obtain, a
127     controlled substance from the practitioner;
128          (iii) relates specifically to an individual who has access to the practitioner's Drug
129     Enforcement Administration identification number, and the practitioner suspects that the
130     individual may have used the practitioner's Drug Enforcement Administration identification
131     number to fraudulently acquire or prescribe a controlled substance;
132          (iv) relates to the practitioner's own prescribing practices, except when specifically
133     prohibited by the division by administrative rule;
134          (v) relates to the use of the controlled substance database by an employee of the
135     practitioner, described in Subsection (2)(i); or
136          (vi) relates to any use of the practitioner's Drug Enforcement Administration
137     identification number to obtain, attempt to obtain, prescribe, or attempt to prescribe, a
138     controlled substance;
139          (i) in accordance with Subsection (3)(a), an employee of a practitioner described in
140     Subsection (2)(h), for a purpose described in Subsection (2)(h)(i) or (ii), if:
141          (i) the employee is designated by the practitioner as an individual authorized to access
142     the information on behalf of the practitioner;
143          (ii) the practitioner provides written notice to the division of the identity of the
144     employee; and
145          (iii) the division:
146          (A) grants the employee access to the database; and
147          (B) provides the employee with a password that is unique to that employee to access
148     the database in order to permit the division to comply with the requirements of Subsection
149     58-37f-203[(5)](7) with respect to the employee;
150          (j) an employee of the same business that employs a licensed practitioner under
151     Subsection (2)(h) if:

152          (i) the employee is designated by the practitioner as an individual authorized to access
153     the information on behalf of the practitioner;
154          (ii) the practitioner and the employing business provide written notice to the division of
155     the identity of the designated employee; and
156          (iii) the division:
157          (A) grants the employee access to the database; and
158          (B) provides the employee with a password that is unique to that employee to access
159     the database in order to permit the division to comply with the requirements of Subsection
160     58-37f-203[(5)](7) with respect to the employee;
161          (k) a licensed pharmacist having authority to dispense a controlled substance to the
162     extent the information is provided or sought for the purpose of:
163          (i) dispensing or considering dispensing any controlled substance; or
164          (ii) determining whether a person:
165          (A) is attempting to fraudulently obtain a controlled substance from the pharmacist; or
166          (B) has fraudulently obtained, or attempted to fraudulently obtain, a controlled
167     substance from the pharmacist;
168          (l) in accordance with Subsection (3)(a), a licensed pharmacy technician and pharmacy
169     intern who is an employee of a pharmacy as defined in Section 58-17b-102, for the purposes
170     described in Subsection (2)(j)(i) or (ii), if:
171          (i) the employee is designated by the pharmacist-in-charge as an individual authorized
172     to access the information on behalf of a licensed pharmacist employed by the pharmacy;
173          (ii) the pharmacist-in-charge provides written notice to the division of the identity of
174     the employee; and
175          (iii) the division:
176          (A) grants the employee access to the database; and
177          (B) provides the employee with a password that is unique to that employee to access
178     the database in order to permit the division to comply with the requirements of Subsection
179     58-37f-203(5) with respect to the employee;
180          (m) pursuant to a valid search warrant, federal, state, and local law enforcement
181     officers and state and local prosecutors who are engaged in an investigation related to:
182          (i) one or more controlled substances; and

183          (ii) a specific person who is a subject of the investigation;
184          (n) subject to Subsection (7), a probation or parole officer, employed by the
185     Department of Corrections or by a political subdivision, to gain access to database information
186     necessary for the officer's supervision of a specific probationer or parolee who is under the
187     officer's direct supervision;
188          (o) employees of the Office of Internal Audit and Program Integrity within the
189     Department of Health who are engaged in their specified duty of ensuring Medicaid program
190     integrity under Section 26-18-2.3;
191          (p) a mental health therapist, if:
192          (i) the information relates to a patient who is:
193          (A) enrolled in a licensed substance abuse treatment program; and
194          (B) receiving treatment from, or under the direction of, the mental health therapist as
195     part of the patient's participation in the licensed substance abuse treatment program described
196     in Subsection (2)(p)(i)(A);
197          (ii) the information is sought for the purpose of determining whether the patient is
198     using a controlled substance while the patient is enrolled in the licensed substance abuse
199     treatment program described in Subsection (2)(p)(i)(A); and
200          (iii) the licensed substance abuse treatment program described in Subsection
201     (2)(p)(i)(A) is associated with a practitioner who:
202          (A) is a physician, a physician assistant, an advance practice registered nurse, or a
203     pharmacist; and
204          (B) is available to consult with the mental health therapist regarding the information
205     obtained by the mental health therapist, under this Subsection (2)(p), from the database;
206          (q) an individual who is the recipient of a controlled substance prescription entered into
207     the database, upon providing evidence satisfactory to the division that the individual requesting
208     the information is in fact the individual about whom the data entry was made;
209          (r) an individual under Subsection (2)(q) for the purpose of obtaining a list of the
210     persons and entities that have requested or received any information from the database
211     regarding the individual, except if the individual's record is subject to a pending or current
212     investigation as authorized under this Subsection (2);
213          (s) the inspector general, or a designee of the inspector general, of the Office of

214     Inspector General of Medicaid Services, for the purpose of fulfilling the duties described in
215     Title 63A, Chapter 13, Part 2, Office and Powers;
216          (t) the following licensed physicians for the purpose of reviewing and offering an
217     opinion on an individual's request for workers' compensation benefits under Title 34A, Chapter
218     2, Workers' Compensation Act, or Title 34A, Chapter 3, Utah Occupational Disease Act:
219          (i) a member of the medical panel described in Section 34A-2-601;
220          (ii) a physician employed as medical director for a licensed workers' compensation
221     insurer or an approved self-insured employer; or
222          (iii) a physician offering a second opinion regarding treatment; [and]
223          (u) members of Utah's Opioid Fatality Review Committee, for the purpose of
224     reviewing a specific fatality due to opioid use and recommending policies to reduce the
225     frequency of opioid use fatalities[.]; and
226          (v) a licensed pharmacist who is authorized by a managed care organization as defined
227     in Section 31A-1-301 to access the information on behalf of the managed care organization, if:
228          (i) the managed care organization believes that an enrollee of the managed care
229     organization has obtained or provided a controlled substance in violation of a medication
230     management program contract between the enrollee and the managed care organization; and
231          (ii) the managed care organization included a description of the medication
232     management program in the enrollee's outline of coverage described in Subsection
233     31A-22-605(7).
234          (3) (a) (i) A practitioner described in Subsection (2)(h) may designate one or more
235     employees to access information from the database under Subsection (2)(i), (2)(j), or (4)(c).
236          (ii) A pharmacist described in Subsection (2)(k) who is a pharmacist-in-charge may
237     designate up to five employees to access information from the database under Subsection (2)(l).
238          (b) The division shall make rules, in accordance with Title 63G, Chapter 3, Utah
239     Administrative Rulemaking Act, to:
240          (i) establish background check procedures to determine whether an employee
241     designated under Subsection (2)(i), (2)(j), or (4)(c) should be granted access to the database;
242     and
243          (ii) establish the information to be provided by an emergency department employee
244     under Subsection (4); and

245          (iii) facilitate providing controlled substance prescription information to a third party
246     under Subsection (5).
247          (c) The division shall grant an employee designated under Subsection (2)(i), (2)(j), or
248     (4)(c) access to the database, unless the division determines, based on a background check, that
249     the employee poses a security risk to the information contained in the database.
250          (4) (a) An individual who is employed in the emergency department of a hospital may
251     exercise access to the database under this Subsection (4) on behalf of a licensed practitioner if
252     the individual is designated under Subsection (4)(c) and the licensed practitioner:
253          (i) is employed in the emergency department;
254          (ii) is treating an emergency department patient for an emergency medical condition;
255     and
256          (iii) requests that an individual employed in the emergency department and designated
257     under Subsection (4)(c) obtain information regarding the patient from the database as needed in
258     the course of treatment.
259          (b) The emergency department employee obtaining information from the database
260     shall, when gaining access to the database, provide to the database the name and any additional
261     identifiers regarding the requesting practitioner as required by division administrative rule
262     established under Subsection (3)(b).
263          (c) An individual employed in the emergency department under this Subsection (4)
264     may obtain information from the database as provided in Subsection (4)(a) if:
265          (i) the employee is designated by the practitioner as an individual authorized to access
266     the information on behalf of the practitioner;
267          (ii) the practitioner and the hospital operating the emergency department provide
268     written notice to the division of the identity of the designated employee; and
269          (iii) the division:
270          (A) grants the employee access to the database; and
271          (B) provides the employee with a password that is unique to that employee to access
272     the database in order to permit the division to comply with the requirements of Subsection
273     58-37f-203(5) with respect to the employee.
274          (d) The division may impose a fee, in accordance with Section 63J-1-504, on a
275     practitioner who designates an employee under Subsection (2)(i), (2)(j), or (4)(c) to pay for the

276     costs incurred by the division to conduct the background check and make the determination
277     described in Subsection (3)(b).
278          (5) (a) (i) An individual may request that the division provide the information under
279     Subsection (5)(b) to a third party who is designated by the individual each time a controlled
280     substance prescription for the individual is dispensed.
281          (ii) The division shall upon receipt of the request under this Subsection (5)(a) advise
282     the individual in writing that the individual may direct the division to discontinue providing the
283     information to a third party and that notice of the individual's direction to discontinue will be
284     provided to the third party.
285          (b) The information the division shall provide under Subsection (5)(a) is:
286          (i) the fact a controlled substance has been dispensed to the individual, but without
287     identifying the controlled substance; and
288          (ii) the date the controlled substance was dispensed.
289          (c) (i) An individual who has made a request under Subsection (5)(a) may direct that
290     the division discontinue providing information to the third party.
291          (ii) The division shall:
292          (A) notify the third party that the individual has directed the division to no longer
293     provide information to the third party; and
294          (B) discontinue providing information to the third party.
295          (6) (a) An individual who is granted access to the database based on the fact that the
296     individual is a licensed practitioner or a mental health therapist shall be denied access to the
297     database when the individual is no longer licensed.
298          (b) An individual who is granted access to the database based on the fact that the
299     individual is a designated employee of a licensed practitioner shall be denied access to the
300     database when the practitioner is no longer licensed.
301          (7) A probation or parole officer is not required to obtain a search warrant to access the
302     database in accordance with Subsection (2)(n).
303          (8) The division shall review and adjust the database programming which
304     automatically logs off an individual who is granted access to the database under Subsections
305     (2)(h), (2)(i), (2)(j), and (4)(c) to maximize the following objectives:
306          (a) to protect patient privacy;

307          (b) to reduce inappropriate access; and
308          (c) to make the database more useful and helpful to a person accessing the database
309     under Subsections (2)(h), (2)(i), (2)(j), and (4)(c), especially in high usage locations such as an
310     emergency department.
311          Section 2. Section 58-37f-302 is amended to read:
312          58-37f-302. Other restrictions on access to database.
313          (1) A person who is a relative of a deceased individual is not entitled to access
314     information from the database relating to the deceased individual based on the fact or claim
315     that the person is:
316          (a) related to the deceased individual; or
317          (b) subrogated to the rights of the deceased individual.
318          (2) Except as provided in Subsection (3), data provided to, maintained in, or accessed
319     from the database that may be identified to, or with, a particular person is not subject to
320     discovery, subpoena, or similar compulsory process in [any] a civil, judicial, administrative, or
321     legislative proceeding, nor shall [any] an individual or organization with lawful access to the
322     data be compelled to testify with regard to the data.
323          (3) The restrictions described in Subsection (2) do not apply to a civil, judicial, or
324     administrative action brought:
325          (a) to enforce the provisions of this chapter[.]; or
326          (b) against a managed care organization, as defined in 42 C.F.R. Sec. 438.2, if:
327          (i) the action is related to Medicaid coverage;
328          (ii) the managed care organization has entered into a written agreement with the
329     Department of Health as described in Subsection 58-37f-301(2)(g); and
330          (iii) the division and the Department of Health agree in writing not to apply the
331     restrictions described in Subsection (2).