1
2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill creates requirements for a person who collects, processes, shares, or provides
10 individually identifiable social care information.
11 Highlighted Provisions:
12 This bill:
13 ▸ defines terms;
14 ▸ enacts requirements that certain entities must follow when obtaining consent to
15 access or share individually identifiable social care information;
16 ▸ requires consent to share an individual's individually identifiable social care
17 information; and
18 ▸ requires a person who collects, processes, shares, or provides individually
19 identifiable social care information to meet certain information privacy and security
20 requirements with respect to that information.
21 Money Appropriated in this Bill:
22 None
23 Other Special Clauses:
24 None
25 Utah Code Sections Affected:
26 ENACTS:
27 63G-26-201, Utah Code Annotated 1953
28 REPEALS:
29 63G-24-101, as enacted by Laws of Utah 2020, Chapter 373
30
31 Be it enacted by the Legislature of the state of Utah:
32 Section 1. Section 63G-26-201 is enacted to read:
33 63G-26-201. Requirements for collection, sharing, processing, and use of social
34 care information.
35 (1) As used in this section:
36 (a) "Individually identifiable social care information" means information about an
37 individual that:
38 (i) identifies the individual receiving social care; or
39 (ii) can be used to identify the individual receiving social care.
40 (b) (i) "Social care" means care, services, goods, or supplies related to an individual's
41 social needs.
42 (ii) "Social care" includes support and assistance for an individual's food stability and
43 nutritional needs, housing, transportation, economic stability, employment, education access
44 and quality, child care and family relationship needs, or environmental and physical safety.
45 (2) This section applies to a person:
46 (a) that collects, processes, shares, or provides individually identifiable social care
47 information with one or more providers of social care; or
48 (b) provides social care.
49 (3) Individually identifiable social care information may only be shared between social
50 care providers if the individual about whom the individually identifiable social care
51 information relates:
52 (a) provides consent for the person to share the individual's individually identifiable
53 social care information separately for each provider of social care;
54 (b) specifies the providers of social care who are able to view the individual's
55 individually identifiable social care information; and
56 (c) retains the right to revoke the consent provided under Subsection (3)(a) and (b) at
57 any time.
58 (4) (a) A provider of social care shall maintain policies and controls necessary for
59 referrals and provision of social care in accordance with this section.
60 (b) The policies described in Subsection (4)(a) shall:
61 (i) allow any individual about whom individually identifiable social care information
62 relates to access the information to ensure uninterrupted and efficient delivery of services and
63 care coordination;
64 (ii) restrict access to individually identifiable social care information to those
65 individuals who need access to the individually identifiable social care information to complete
66 their duties; and
67 (iii) prohibit staff, volunteers, and other individuals from accessing to individually
68 identifiable social care information when those individuals do not need to access this
69 information to complete their duties.
70 (5) (a) A provider of social care may not condition the provision, extent, or amount of
71 social care services on an individual's willingness to consent to sharing the individual's
72 individually identifiable social care information with employees, partner organizations, or other
73 persons that are not necessary for the provision of the social care services.
74 (b) A provider of social care may not sell or license individually identifiable social care
75 information without the explicit written consent of each individual about whom the
76 individually identifiable social care information relates.
77 (c) The consent required under Subsection (5)(b):
78 (i) shall include, at a minimum, an affirmative act that clearly and conspicuously
79 communicates that the person is requesting the individual's authorization to share or sell the
80 individual's individually identifiable social care information; and
81 (ii) may not be obtained solely through the checking of a box or a radio button on a
82 website.
83 (6) (a) A person described in Subsection (2) shall, upon request, provide to the
84 requesting individual any personally identifiable social care information about the requesting
85 individual.
86 (b) The information described in Subsection (6)(a) shall be provided to the requesting
87 individual in a portable, readily usable format to the extent that this is technically feasible for
88 the person providing the individually identifiable social care information.
89 (7) This section does not apply to the extent that the requirements in this section are
90 duplicative of or inconsistent with the requirements in:
91 (a) the Health Insurance Portability and Accountability Act of 1996, Pub. L. No.
92 104-191, 110 Stat. 1936, as amended;
93 (b) regulations regarding the confidentiality of substance use disorder patient records
94 under 42 C.F.R. Part 2; or
95 (c) any other applicable provision of state or federal law.
96 Section 2. Repealer.
97 This bill repeals:
98 Section 63G-24-101, Title.