Can I prioritize privacy compliance to gain a competitive advantage, reduce the possibility of regulatory issues, and help secure valuable partnerships in Utah? What are the requirements?
Privacy Compliance in Utah
Yes, prioritizing privacy compliance can give you a competitive advantage, reduce the possibility of regulatory issues, and help secure valuable partnerships in Utah. To comply with privacy regulations in Utah, you need to follow the requirements outlined in the relevant documents.
General Compliance
Covered entities shall comply with the privacy requirements of 45 CFR Part 164, Subpart E in dealing with individually identifiable health information and the subjects of that information [1.1][2.1].
Agency Privacy Policies
A State agency may issue a privacy policy that provides additional detail to, but does not conflict with, the terms of this rule. An agency may not substitute its own privacy policy for this rule, unless a state law, federal regulation or federal statute requires an agency to treat personally identifiable information in a way that is inconsistent with this rule. In this case, the specific provision or provisions of this rule that conflict with the state statute, federal regulation or federal statute do not apply. If that occurs, the remainder of the provisions of this rule shall apply to the agency [3.1][4.1].
Consumer Privacy Restricted Account
The Consumer Privacy Account is a restricted account created to fund investigation and administrative costs incurred by the division in investigating consumer complaints alleging violations of this chapter, recovery of costs and attorney fees accrued by the attorney general in enforcing this chapter, and providing consumer and business education regarding consumer rights under this chapter and compliance with the provisions of this chapter for controllers and processors. If the balance in the account exceeds $4,000,000 at the close of any fiscal year, the Division of Finance shall transfer the amount that exceeds $4,000,000 into the General Fund [5.1].
Privacy Risk Assessment for Online Applications
Each state agency shall complete a “Privacy Risk Assessment” that is authorized by the CIO, for all online applications. The agency shall maintain a copy of each completed assessment for a period of four years for the purpose of providing audit documentation [4.2][3.2].
Notification and Posting Requirements
If either of the exceptions listed in R895-5-6 Subsection (1)(a) or (b) applies, or if the State agency issues an agency privacy policy for its website as permitted under this rule, then the agency shall conspicuously post that information on the web pages where personally identifiable information is collected or on the home page of its website. The agency privacy policy shall indicate the name of the issuing agency, a statement that the agency privacy policy applies to its own website only, a statement about what personally identifiable information the policy specifically applies to, and a statement defining how its agency privacy policy differs from this rule [4.3][3.3].
In summary, to prioritize privacy compliance in Utah, you need to comply with the privacy requirements of 45 CFR Part 164, Subpart E, issue an agency privacy policy that does not conflict with the relevant rules, complete a Privacy Risk Assessment for all online applications, and post relevant information on your website.
Source(s):
- [1.1] General Compliance.
- [2.1] General Compliance.
- [3.1] Agency Privacy Policies.
- [4.1] Agency Privacy Policies.
- [5.1] Consumer Privacy Restricted Account. (Effective 12/31/2023)
- [4.2] Privacy Risk Assessment for Online Applications.
- [3.2] Privacy Risk Assessment for Online Applications.
- [4.3] Notification and Posting Requirements.
- [3.3] Notification and Posting Requirements.
Jurisdiction
Utah