
Utah Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Utah.

60-day breach deadline · 7-year retention · Utah Controlled Substance Database

Utah healthcare compliance is anchored to Utah Code §13-44 (Protection of Personal Information Act), which requires breach notification within 60 days of discovery — matching the federal HIPAA outer limit rather than tightening it — and to the Utah Consumer Privacy Act and the Health Insurance Information Privacy Act of 1995 (Utah Code §31A-22-617), which together provide the state's overlay on health-related personal information. Civil penalties under the Consumer Protection Act run up to $2,500 per violation with a $100,000 aggregate cap — meaningfully lower than the active-enforcement states like Colorado or New Mexico. Medical records retention is governed by Utah Admin. Code R380-200, requiring seven years from last encounter. The Utah Division of Occupational and Professional Licensing (DOPL) administers the Utah Controlled Substance Database (CSD), and the Utah Department of Health and Human Services, Division of Disease Control and Prevention, handles communicable-disease reporting on a 24-hour clock. For a Salt Lake City, Provo, or Ogden practice, the regulatory profile is HIPAA-aligned on breach timing, modest on AG enforcement, and notable mostly for the CSD's broad every-Rx check requirement.

Breach Notification Rules

Notification deadline

60 calendar days

Notification must be made within 60 days of discovery of the breach.

AG notification threshold

Not explicitly required

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $2,500 per violation, $100,000 aggregate under Consumer Protection Act

Comparable to federal HIPAA

Enforcement Posture

The Utah Attorney General has historically taken a more reactive posture on healthcare-adjacent breach enforcement — pursuing actions under the Consumer Protection Act when a complaint is filed or when a multi-state coalition forms, rather than running proactive audits of breach-notification timing. Civil-penalty exposure tops out at $2,500 per violation with a $100,000 aggregate cap, which is well below the Colorado or New Mexico ranges and reduces practical settlement leverage. The Utah Division of Consumer Protection has been more active recently on the consumer-data side under the Utah Consumer Privacy Act, with healthcare-adjacent businesses occasionally swept in. DOPL pursues Controlled Substance Database noncompliance through licensing discipline, with willful noncompliance treated as a Class B misdemeanor. Practices that document contemporaneous harm analysis and notify within 60 days are seldom the target of standalone state action.

Medical Records Retention

| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |

Controlled-Substance Prescription Monitoring (Utah Controlled Substance Database)

The Utah Controlled Substance Database (CSD), administered by DOPL at dopl.utah.gov/controlled-substance-database, requires a check on every controlled-substance prescription, with delegation permitted to clinical staff registered under the supervising prescriber. Carve-outs apply for hospice patients, active cancer treatment, ≤3-day emergency supplies, and inpatient hospital or long-term care administration. Willful noncompliance is treated as a Class B misdemeanor in addition to DOPL licensing discipline and civil penalties up to $5,000 per violation. The CSD's one-business-day dispensing-data submission requirement is one of the strictest in the country.

Check required

Every prescription

Check frequency

Every prescription

Delegation allowed

Yes — licensed staff may query under prescriber oversight

Penalty range

Licensing board discipline; civil penalty up to $5,000 per violation; Class B misdemeanor for willful noncompliance

Exemptions

Hospice patients, cancer treatment, ≤3-day emergency supply in the ER, inpatient hospital or long-term care administration

How Utah Rules Hit by Specialty

Pharmacy/compounding

Utah's Controlled Substance Database requires dispensing data submission within one business day, faster than many states' weekly cadence. Compounding pharmacies and dispensing practitioners in Salt Lake City and Provo should align internal workflows to that one-business-day reporting cadence — DOPL audits dispensing-data lag, and Class B misdemeanor exposure attaches to willful noncompliance.

Behavioral health

Utah behavioral health practices face overlapping Utah Code §13-44 breach notification, federal 42 CFR Part 2 substance-use rules, and Utah Code §62A-3-305 elder-abuse reporting (which sweeps in cognitively impaired adults). The 60-day notification window aligns with HIPAA baseline, but a breach involving Part 2 records still requires federal re-disclosure analysis on top of the state notification.

Telehealth providers

Telehealth providers prescribing to Utah residents must register with the Utah Controlled Substance Database regardless of physical location, and any breach affecting Utah residents triggers the 60-day Utah Code §13-44 clock. The Utah Consumer Privacy Act adds consumer-data obligations for telehealth platforms with sufficient Utah-resident user counts — a layer that frequently surprises out-of-state providers.

Mandatory Reporting Obligations

Mandated reporters

Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals

Report to

Division of Child and Family Services (DCFS) or local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Class B misdemeanor; Class A misdemeanor for subsequent offenses

Immunity provision

Good faith reporters immune from civil and criminal liability under Utah Code 80-2-602

Mandated reporters

All persons including healthcare professionals

Report to

Adult Protective Services, Department of Human Services

Timeline

Immediately / as soon as possible

Penalty for failure

Class B misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers treating injuries from suspected domestic violence

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, and healthcare facility administrators

Report to

Utah Department of Health and Human Services, Division of Disease Control and Prevention

Timeline

Within 24 hours

Penalty for failure

Class B misdemeanor

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

All healthcare providers treating gunshot wounds or stab wounds

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Class B misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Utah Compliance FAQs

Utah's Protection of Personal Information Act requires notification within 60 days of discovery of the breach — matching the federal HIPAA outer limit. No AG notification threshold is set in statute, but harm-analysis documentation is required. Civil penalties under the Consumer Protection Act run up to $2,500 per violation with a $100,000 aggregate cap. The Utah Consumer Privacy Act adds consumer-data obligations on top of the standard breach framework.

Utah requires seven years from last encounter under Utah Admin. Code R380-200. The seven-year rule covers adult, pediatric, and most specialty records — Utah's framework is unusual in not setting a separate pediatric overlay, so the seven-year clock starts from last encounter regardless of patient age. Practices should still consider federal pediatric retention recommendations and state-of-practice norms when destroying pediatric charts.

Yes. The Utah CSD permits delegation to clinical staff — medical assistants, registered nurses, and licensed practical nurses — provided each delegate registers under the supervising prescriber at dopl.utah.gov. The prescriber remains accountable for the every-Rx check, with carve-outs for hospice, cancer treatment, ≤3-day ER supplies, and inpatient/long-term-care administration. Willful noncompliance is a Class B misdemeanor in addition to DOPL licensing discipline and civil penalties up to $5,000 per violation.

Failing to file a mandated gunshot-wound report in Utah is a Class B misdemeanor under Utah Code §26B-8-505. All healthcare providers treating gunshot wounds or stab wounds must report to local law enforcement. Good-faith reporters are immune from civil and criminal liability. The reporting trigger is the treatment encounter rather than the prescription or admission decision — meaning urgent-care and ER providers carry the bulk of practical reporting volume in Utah.

The Utah Consumer Privacy Act primarily targets businesses processing consumer data of 100,000+ Utah residents or earning 50%+ revenue from consumer-data sales. Most small healthcare practices fall below those thresholds and remain governed by HIPAA and Utah Code §13-44. However, healthcare-adjacent businesses — telehealth platforms, wellness apps, patient-engagement vendors — frequently meet the UCPA thresholds and must layer UCPA obligations on top of HIPAA and state breach notification.

Stay audit-ready in Utah

GuardWell tracks Utah-specific breach deadlines, retention periods, Utah Controlled Substance Database PDMP queries, and mandatory reporting obligations automatically.
