DHHS website privacy notice
This privacy notice addresses the following:
Overview of our privacy practices
Who uses our services
What website tracking technology do we use and why
What personal data we collect
Why we collect personal data
How we collect personal data
With whom do we share personal data
We do not sell personal data
How we protect personal data and breach notice
Transfers of personal data
What happens if you do not provide us with your personal data
How long we keep personal data
Your privacy rights
How you can contact us
Key terms
Overview of our privacy practices
We take your privacy seriously at the Utah Department of Health and Human Services (DHHS). We work hard to respect your privacy rights and let you know how we may use your personal data. This privacy notice describes our general privacy practices.
We may provide other notices, and may seek your consent to use your personal data on forms, posted signs, and other webpages. These other notices and consents may be more specific than this privacy notice and address requirements under specific privacy laws.
Who uses our services
As a state of Utah department, our website and services are intended for people who live in Utah or plan to live in Utah. We do not intend to provide services to people who are located in other countries. And we do not intend to monitor these people’s behavior or collect their personal data. We also do not intend to provide our website and services to under-age children (e.g. 13 in US, 14 in China, 16 in the EU, etc.) without the permission of their parents or legal guardians.
If you are located in another country, you should know that your personal data will be treated the same as the personal data we collect from people located in Utah. We also do not know if you are under-age until we become aware that you are located in another country or are a child who is under-age. If you let us know that we have collected your personal data while you have been in another country or under-age, we will work to comply with the privacy laws that apply.
What website tracking technology do we use and why
Our service provider, the Utah Division of Technology Services, uses Google Analytics and Qualtrics XM to track web traffic. Both of these services may put cookies on your browser when you visit our website. We may embed videos in our website which may introduce cookies from streaming platforms like YouTube. Cookies are small text files that gather information about your visit to our website. Cookies can make our website more helpful to you and provide us with information so that we can better engage you. Other web tracking technologies like beacons can perform similar functions as cookies.
For your personal data that we may collect from you on our website using tracking technologies like cookies, we have adopted the Utah General Retention Schedule (GRS) 1720. After the cookies expire, this GRS requires that we retain your personal data at most for a year or until we meet our business needs, whichever is for less time. We then delete this personal data.
In the table below, we list the cookies that are enabled in Google Analytics and Qualtrics XM, the information the cookies collect, the purposes and uses of the information, and with whom we share the information.
Cookies | Personal data | Purpose and uses | Shared with |
---|---|---|---|
_ga | A unique ID and session timestamps | Google Analytics: used to distinguish users | Google and its subprocessors |
_ga_ | A unique ID and session timestamps | Google Analytics: used to persist session state | Google and its subprocessors |
_gat_ | A unique ID | Google Analytics: used to throttle request rate | Google and its subprocessors |
_gat_gtag_UA_5219135_14 | A unique ID | Google Analytics: used to throttle request rate | Google and its subprocessors |
_gat_UA-xxxxxxx-x | A unique ID | Google Analytics: used to throttle request rate | Google and its subprocessors |
_gid | A unique ID and session timestamps | Google Analytics: used to distinguish users | Google and its subprocessors |
Q_INTER | Session ID and timestamp | Qualtrics XM: used to decide whether to show another intercept | Qualtrics and its subprocessors |
QSI_ActionSetHistory | A unique ID and timestamps | Qualtrics XM: used to learn how users interact with surveys and website | Qualtrics and its subprocessors |
_utma | A unique ID, timestamps of visits, total number of visits, first and previous visit times | Google Analytics: used to distinguish users and sessions | Google and its subprocessors |
_utmb | IP address, timestamp of the current visit, and session start time | Google Analytics: used to calculate new sessions | Google and its subprocessors |
_utmc | IP address and timestamp of exiting website | Google Analytics: used to detect if a new visit to the site occurs | Google and its subprocessors |
_utmt | Does not collect personal data | Google Analytics: used to calculate website speed. | Google and its subprocessors |
_utmz | IP address and stores the traffic source or campaign | Google Analytics: used to measure traffic to and navigation on the website | Google and its subprocessors |
What personal data we collect
We collect and use different types of your personal data depending on your relationship and how you interact with us. For example, we may request or collect the following types of personal data:
- Names: like given names, middle names, family names (e.g. paternal names, maiden names, married names), and preferred names;
- Contact information: like mailing addresses for where you live, where you are from, or post office boxes; fax, pager, telephone, and SMS device numbers; uniform resource locators (URLs); and email addresses;
- Location information: like geographic subdivisions including state, street address, city, county, precinct, ZIP code, census tracts, or metropolitan statistical areas; for state owned or managed devices, location information such as from GPS, information from device’s sensors, and devices’ connections to our networks; and location associated with other geocodes;
- Identification numbers: like social security, account, insurance, driver license, license plate, patient account, medical record, vehicle identification, device identifier, and device serial numbers.
- Digital information: like authenticators and identifiers (usernames, passwords, passcodes, security questions, etc.); browser histories; IP addresses; browser and device types and settings; operating systems; mobile network information; application version numbers; interactions between your apps, browsers, and devices and our networks and IT services; crash reports; information system, software, and device activities; and associated metadata.
- Demographic information: like birth and death dates, birth and death places, ages, ethnicities, race, personal, family, work histories, family and tribal relationships, languages spoken, adoptions, custody, guardianship, competency, housing insecurity, homelessness, military service, and participation in our services;
- Health information: like medical records and histories that describe physical, mental, and drug related health conditions and treatments; enrollment, treatment and discharge dates; payments owed, amounts, and dates; insurance information; public health, laboratory test, and genetic information; and causes of death.
- Financial information: like credit and debit card numbers, federal and state tax information, tax identification numbers, transaction histories, child support payment and default histories, medical reimbursement information, and business information.
- Research information: like answers to surveys, interviews, ethnographic information, field notes, interventions, quality improvement projects, research journals, photographs, videos, and audio recordings.
- License information: like information about licensed programs and individuals, inspections, assessments, and penalties.
- Background information: like biometric, identity history, biographic, property, case, and incident data.
- Employment or volunteer information: like applications, written interviews, job titles, work hours, personnel files, work history, background checks, personal references, communications, requests for accommodations or leave, disciplinary complaints, conduct hearings and dispositions, and investigations.
Why we collect personal data
We are the largest Utah department and have many reasons why we use personal data. We work hard to only collect personal data that the law allows us to collect and that we need to do our job as a health and human services agency. For example, we use personal data for the following reasons:
- Consent or notice: We use your personal data if you provide us with your consent or we provide you with notice. Different countries and activities have different privacy laws that may apply to notice and consent requirements. We work hard to provide lawful notice and consent before we collect and use your personal data. And we work hard to only use or share your personal data consistent with our notices and consents. Some privacy laws allow you to change your mind about permitting us to collect your personal data. Let us know in writing if you change your mind.
- Our core mission: We use personal data to perform our health and human service responsibilities for the state of Utah. These responsibilities include:
  - Health planning
  - Medical assistance
  - Social services
  - Alcohol and drug related mental health programs
  - Child welfare
  - Elderly services
  - Public health, maternal and child health
  - Services for individuals with a disability
  - Administering federal-assisted-state plans and programs and block grants
  - Enforcing and implementing our core mission policies and procedures
- IT management: We use personal data to manage our IT resources. For example, we may use personal data to:
  - Provide you with our IT services which may include access to our information systems
  - Take steps to protect the security and privacy of our information systems and your personal data which may require that we monitor, log, respond to, recover from, and learn from your digital activities
  - Track your activities on our webpages for data analytics purposes
  - Enforce and implement our IT management policies and procedures
- Outreach and engagement services: We use personal data to provide outreach and community services. For example, we use personal data to:
  - Recruit, evaluate applications, and admit and register people in our programs or other events
  - Evaluate applications for services and to administer the services
  - Conduct in-person outreach and community events
  - Learn about the community's needs and interests
  - Improve experiences on our webpages and information systems
  - Communicate, provide information, and respond to requests for information
  - Enforce and implement our outreach and engagement policies and procedures
- Research and grant management: We use personal data to research and manage grants. For example, we use personal data to:
  - Review proposed research, do research, and respond to research concerns
  - Apply for, receive, and manage grants
- Human resources management: We use personal data for human resources (HR) management. For example, we use personal data to:
  - Screen, interview, rank, background check, hire, pay, provide benefits to, manage, and end relationships with our potential employees and our employees
  - Enroll and manage our volunteers
  - Provide due process, resolve disputes, and address employee conduct issues
  - Provide reasonable accommodations
  - Manage employee wellness programs
  - Manage vacation and sick leave
  - Enforce and implement our HR policies
- Operations: We use personal data for our operations. For example, we use personal data to:
  - Perform our legal, administrative, and financial functions
  - Secure and use services from a separate service provider
  - Make or receive payments
  - Review, negotiate, enter into, manage and end contracts
  - Perform quality improvement and evaluation activities
  - Comply with laws including required disclosures
  - Protect our community
  - Provide facility management services
  - Manage and reserve facilities and equipment
  - Enforce and implement our business operations’ policies and procedures
How we collect personal data
We collect personal data in a number of ways given our mission. For example, we collect personal data in the following ways:
- From you: You can provide us with your personal data in a number of different ways. For example, you may provide us with your personal data when:
  - You visit our websites
  - You communicate with us
  - You create accounts or use our information systems
  - You apply for, enroll in, and use our services
  - You pay us or we pay you
  - You respond to a request for proposal for goods and services
  - You enter into agreements with us
  - You participate in quality improvement projects and research projects
  - You apply to work and work for us
  - You volunteer or participate in our internship opportunities
  - You enroll and attend events sponsored by us
  - You otherwise interact with us
- From others: We may receive your personal data from others in a number of different ways. For example, we may receive your personal data from:
  - Legal guardians and representatives
  - Federal government
  - Divisions and departments of the state of Utah and local entities from Utah, and other US states
  - Our service providers and partners such as through required reporting (e.g. communicable disease)
- From automatic means: We may receive your personal data from a number of automatic means. For example, we may receive your personal data from:
  - Cookies, beacons, and similar web tracking technologies
  - Social media tools, widgets, or plug-ins to connect you to your social media accounts
With whom do we share personal data
We share personal data with others in a number of situations. We strive to only share personal data allowed under the law. For example, we share personal data in the following circumstances:
- When you share: Our services and information systems may let you share your personal data with other people. In this situation, you have control over what and how you share your personal data. For example, you may share your personal data with other people by:
  - Using the email system that we manage
  - Posting messages on systems that we manage
  - Sharing electronic folders and files in digital storage systems that we manage
- Our workforce: We may share your personal data with our employees, volunteers, members of our committees, or other agents for our business purposes as a public health and human services agency.
- When we share with others: We work hard to follow the law and do not share your personal data with other state agencies, outside companies, organizations, or individuals except:
  - With your consent: We share your personal data when we have your consent.
  - For outside use: We share your personal data with service providers, partnerships with other state and federal entities, and volunteers who have obligations to not further share your personal data except with their service providers. For example, we use service providers to provide data centers, software as a service, deliver our products and services, improve our internal business processes, and offer additional support. We also work with universities and other public health entities to do research and perform grant activities. Sometimes, these research and grant activities involve the sharing of personal data with our partners and the granting organization.
  - For legal reasons: We share your personal data with others when access, use, preservation, or disclosure of your personal data is necessary to:
    - Meet any applicable law, regulation, legal process, or enforceable governmental request
    - Enforce our policies and procedures including investigation of potential violations
    - Detect, prevent, or otherwise address fraud, security, or technical issues
    - Protect against harm to the rights, property or safety of our agency community as required or permitted by law
We do not sell personal data
We do not sell your personal data as those key terms are used in this policy or Utah law.
How we protect personal data and breach notice
We work hard to protect personal data. We carefully consider who we trust with personal data. We obligate many of our service providers to protect personal data, and we turn on and use security features in service providers’ products and services. Our workforce is trained to follow our privacy and security policies. These policies help our workforce make better privacy and security decisions. When we find a security problem, we work hard to fix it. This includes breaches of personal data. If a breach of your personal data occurs, we work hard to let you know. We continually consider how we can better protect personal data and then make changes to do better in the future.
Transfers of personal data
We generally require our service providers to use data storage locations in the US. If we unintentionally collect your personal data in another country, it is likely that we will transfer your personal data to the US. If transferring your personal data requires that we enter into agreements (Standard Contractual Clauses), we will work to legally transfer your personal data.
What happens if you do not provide us with your personal data
There may be different consequences if you do not provide us with your personal data. For example, the following consequences may occur:
- Our core mission: If you do not provide us with your personal data, you may not be able to receive services relating to our core mission to provide health and human services. This is because we often determine eligibility for our services using personal data. And personal data like health information is often necessary to provide certain services like our health care services.
- IT management: Many of our information systems require that you have a UtahID to log into these systems. To create a UtahID, you need to provide certain personal data (see UtahID creation). Our information systems often track your activities in the systems. If you do not wish to share your personal data with us, you may not be able to use many of our information systems.
- Outreach and engagement services: We do not always collect personal data to provide our outreach and community services. However some community events may require that you sign up for these events. If you do not want to provide the personal data needed to sign up for these events, you may not be able to participate in these events.
- Research: If you do not want to share your personal data for research purposes, you may not be able to participate in the research activities.
- Human resources management: We need your personal data to consider your application for employment. If you are hired by us, we will need your personal data as your employer. If you do not want to share your personal data with us for employment purposes, you will not be able to be our employee.
- Operations: We may not be able to have certain relationships with you relating to operation functions if you do not want to provide us with your personal data. For example, we would not be able to enter into a contract with you or pay you as a service provider if we do not have certain personal data.
How long we keep personal data
We keep personal data for different periods of time depending on what it is and how we use it. Many of our record retention schedules can be found at the Utah Division of Archives and Record Services’ website. Here is a direct link to look up record series according to our department’s divisions. At the point of collection, we work hard to provide the relevant record series so you can be informed about how long we keep your personal data.
Here is a direct link to the retention schedules for the state of Utah which apply if we do not have a retention schedule for the type of records in our retention schedules. Once you have navigated to the Utah Division of Archives, you can find the relevant retention schedule through a key word search.
Your privacy rights
When privacy rights apply: You have different privacy rights depending on:
- Where you are physically located when we collect your personal data
- What activities we are doing
- What relationship you have with us
- What types of services you receive from us
Different privacy rights: If you contact us to exercise your privacy rights, we work hard to identify what privacy rights apply. Here are examples of different privacy rights:
- Utah law: Under Utah law, you have the right to:
  - Request to correct: You have the right to request that we correct our records that contain your personal data. To do this, you will need to provide us with your name, mailing address, and telephone number. And you will need to briefly explain the reasons why we should correct your personal data.
  - Request to access: You have the right to request access to our records that contain your personal data. To do this, you will need to provide us with your name, mailing address, email address (optional if you want to receive responses to your email), and telephone number. And you will need to provide a specific description of the record that contains your personal data. You can make this request through the Open Records Portal or by contacting the DHHS program from where you received services.
  - File a complaint: You have the right to file a complaint to the data privacy ombudsperson. To do so, you need to go to the following link and follow the instructions located there.
  - For at-risk-employees, request personal data to be private: If you are an at-risk employee under Utah law, you can request that our records that contain your personal data be classified as private. Contact [email protected] to initiate this request.
- Health laws: There are several health related laws with which we comply. One of them is the Health Insurance Portability and Accountability Act (HIPAA). We provide a notice of privacy practices (NPP) to people who receive services from us governed by HIPAA (e.g. our Medicaid NPP). Our NPPs address our uses and disclosures of protected health information (PHI) and our business duties under HIPAA. The NPPs also provide notice of the following privacy rights:
  - Copies: You have a right to access and obtain an electronic or paper copy of your medical record containing your PHI.
  - Request to correct: You have a right to ask us to correct your medical record that contains PHI.
  - Request confidential communications: You have a right to request that we contact you in specific ways that are reasonably confidential for our services governed by HIPAA.
  - Request restriction: You have a right to ask us to limit what we use or share of your PHI.
  - Records of disclosures: You can get a list of those with whom we’ve shared your PHI.
  - Copy of NPP: You can get a paper copy for the relevant NPPs when you ask for them.
  - Legal representative: You have a right to choose someone to act for you, such as to receive your PHI and make health decisions for you.
  - File a complaint: You can file a complaint about us if you feel we have violated your rights. And we will not retaliate against you. You can file a complaint by directly contacting us. You can also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) by:
    - Sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201,
    - Calling 1-877-696-6775, or
    - Visiting OCR’s complaint website.
- Other countries: If you are in another country, we are not offering you services. We do not intend to monitor your behavior or collect your personal data. That being said, it is possible that we may need to provide you with the privacy rights provided by your country’s privacy laws. In some countries, you have a right to: withdraw your consent any time from us using your personal data; opt-out of automated decision making; limit the use of your personal data; access and request copies of your personal data; transfer your personal data at your request; request correction or deletion of your personal data; request an explanation of the rules governing our use of your personal data; and manage your deceased next of kin’s privacy rights.
How you can contact us
When you contact us be ready to address the following:
- Identify yourself (e.g. your name, IP address, email address, ID number, etc.)
- Help us to verify that the applicable law applies to you
- Identify the type of personal data that you are concerned about
- State what questions you have or rights you wish to exercise
- Identify where the personal data was collected if known (e.g. website)
If you would like to contact us about this privacy notice, you may do so by emailing us at [email protected].
Key terms
We use key terms in the following way:
- “Automated decision making” means using personal data to make a decision about an individual through automated processing, without human review or intervention.
- “Utah Department of Health and Human Services” or “DHHS” means a Utah agency who determines the purpose and means of processing your personal data. In the state of Utah, DHHS is responsible for the state of Utah’s health planning, medical assistance, social services, alcohol and drug related mental health programs, child welfare, elderly services, public health, maternal and child health, services for individuals with a disability, and administering federal-assisted-state plans and programs and block grants. DHHS is referred to in this privacy notice as “we,” “our,” or “us.”
- “Individual” means “you” as the reader of this privacy policy if you are a real human being and not some corporate entity. You are referred to in this privacy notice as “you” or “your.”
- “Personal data” means information that is linked or can be reasonably linked to an identified individual or an identifiable individual.
- “Use” or “Using” means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, access, retrieval, consultation, use, disclosure by transmission, transfer, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Sell” means an exchange of personal data for monetary consideration by us to a third party. “Sell” does not include a fee charged by a governmental entity for access under the Government Records Access and Management Act; or assessed in accordance with an approved fee schedule.