AI Healthcare Regulations in Utah: A Comprehensive Guide

Quick Answer: Current State of AI Healthcare Regulation in Utah

Utah does not have a dedicated AI-in-healthcare statute. AI use by Utah providers is governed by a combination of existing state health and privacy law, federal medical device regulation, and HIPAA. Agency guidance and professional licensing standards supplement these rules.

The state's general posture toward AI has been cautiously permissive. Utah passed the Utah Artificial Intelligence Policy Act (Utah Code §13-73) in 2024. This law focuses on generative AI disclosure obligations for businesses but does not specifically address clinical AI tools or patient safety. Healthcare-specific AI oversight comes primarily from:

• Federal level: FDA regulation of AI/ML as Software as a Medical Device (SaMD), HIPAA Privacy and Security Rules (45 CFR Parts 160, 162, and 164), and FTC consumer protection authority.
• State level: Utah Health Code (Utah Code Title 26B), professional licensing requirements administered by the Utah Division of Professional Licensing (DOPL), and the Utah Consumer Privacy Act (Utah Code §13-61).

Regulators and enforcement bodies prioritize patient safety, data privacy, and equitable deployment. Adherence to these principles positions providers for compliance as state-specific AI legislation evolves.

Utah's Legislative Framework for AI in Healthcare

Existing State Statutes That Touch AI

No Utah statute explicitly addresses "artificial intelligence" in a healthcare-specific context with binding clinical requirements. Instead, existing law regulates the activity, not the technology.

Utah Consumer Privacy Act (UCPA), Utah Code §13-61-101 et seq. Effective December 31, 2023, this law grants consumers rights over personal data, including sensitive health data processed by covered entities. If an AI system processes identifiable patient data outside a HIPAA-covered transaction, the UCPA may apply. Controllers must conduct data protection assessments for processing that presents heightened risk, including profiling with legal or similarly significant effects on consumers (Utah Code §13-61-302).

Utah Health Code, Utah Code Title 26B. Licensing requirements for hospitals, clinics, and health professionals under Title 26B do not mention AI directly. However, they impose standards of care and facility operation requirements that AI tools must meet. A diagnostic AI tool producing clinical output is subject to the same standard-of-care expectations as any other clinical decision support.

Utah Artificial Intelligence Policy Act, Utah Code §13-73-201 et seq. Passed in 2024 and amended in 2025, this act requires certain businesses using generative AI to interact with consumers to disclose that fact. The healthcare carve-out question is not fully resolved. Providers should consult the Utah Division of Consumer Protection for current guidance on whether patient-facing AI chatbots trigger disclosure obligations.

Utah Consumer Protection Act, Utah Code §13-11-1 et seq. Deceptive or misleading claims about AI capabilities in healthcare products or services could trigger enforcement under this act. This is particularly relevant for vendors marketing AI diagnostic tools to Utah providers.

State-Level Task Forces and Legislative Activity

Utah's Legislature has shown broad interest in AI. The 2024 session produced HB 452 (the AI Policy Act). As of the 2025 session, legislators introduced additional bills addressing AI transparency and liability, though none had passed with healthcare-specific clinical AI provisions at the time of this writing. Consult the Utah Legislature's website (le.utah.gov) and the Utah Office of Artificial Intelligence Policy for current bill status.

The Utah Office of Artificial Intelligence Policy, established under the 2024 legislation, serves as a sandbox coordinator. Healthcare organizations can apply for regulatory mitigation through this office. This office can provide limited liability protection during AI pilot programs (Utah Code §13-73-301). This is a meaningful tool for providers testing novel AI clinical applications.

Role of Utah DHHS and DOPL

The Utah Department of Health and Human Services (DHHS) oversees facility licensing, Medicaid program integrity, and public health data systems. While DHHS has not issued AI-specific administrative rules under the Utah Administrative Code (UAC) R380 series as of this writing, its existing authority over clinical operations means AI tools embedded in licensed facilities fall under DHHS oversight indirectly. Consult DHHS directly for current rulemaking activity.

The Utah Division of Professional Licensing (DOPL) licenses physicians, nurses, and other clinicians under Utah Code Title 58. Professional discipline for substandard care caused or contributed to by AI misuse would flow through DOPL. Clinicians remain personally accountable for clinical decisions, regardless of whether an AI system informed them. DOPL administrative rules are codified in UAC R156.

Federal Regulations Impacting AI in Utah Healthcare

FDA Oversight of AI/ML Medical Devices

The FDA is the primary regulator for AI tools that meet the definition of a medical device under the Federal Food, Drug, and Cosmetic Act (FD&C Act, 21 U.S.C. §321(h)). AI/ML software intended to diagnose, treat, mitigate, cure, or prevent disease is regulated as Software as a Medical Device (SaMD).

Premarket pathways depend on risk classification. Most AI diagnostic tools go through 510(k) clearance, demonstrating substantial equivalence to a predicate device. Others may use De Novo classification for novel low-to-moderate risk devices. High-risk AI tools require Premarket Approval (PMA). The FDA's 2021 action plan for AI/ML-based SaMD and subsequent draft guidance documents outline the agency's expectations for algorithm transparency, performance testing, and change management protocols.

A 2026 cross-sectional analysis of FDA-authorized oncology AI/ML devices found that the clinical evidence supporting these authorizations varies substantially in study design, patient population, and outcome measures (Litt H et al., Journal of Cancer Policy, PMID 42025919). Utah oncology providers evaluating AI diagnostic tools should scrutinize the specific clinical evidence package submitted for FDA authorization, not just the clearance status.

Generalizability is a documented challenge. Research on wearable-based algorithms demonstrated that models trained on one patient population may not perform reliably on another without transfer learning or revalidation (Tangolar D et al., Computers in Biology and Medicine, PMID 41955753). This finding has direct implications for Utah providers: FDA clearance does not guarantee performance in your specific patient population. Local validation is a clinical and risk management imperative.

Postmarket surveillance requirements under 21 CFR Part 822 and the FDA's Real-World Performance monitoring framework require manufacturers to track device performance after market entry. Providers who identify performance issues have a pathway to report through MedWatch (FDA Form 3500A).

HIPAA Compliance

HIPAA governs any AI system that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity or business associate (45 CFR §160.103). Key requirements for AI deployments: