Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments)

Yes. Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments) addresses Data Governance through 1 provision.

Does Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments) require Data Governance?

Utah • enforcing

Yes — 1 provision

This regulation imposes 3 specific requirements for Data Governance across 1 provision:

No sale/sharing — May not sell or share identifiable health information or user input with third parties
Health care exception — Permitted when user-consented or user-requested to health care provider or health plan
HIPAA-equivalent controls — Third-party sharing for functionality requires HIPAA Parts 160 + 164 Subparts A/E compliance as if supplier were a covered entity

Obligation:

enforcing

Effective:

May 7, 2025

Risk tier:

high-risk

Scope:

mental health chatbot suppliers

Requirement	Details
No sale/sharing	May not sell or share identifiable health information or user input with third parties
Health care exception	Permitted when user-consented or user-requested to health care provider or health plan
HIPAA-equivalent controls	Third-party sharing for functionality requires HIPAA Parts 160 + 164 Subparts A/E compliance as if supplier were a covered entity

Violation	Fine
Same as chatbot disclosure	$2,500 admin / court / $5,000 order violation