Obligations

Requirement

1 legal instrument
A mental health chatbot supplier must draft, file with Utah's Division of Consumer Protection, and operationally comply with a fifteen-element written safety policy covering purposes, clinical practices, testing, risk protocols, user reporting, HIPAA posture, and more. Compliance with the filed policy at the time of an alleged violation provides an affirmative defense against §58-1-501(1)-(2) unauthorized-practice actions.
1 legal instrument
Before performing any RMA-authorized procedure, a Dentacor-employed hygienist must obtain patient informed consent that explicitly discloses the absence of dentist supervision and explains that a hygienist does not have the full training or scope of practice of a dentist.
1 legal instrument
A supplier engaged in a "high-risk AI interaction" in a regulated occupation must proactively disclose GenAI use before the interaction begins — verbally at the start of an oral exchange, and in writing before a written exchange. The high-risk tier is statutorily defined and narrower than general consumer interactions.
2 legal instruments
A consumer-facing GenAI service must display a clear, prominent disclosure that the consumer is interacting with an AI system at the start of each session.
1 legal instrument
A supplier using generative AI in a consumer transaction must disclose that fact when the consumer makes a clear and unambiguous request. A safe harbor is available: a clear and conspicuous disclosure at the outset and throughout the interaction eliminates enforcement exposure, regardless of whether a request is made.
1 legal instrument
ElizaChat must be released in three sequential phases — OAIP trusted-tester cohort, OAIP-reviewed limited student cohort, and full Utah-district student availability — with written OAIP approval required before advancing to each subsequent phase.
1 legal instrument
Before granting any user access to ElizaChat app functionality, the participant must present a five-element disclosure — participant identity, GenAI use notice, testing-risk notice, data use and sharing practices, and OAIP complaint channel — in clear and conspicuous form, and must secure user acknowledgment before access is granted.
4 legal instruments
An RMA participant must implement data security measures conforming to Utah Code §63A-19-102 and maintain a cybersecurity framework that is updated on an ongoing basis to address emerging threats and vulnerabilities. No statutory or common-law cybersecurity obligation is waived by the RMA.
4 legal instruments
Within thirty days after the end date of an RMA, the participant must file a written report with OAIP summarizing the demonstration, any incidents of harm, any legal actions, and any complaints filed against the participant in connection with the mitigation period.
4 legal instruments
An RMA participant agrees to hold OAIP, the relevant Division, and their agents, officers, and employees harmless from any claims, liabilities, damages, losses, or expenses arising from the participant's work performed under the mitigation.
1 legal instrument
An RMA participant must notify OAIP within 24 hours of any incident that results in harm to the health, safety, or financial well-being of a user of the mitigated technology.
4 legal instruments
Each Learning Lab RMA participant submits a monthly report to OAIP at `ai@utah.gov` covering user data, incidents, complaints, research findings, and any other information specified by the Office. The report is the primary ongoing accountability mechanism between participant and regulator during the mitigation period.
2 legal instruments
A participant operating AI-assisted prescription renewal must adhere to Utah's telehealth provider requirements in §26B-4-704, with specific subsections deemed satisfied by following the patient-journey and escalation protocols described in the participant's Proposal (Schedule B). Certain subsections (e.g., the patient-records portability default) are inapplicable; others are substituted by Proposal-section conformance.

Restriction

2 legal instruments
Utah removed "the AI did it" as a defense in both civil and criminal contexts. A principal who uses, prompts, or acts through generative AI remains liable for the resulting statement or act. The criminal rule (§76-2-107, SB 149, effective 2024-05-01) and the civil mirror (§13-75-102, SB 226, effective 2025-05-07) together eliminate the doctrine across Utah consumer-protection and criminal law.
1 legal instrument
A debt collector subject to the Fair Debt Collection Practices Act may not charge a pay-to-pay convenience fee for online or phone payments unless the fee is either expressly authorized by the agreement creating the debt or affirmatively permitted by a specific law. Silence, absence of prohibition, and third-party payment-processor routing do not cure the violation.
1 legal instrument
A mental health chatbot supplier may not sell or share identifiable health information or user inputs with third parties. Narrow exceptions exist for user-consented or user-requested transfers to a health care provider or plan. Third-party sharing for functionality requires HIPAA-equivalent controls (45 CFR Parts 160 and 164, Subparts A and E) as if the supplier were a covered entity.
1 legal instrument
An organization fails §501(c)(3) exemption where its Articles of Incorporation neither limit purposes to exempt activities nor dedicate assets to exempt purposes on dissolution, and where a substantial portion of its activities consists of unrestricted commercial leasing coupled with fundraising that benefits a for-profit entity controlled by one of its own Directors. Bylaws containing the required provisions do not cure deficient Articles; a single substantial non-exempt purpose is disqualifying regardless of any exempt purposes present.
4 legal instruments
An RMA participant may not reference the existence of the agreement in advertising, media, or promotional materials. The mitigation is a regulatory posture, not a marketable endorsement by the State of Utah.

Permission

2 legal instruments
During the mitigation period, a participant may use its AI technology to authorize the renewal of a verified prescription for a Utah resident and issue such prescriptions to a pharmacist licensed under Utah Code §58-17b. Mitigation applies solely to the renewal workflow described in the Proposal; it does not extend to new prescriptions, other services, or products outside the authorized scope.
1 legal instrument
A registered FCM, swap dealer, or introducing broker that qualifies for the CTA exclusion or exemption does not lose that status solely because it begins receiving a separate unbundled fee for commodity trading advice. The "solely incidental" or "solely in connection with" test continues to govern under a facts-and-circumstances analysis; separate compensation is one factor but is not dispositive.
1 legal instrument
During the Dentacor demonstration period, the Utah Division of Professional Licensing (DOPL) forgoes enforcement of unlawful and unprofessional-conduct actions under Utah Code §58-69-5 solely for conduct authorized by the RMA. Enforcement remains in full force for any conduct outside the mitigation scope.
1 legal instrument
Licensed Utah dental hygienists employed by Dentacor may diagnose periodontal disease, complete edentulism, and complete anodontia using an AI-assisted radiograph diagnostic tool in place of general dentist supervision. Diagnosis requires concurrence of both the hygienist and the AI system, and is limited to the procedures authorized under the companion permission (scaling and root planing; fitting of full dentures).
1 legal instrument
On the facts represented, an incentive-fee management contract between a §501(c)(3) bond issuer and a hotel manager — where the incentive fee is calculated on gross revenue subject to an adjustment contingent on a net-profit-variant metric — does not constitute sharing of net profits under Rev. Proc. 2017-13 §5.02(2) and therefore does not cause private business use under IRC §141. The ruling applies only to the requesting taxpayer on the specific facts presented.
2 legal instruments
A person deploying AI in Utah may enter either a Regulatory Mitigation Agreement (RMA) — which waives specified law in exchange for safeguards, data sharing, and disclosures — or a Joint Interpretation Agreement (JIA) — which clarifies how existing statute applies to a specific AI use without waiver. Agreements run for an initial twelve months with up to two twelve-month extensions, counterparties include OAIP plus the relevant state agency (or judiciary, higher-ed, or political subdivision under HB 320), and participants must satisfy five statutory eligibility prongs.
2 legal instruments
DOPL forgoes unlawful-conduct and unprofessional-conduct enforcement under §58-1-501(1)-(2) and related professional-licensing provisions against any provider who (1) acts solely as the named prescriber for AI-authorized renewals, (2) does not interact directly with a patient or other provider, and (3) complies with the RMA terms. Forbearance applies only to conduct authorized by the agreement.
1 legal instrument
An issuer conducting a Rule 506(c) offering satisfies the "reasonable steps to verify" accredited-investor requirement when it (1) imposes a minimum investment amount high enough that only accredited investors would reasonably be expected to meet it, (2) obtains written representations of accredited status and that the investment is not financed by a third party for purposes of the investment, and (3) has no actual knowledge of contradictory facts. The position restates the principles-based standard; it does not create an exclusive verification method.