StacksVerified U.S. regulatory reference

42 CFR §422.118

Verified against eCFR.gov as of June 20, 2026View official text on eCFR.gov
For any medical records or other health and enrollment information it maintains with respect to enrollees, an MA organization must establish procedures to do the following:
  1. (a)Abide by all Federal and State laws regarding confidentiality and disclosure of medical records, or other health and enrollment information. The MA organization must safeguard the privacy of any information that identifies a particular enrollee and have procedures that specify—
    1. (1)For what purposes the information will be used within the organization; and
    2. (2)To whom and for what purposes it will disclose the information outside the organization.
  2. (b)Ensure that medical information is released only in accordance with applicable Federal or State law, or pursuant to court orders or subpoenas.
  3. (c)Maintain the records and information in an accurate and timely manner.
  4. (d)Ensure timely access by enrollees to the records and information that pertain to them.