§ 14-138. Disclosure of medical or claims information  


Latest version.



  •    (a) Prohibited. -- Except as provided in subsection (b), (c), or (d) of this section, a nonprofit health service plan or Blue Cross or Blue Shield plan may not disclose specific medical information contained in a subscriber's or certificate holder's medical or claims records.

    (b) Exception -- Disclosure to or authorized by subscriber or certificate holder. -- A nonprofit health service plan or Blue Cross or Blue Shield plan may disclose specific medical information or medical data contained in a subscriber's or certificate holder's medical or claims records:

       (1) to the individual or individual's agent or representative; or

       (2) if the individual authorizes the disclosure.

    (c) Exception -- Disclosure without authorization of subscriber or certificate holder. -- A nonprofit health service plan or Blue Cross or Blue Shield plan may disclose specific medical information contained in a subscriber's or certificate holder's medical records without the authorization of the subscriber or certificate holder:

       (1) to a medical review committee, accreditation board, or commission, if the information is requested by or is in furtherance of the purpose of the committee, board, or commission;

       (2) in response to legal process;

       (3) to another nonprofit health service plan, Blue Cross or Blue Shield plan, or insurer to coordinate benefit payments under multiple sickness and accident, dental, or hospital medical contracts;

       (4) to a government agency performing its lawful duties as authorized by an act of the General Assembly or United States Congress;

       (5) to a researcher, on request, for medical and health care research in accordance with a protocol approved by an institutional review board;

       (6) in accordance with a cost containment contractual obligation to verify that benefits paid by the nonprofit health service plan were proper contractually;

       (7) to a third party payor if:

          (i) the third party payor does not further disclose the specific medical or claims information; and

          (ii) the information is required for an audit of the billing made by the plan to the payor;

       (8) to evaluate and adjust a claim for benefits under a policy or to evaluate and calculate provider fiscal incentives or other types of provider payments; or

       (9) to the individual's treating providers for the sole purposes of enhancing or coordinating patient care or assisting the treating providers' clinical decision making, provided that:

          (i) a disclosure under this item is subject to the additional limitations in § 4-307 of the Health - General Article on disclosure of a medical record developed primarily in connection with the provision of mental health services;

          (ii) medical information or medical data contained in an insured's medical or claims records may be disclosed only in accordance with the federal Health Insurance Portability and Accountability Act of 1996, any regulations adopted under the Act, and any other applicable federal privacy laws, and disclosures under this item may not be made in violation of the prohibited uses or disclosures under the federal Health Insurance Portability and Accountability act of 1996;

          (iii) a nonprofit health service plan or Blue Cross or Blue Shield plan that discloses medical information or medical data contained in an insured's medical or claims records in accordance with this item shall provide a notice consistent with the requirements of 45 C.F.R. § 164.520 specifying the information to be shared, with whom it will be shared, and the specific types of uses and disclosures that the nonprofit health service plan or Blue Cross or Blue Shield plan may make in accordance with this item;

          (iv) the notice required by item (iii) of this item shall include an opportunity for the individual to opt-out of the sharing of the individual's medical information or medical data contained in an individual's medical or claims records with the individual's treating providers for the purposes identified in this item; and

          (v) if a nonprofit health service plan or Blue Cross or Blue Shield plan discloses medical information or medical data through an infrastructure that provides organizational and technical capabilities for the exchange of protected health information, as defined in § 4-301 of the Health - General Article, among entities not under common ownership, the nonprofit health service plan or Blue Cross or Blue Shield plan is subject to the requirements of § 4-302.2 and 4-302.3 of the Health - General Article.

    (d) Exception -- Identity of subscriber or certificate holder not disclosed. -- This section does not prohibit the use of medical records, data, or statistics if the use does not disclose the identity of a particular subscriber or certificate holder.

    (e) Liability for damages. -- A nonprofit health service plan that knowingly violates this section is liable to a plaintiff for any damages recoverable in a civil action, including reasonable attorney's fees.


HISTORY: An. Code 1957, art. 48A, § 354-O; 1997, ch. 35, § 2; 1998, ch. 21, § 1; 2012, ch. 326.