(a) Except as provided in subsection (b), (c), or (d) of this section, an insurer, or an insurance service organization whose functions include the collection of medical data, may not disclose the contents of an insured’s medical or claims records.
(b) (1) An insurer may disclose specific medical information or medical data contained in an insured’s medical or claims records to:
(i) the insured;
(ii) the insured’s agent or representative; or
(iii) on request of the insured, a physician of the insured’s choice.
(2) An insurer, or an insurance service organization whose functions include the collection of medical data, may disclose specific medical information or medical data contained in an insured’s medical or claims records if the insured authorizes the disclosure.
(c) An insurer, or an insurance service organization whose functions include the collection of medical data, may disclose specific medical information or medical data contained in an insured’s medical or claims records without the authorization of the insured:
(1) to a medical review committee, accreditation board, or commission, if the information is requested by or is in furtherance of the purpose of the committee, board, or commission;
(2) in response to legal process;
(3) to a nonprofit health service plan or Blue Cross or Blue Shield plan to coordinate benefit payments under multiple sickness and accident, dental, or hospital medical contracts;
(4) to investigate possible insurance fraud;
(5) for reinsurance purposes;
(6) in the normal course of underwriting, to an insurer information exchange that may not redisclose the information unless expressly authorized by the person to whom the information pertains;
(7) to evaluate an application for or renewal of insurance;
(8) to evaluate and adjust a claim for benefits under a policy or to evaluate and calculate provider fiscal incentives or other types of provider payments;
(9) to evaluate, settle, or defend a claim or suit for personal injury;
(10) in accordance with a cost containment contractual obligation to verify that benefits paid by the insurer were proper contractually;
(11) to a policyholder if:
(i) the policyholder does not further disclose the specific medical information; and
(ii) the information is required for an audit of the billing made by the insurer to the policyholder; or
(12) to the insured’s treating providers for the sole purposes of enhancing or coordinating patient care or assisting the treating providers’ clinical decision making, provided that:
(i) a disclosure under this item is subject to the additional limitations in § 4–307 of the Health – General Article on disclosure of a medical record developed primarily in connection with the provision of mental health services;
(ii) medical information or medical data contained in an insured’s medical or claims records may be disclosed only in accordance with the federal Health Insurance Portability and Accountability Act of 1996, any regulations adopted under the Act, and any other applicable federal privacy laws, and disclosures under this item may not be made in violation of the prohibited uses or disclosures under the federal Health Insurance Portability and Accountability Act of 1996;
(iii) an insurer or an insurance service organization that discloses medical information or medical data contained in an insured’s medical or claims records in accordance with this item shall provide a notice consistent with the requirements of 45 C.F.R. § 164.520 specifying the information to be shared, with whom it will be shared, and the specific types of uses and disclosures that the insurer or insurance service organization may make in accordance with this item;
(iv) the notice required by item (iii) of this item shall include an opportunity for the insured to opt–out of the sharing of the insured’s medical information or medical data contained in the insured’s medical or claims records with the insured’s treating providers for the purposes identified in this item; and
(v) if an insurer or an insurance service organization discloses medical information or medical data through an infrastructure that provides organizational and technical capabilities for the exchange of protected health information, as defined in § 4–301 of the Health – General Article, among entities not under common ownership, the insurer is subject to the requirements of §§ 4–302.2 and 4–302.3 of the Health – General Article.
(d) This section does not prohibit the use of medical records, data, or statistics if the use does not disclose the identity of a particular insured or covered person.
(e) An insurer that knowingly violates this section is liable to a plaintiff for any damages recoverable in a civil action, including reasonable attorney’s fees.
Structure Maryland Statutes
Title 4 - General Requirements for Insurers
Subtitle 4 - Disclosure Requirements for Insurers
Section 4-401 - Reporting Medical Malpractice Claims or Actions
Section 4-402 - Inspection of Medical Files on Applicants and Claimants
Section 4-403 - Disclosure of Insured's Medical or Claims Records
Section 4-404 - Disclosure of Medical Examination Results by Life Insurer
Section 4-405 - Additional Reporting Requirements; Regulations; Confidentiality