Managed care plans and utilization review entities in Pennsylvania must ensure that all identifiable information regarding an enrollee’s health, diagnosis and treatment remains confidential in compliance with applicable laws, regulations and professional ethical standards.1  Information regarding an enrollee’s health or treatment must be made available to the enrollee, his designee, and others as is necessary to prevent death or serious injury.2  If a managed care plan maintains medical records, it must ensure that enrollees have timely access to their records unless otherwise prohibited by law.3  Plans must also annually submit to the Department of Health a detailed report of its activities, including utilization statistics, the number, type and disposition of all complaints and grievances, and a copy of the plan’s quality assurance program.4

        A managed care plan can disclose personal information under certain circumstances, including for internal quality review, to determine coverage, review complaints, conduct utilization review, for patient care management, and other reasons.5  Other licensed insurers may disclose nonpublic personal health information about a consumer under various circumstances as well, including upon authorization from the consumer, and for the performance of certain insurance functions such as auditing, quality assurance, utilization review, underwriting, etc.6