42 CFR § 423.136 - Privacy, confidentiality, and accuracy of enrollee records.

---
identifier: "/us/cfr/t42/s423.136"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "42 CFR § 423.136 - Privacy, confidentiality, and accuracy of enrollee records."
title_number: 42
title_name: "Public Health"
section_number: "423.136"
section_name: "Privacy, confidentiality, and accuracy of enrollee records."
chapter_name: "CENTERS FOR MEDICARE & MEDICAID SERVICES, DEPARTMENT OF HEALTH AND HUMAN SERVICES"
subchapter_number: "B"
subchapter_name: "MEDICARE PROGRAM"
part_number: "423"
part_name: "VOLUNTARY MEDICARE PRESCRIPTION DRUG BENEFIT"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "42 U.S.C. 1302, 1306, 1395w-101 through 1395w-152, and 1395hh."
regulatory_source: "70 FR 4525, Jan. 28, 2005, unless otherwise noted."
cfr_part: "423"
---

# 423.136 Privacy, confidentiality, and accuracy of enrollee records.

For any medical records or other health and enrollment information it maintains with respect to enrollees, a PDP sponsor must establish procedures to do the following—

(a) Abide by all Federal and State laws regarding confidentiality and disclosure of medical records, or other health and enrollment information. The PDP sponsor must safeguard the privacy of any information that identifies a particular enrollee and have procedures that specify—

(1) For what purposes the information is used within the organization; and

(2) To whom and for what purposes it discloses the information outside the organization.

(b) Ensure that medical information is released only in accordance with applicable Federal or State law, or under court orders or subpoenas.

(c) Maintain the records and information in an accurate and timely manner.

(d) Ensure timely access by enrollees to the records and information that pertain to them.