42 CFR § 457.1110 - Privacy protections.
The State must ensure that, for individual medical records and any other health and enrollment information maintained with respect to enrollees, that identifies particular enrollees (in any form), the State establishes and implements procedures to—
(a) Abide by all applicable Federal and State laws regarding confidentiality and disclosure, including those laws addressing the confidentiality of information about minors and the privacy of minors, and privacy of individually identifiable health information;
(b) Comply with subpart F of part 431 of this chapter;
(c) Maintain the records and information in a timely and accurate manner;
(d) Specify and make available to any enrollee requesting it—
(1) The purposes for which information is maintained or used; and
(2) To whom and for what purposes the information will be disclosed outside the State;
(e) Except as provided by Federal and State law, ensure that each enrollee may request and receive a copy of records and information pertaining to the enrollee in a timely manner and that an enrollee may request that such records or information be supplemented or corrected.