Complete Overview of Regulations: 42 CFR Part 2
Disclosures Without Patient Consent: Audit and Evaluation Activities


c.) Audit and Evaluation Activities

Patient identifying information may be disclosed to entities performing an audit or evaluation activity of the program, whether or not the records containing the patient identifying information will be copied or removed from program premises, only if the entity:

  • Agrees in writing to comply with limitations on re-disclosure and use;[139] and
  • Is performing the audit or evaluation on behalf of:
    • Any governmental agency that provides financial assistance to the program or is authorized by law to regulate its activities;[140] or
    • Any private entity that provides financial assistance to the program, is a third party payer covering patients in the program, or is a quality improvement organization performing a utilization or quality control review.[141]

If the patient records will not be copied or removed from program premises, the information may also be disclosed to any entity qualified to conduct the audit or evaluation activities, as determined by the program director.[142] If the records will be copied or removed from program premises, the entity performing the audit or evaluation activity must agree in writing to:

  • Maintain the patient identifying information in accordance with the security requirements discussed above in Section 2(c)(3) (or more stringent requirements);[143] and
  • Destroy all patient identifying information upon completion of the audit or evaluation.[144]

  1. Limitations on Disclosure and Use

Unless it is for a Medicare or Medicaid audit or evaluation activity, patient identifying information may only be re-disclosed back to the program from which it was obtained and may only be used for an audit or evaluation purpose or to investigate or prosecute activities as authorized by an appropriate court order.[145]

  1. Medicare or Medicaid Audit and Evaluation Activities

A Medicare or Medicaid audit or evaluation is a civil or administrative investigation of the program by any agency overseeing the Medicare or Medicaid program and includes administrative enforcement of any remedy imposed as a result of the investigation against the program[146] or an employee of, or provider of medical services under, the program.[147] Any entity (including a quality improvement organization) that obtains patient identifying information during an audit or evaluation may disclose that information to an authorized person for purposes of a Medicare or Medicaid audit or evaluation.[148]



  • 139. 42 CFR § 2.53(a)(1), (b)(1)(iii).
  • 140. 42 CFR § 2.53(a)(1)(i), (b)(2)(i).
  • 141. 42 CFR § 2.53(a)(1)(ii), (b)(2)(ii).
  • 142. 42 CFR § 2.53(a)(1)(iii).
  • 143. 42 CFR § 2.53(b)(1)(i).
  • 144. 42 CFR § 2.53(b)(1)(ii).
  • 145. 42 CFR § 2.53(d).
  • 146. 42 CFR § 2.53(c)(1).
  • 147. 42 CFR § 2.53(c)(2).
  • 148. 42 CFR § 2.53(c)(3).