2.53—Audit and evaluation activities.
(a) Records not copied or removed.
If patient records are not copied or removed, patient identifying information may be disclosed in the course of a review of records on program premises to any person who agrees in writing to comply with the limitations on redisclosure and use in paragraph (d) of this section and who:
(i)
Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or
(ii)
Any private person which provides financial assistance to the program, which is a third party payer covering patients in the program, or which is a quality improvement organization performing a utilization or quality control review; or
(2)
Is determined by the program director to be qualified to conduct the audit or evaluation activities.
(b) Copying or removal of records.
Records containing patient identifying information may be copied or removed from program premises by any person who:
(i)
Maintain the patient identifying information in accordance with the security requirements provided in § 2.16 of these regulations (or more stringent requirements);
(ii)
Destroy all the patient identifying information upon completion of the audit or evaluation; and
(i)
Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or
(ii)
Any private person which provides financial assistance to the program, which is a third part payer covering patients in the program, or which is a quality improvement organization performing a utilization or quality control review.
(c) Medicare or Medicaid audit or evaluation.
(1)
For purposes of Medicare or Medicaid audit or evaluation under this section, audit or evaluation includes a civil or administrative investigation of the program by any Federal, State, or local agency responsible for oversight of the Medicare or Medicaid program and includes administrative enforcement, against the program by the agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.
(2)
Consistent with the definition of program in § 2.11, program includes an employee of, or provider of medical services under, the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section.
(3)
If a disclosure to a person is authorized under this section for a Medicare or Medicaid audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section, then a quality improvement organization which obtains the information under paragraph (a) or (b) may disclose the information to that person but only for purposes of Medicare or Medicaid audit or evaluation.
(4)
The provisions of this paragraph do not authorize the agency, the program, or any other person to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the Medicare or Medicaid audit or evaluation activity as specified in this paragraph.
(d) Limitations on disclosure and use.
Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66 of these regulations.