38 CFR 1.489 - Audit and evaluation activities.
Subject to the provisions of 38 U.S.C. 5701, 38 38 CFR 1.500- 1.527 500-1.527, the Privacy Act ( 5 U.S.C. 552a), 38 CFR 1.575- 1.584 575-1.584, and the following paragraphs, patient medical records covered by §§ 1.460 through 1.499 of this part may be disclosed outside VA for the purposes of conducting audit and evaluation activities.
(a)Records not copies. If patient records covered by §§ 1.460 through 1.499 of this part are not copied, patient identifying information may be disclosed in the course of a review of records on VA facility premises to any person who agrees in writing to comply with the limitations on redisclosure and use in paragraph (d) of this section and:
(1) Where audit or evaluation functions are performed by a State or Federal governmental agency on behalf of VA; or
(2) Who is determined by the VA facility director to be qualified to conduct the audit or evaluation activities.
(1) Agrees in writing to:
(ii) Destroy all the patient identifying information upon completion of the audit or evaluation; and
(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section.
(2) The VA medical facility director determines to be qualified to conduct the audit or evaluation activities.
(c)Congressional oversight. Records subject to §§ 1.460 through 1.499 of this part upon written request may be released to congressional committees or subcommittees for program oversight and evaluation if such records pertain to any matter within the jurisdiction of such committee or subcommittee.
(d)Limitation on disclosure and use. Records containing patient identifying information disclosed under this section may be disclosed only back to VA and used only to carry out an audit or evaluation purpose, or, to investigate or prosecute criminal or other activities as authorized by a court order entered under § 1.494 of this part.