42 CFR § 2.53 - Management audits, financial audits, and program evaluation.
(a) Records not copied or removed. If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information, as defined in § 2.11, may be disclosed in the course of a review of records on the premises of a part 2 program or other lawful holder to any person who agrees in writing to comply with the limitations on use and redisclosure in paragraph (f) of this section and who:
(1) Performs the audit or evaluation on behalf of:
(i) Any federal, state, or local governmental agency that provides financial assistance to a part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder;
(ii) Any person which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization (QIO) performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization; or
(iii) An entity with direct administrative control over the part 2 program or lawful holder.
(2) Is determined by the part 2 program or other lawful holder to be qualified to conduct an audit or evaluation of the part 2 program or other lawful holder.
(b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in § 2.11, may be copied or removed from the premises of a part 2 program or other lawful holder or downloaded or forwarded to another electronic system or device from the part 2 program's or other lawful holder's electronic records by any person who:
(1) Agrees in writing to:
(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;
(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and
(iii) Comply with the limitations on use and disclosure in paragraph (f) of this section; and
(2) Performs the audit or evaluation on behalf of:
(i) Any federal, state, or local governmental agency that provides financial assistance to the part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder; or
(ii) Any person which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization; or
(iii) An entity with direct administrative control over the part 2 program or lawful holder.
(c) Activities included. Audits and evaluations under this section may include, but are not limited to:
(1) Activities undertaken by a Federal, state, or local governmental agency, or a third-party payer or health plan, in order to:
(i) Identify actions the agency or third-party payer or health plan can make, such as changes to its policies or procedures, to improve care and outcomes for patients with substance use disorders who are treated by part 2 programs;
(ii) Ensure that resources are managed effectively to care for patients; or
(iii) Determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD.
(2) Reviews of appropriateness of medical care, medical necessity, and utilization of services.
(d) Quality assurance entities included. Entities conducting audits or evaluations in accordance with paragraphs (a) and (b) of this section may include accreditation or similar types of organizations focused on quality assurance.
(e) Medicare, Medicaid, Children's Health Insurance Program (CHIP), or related audit or evaluation.
(1) Patient identifying information, as defined in § 2.11, may be disclosed under paragraph (e) of this section to any person for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the person agrees in writing to comply with the following:
(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;
(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and
(iii) Comply with the limitations on use and disclosure in paragraph (f) of this section.
(2) A Medicare, Medicaid, or CHIP audit or evaluation under this section includes a civil or administrative investigation of a part 2 program by any federal, state, or local government agency with oversight responsibilities for Medicare, Medicaid, or CHIP and includes administrative enforcement, against the part 2 program by the government agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.
(3) An audit or evaluation necessary to meet the requirements for a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must be conducted in accordance with the following:
(i) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must:
(A) Have in place administrative and/or clinical systems; and
(B) Have in place a leadership and management structure, including a governing body and chief executive officer with responsibility for oversight of the organization's management and for ensuring compliance with and adherence to the terms and conditions of the Participation Agreement or similar documentation with CMS; and
(ii) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must have a signed Participation Agreement or similar documentation with CMS, which provides that the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE):
(A) Is subject to periodic evaluations by CMS or its agents, or is required by CMS to evaluate participants in the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost measures;
(B) Must designate an executive who has the authority to legally bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and this part and the terms and conditions of the Participation Agreement in order to receive patient identifying information from CMS or its agents;
(C) Agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and this part;
(D) Must ensure that any audit or evaluation involving patient identifying information occurs in a confidential and controlled setting approved by the designated executive;
(E) Must ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification (e.g., through the use of codes) of a patient as having or having had a substance use disorder; and
(F) Must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part, the terms and conditions of the Participation Agreement, and the requirements set forth in paragraph (e)(1) of this section.
(4) Program, as defined in § 2.11, includes an employee of, or provider of medical services under the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (e)(2) of this section.
(5) If a disclosure to a person is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (e)(2) of this section, the person may further use or disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may use or disclose the information to that person (or, to such person's contractors, subcontractors, or legal representatives, but only for the purposes of this section).
(6) The provisions of this paragraph (e) do not authorize the part 2 program, the Federal, state, or local government agency, or any other person to use or disclose patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in this paragraph (e).
(f) Limitations on use and disclosure. Except as provided in paragraph (e) of this section, patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66.
(g) Audits and evaluations mandated by statute or regulation. Patient identifying information may be disclosed to federal, state, or local government agencies, and the contractors, subcontractors, and legal representatives of such agencies, in the course of conducting audits or evaluations mandated by statute or regulation, if those audits or evaluations cannot be carried out using deidentified information.
(h) Disclosures for health care operations. With respect to activities described in paragraphs (c) and (d) of this section, a part 2 program, covered entity, or business associate may disclose records in accordance with a consent that includes health care operations, and the recipient may redisclose such records as permitted under the HIPAA regulations if the recipient is a covered entity or business associate.