Can the North Carolina State Auditor audit the books of hospitals and other Medicaid vendors to verify that DHR paid them correctly, and can the auditor see records that are confidential under state public-assistance law?
Plain-English summary
State Auditor Henry L. Bridges asked the AG whether his office could audit the records of hospitals and other vendors of medical services to confirm that the Division of Medical Assistance (the State's Medicaid agency, then part of the Department of Human Resources) was paying them correctly. He also asked whether he could see records that are confidential under G.S. 108-45.
The 1979 AG said yes to both questions, with a structural caveat tied to a Memorandum of Understanding the State Auditor and DHR had signed in December 1979.
On the first question, the AG read G.S. 147-58(16) as a straightforward grant of authority. The statute lets the State Auditor and authorized agents examine the books of any individual, firm, or corporation insofar as they relate to transactions with a State agency, limited to matters that might relate to irregularities by the agency. Medicaid payments to vendors are transactions with the State (the Division of Medical Assistance is part of DHR), so the vendor books are fair game.
The second question was harder because G.S. 108-45(a) makes it unlawful to obtain or disclose information about public-assistance applicants and recipients except for "purposes directly connected with the administration of the program of public assistance." Federal law (42 U.S.C.A. § 1396a(a)(7)) imposes the same restriction on State Medicaid plans.
The AG concluded that a financial audit of vendor payments fits within "purposes directly connected with the administration" of the program. The Memorandum of Understanding between the State Auditor and the Secretary of DHR did two things that nailed the conclusion down: it limited the Auditor's audits to State-administered funds and operational review, and it expressly subjected the Auditor's staff to the same federal and state confidentiality regulations as DHR personnel. With those structural protections, the audit qualifies as administration of the program.
The practical upshot for vendors: the State Auditor could examine their books and could see otherwise-confidential patient information without breaching the confidentiality wall.
Currency note
This opinion was issued in 1979. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here. The Department of Human Resources has been reorganized (it is now the Department of Health and Human Services), HIPAA has added a federal privacy overlay that did not exist in 1979, and Medicaid program integrity audits are now conducted under additional federal frameworks. Any modern audit question should be addressed under current state and federal law.
Historical context: what the AG concluded
The opinion's structure is the textbook public-law analysis of an intersecting-statutes problem. Two statutes are both in force; their texts pull in different directions; the question is how to reconcile them.
G.S. 147-58(16) gives the Auditor broad access. G.S. 108-45(a) restricts access to public-assistance records. The reconciliation route is the exception built into G.S. 108-45 itself: access is permitted for purposes directly connected with administration of the program. If the audit qualifies as administration, both statutes are satisfied.
The AG's path to that conclusion goes through two pieces. First, the audit's content qualifies. Financial review of payments to vendors is operational oversight, and operational oversight is part of administration. The federal corollary in 42 U.S.C.A. § 1396a(a)(7) uses the same "directly connected with the administration" phrasing, and federal program integrity audits routinely involve patient information. The audit is consistent with how the program is administered.
Second, the structural protections make the answer cleaner. The Memorandum of Understanding limited the Auditor's audit scope and subjected the Auditor's staff to the same confidentiality regulations as DHR staff. That structure makes the Auditor essentially an extension of DHR for confidentiality purposes. Information that DHR could see for administration purposes, the Auditor can see for administration purposes, under the same legal duties of confidentiality.
The MOU approach is generally useful for any State agency that needs access to another agency's confidential records. Build a written agreement that limits the scope of access and binds the receiving agency to the same confidentiality regime. That makes the access lawful and creates an audit trail of how the boundaries were drawn.
The opinion does not address what would happen if the State Auditor wanted to audit something outside the MOU scope, or if the Auditor's staff breached the confidentiality regime. Those questions would require their own analysis.
Background and statutory framework
G.S. 147-58 is the general authority statute for the North Carolina State Auditor. Subsection (16) is the access provision, granting authority to examine books and accounts of private parties insofar as they relate to transactions with State agencies. The provision is limited to matters that might relate to irregularities on the part of the State agency, which is the textual hook for the legitimate-purpose requirement.
G.S. 108-45 is the confidentiality statute for public-assistance records in North Carolina. Subsection (a) prohibits obtaining, disclosing, or using information about applicants for or recipients of public assistance, with two relevant exceptions: subsection (b) (which the opinion notes is not pertinent), and the broader "purposes directly connected with the administration of the programs of public assistance in accordance with the rules and regulations of the Social Services Commission" exception.
The federal hook is 42 U.S.C.A. § 1396a(a)(7), the Social Security Act Medicaid provision that requires state Medicaid plans to safeguard applicant and recipient information. The federal text uses "purposes directly connected with the administration of the plan." The state statute mirrors the federal language, deliberately, to ensure state law compliance with federal requirements.
The Memorandum of Understanding referenced in the opinion was dated December 3, 1979 and signed by both the State Auditor and the Secretary of Human Resources. Its purpose section limited audit effort to "such records which are related to the State administration of funds for the purpose of financial and operational review as they relate to State Administered Programs." Its confidentiality section bound the Auditor to "the same State and Federal regulations concerning release of Recipient and Provider information as is the Department of Human Resources."
Common questions
Could a vendor refuse to provide records to the State Auditor?
The opinion does not address resistance. G.S. 147-58(16) on its face authorizes examination, so a vendor that refuses would put itself in conflict with the statute. A vendor with a confidentiality concern (third-party patient records, for example) could try to negotiate scope or seek a protective order, but the statutory authority is broad.
What if the Auditor's staff inadvertently disclosed confidential information?
The Memorandum of Understanding binds the Auditor's staff to the same confidentiality obligations as DHR staff. A breach would be a violation of G.S. 108-45(a) and could trigger the state-law penalties for unauthorized disclosure, in addition to any consequences under the MOU itself.
Could a private auditor hired by DHR also see confidential records?
Under the same logic, yes, if the auditor's role qualifies as program administration and the engagement establishes equivalent confidentiality obligations. The principle is portable.
Did this opinion authorize random audits, or only specific investigations?
The opinion authorizes the State Auditor's audits in general, governed by the MOU scope. Random vendor audits, targeted audits, and investigations triggered by specific allegations would all be within the framework, provided each individual audit fits the MOU scope and the administration purpose.
How does HIPAA change the picture?
HIPAA was enacted in 1996, well after this opinion. HIPAA adds a federal privacy overlay with its own definitions of permissible disclosure (treatment, payment, operations, and various public health and oversight functions). "Health oversight agency" is a defined HIPAA category that generally includes state auditors performing program integrity work. So the modern answer is likely the same in substance, but the analysis would route through HIPAA's permitted-disclosure provisions rather than through G.S. 108-45 alone.
Citations
- G.S. 147-58
- G.S. 147-58(16)
- N.C.G.S. 108-45(a)
- 42 U.S.C.A. § 1396a(a)(7)
Original opinion text
Requested By: The Honorable Henry L. Bridges, State Auditor
Questions:
- Does the Department of State Auditor have the authority to examine the documentation and files of vendors of hospital services to determine that payments by the Division of Medical Assistance of the Department of Human Resources were in accordance with State and federal statutes, regulations and policy?
- May the Department of State Auditor, in the course of such an examination, examine files of vendors of hospital services that contain information which is confidential under the provisions of N.C.G.S. 108-45?
Conclusion:
- Yes.
- Yes, when as here, the examination is directly connected with the administration of programs of public assistance.
G.S. 147-58 specifies the duties and authority of the State Auditor. G.S. 147-58(16) states, in pertinent part:
"The Auditor and his authorized agents are authorized to examine all books and accounts of any individual, firm, or corporation only insofar as it relates to transactions with any department, board, officer, commission, institution, or other agency of the State; provided that such examination shall be limited to those things which might relate to irregularities on the part of any State agency."
The above-quoted statute clearly grants general authority to the State Auditor to examine the records of vendors of hospital services to determine if any irregularities are involved in the payments made by the State agency to the vendors.
A further question of the authority of the State Auditor arises when the records to be examined contain information that is deemed confidential by law.
The confidentiality of records of the Department of Human Resources pertaining to persons applying for or receiving public assistance is established by G.S. 108-45(a), which provides:
"(a) Except as provided in (b) below (which exception is not pertinent here), it shall be unlawful for any persons to obtain, disclose or use, or to authorize, permit, or acquiesce in the use of any list of names or other information concerning persons applying for or receiving public assistance that may be directly or indirectly derived from the records, files or communications of the Department of Human Resources or the county boards of social services or acquired in the course of performing official duties except for purposes directly connected with the administration of the program of public assistance in accordance with the rules and regulations of the Social Services Commission."
The foregoing statute is in conformity with the requirement of 42 U.S.C.A. § 1396a(a)(7) that State plans for medical assistance involving federal funds must:
"(7) provide safeguards which restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the plan;"
A Memorandum of Understanding Between the Department of State Auditor and the Department of Human Resources, dated December 3, 1979, and signed by the State Auditor and the Secretary of Human Resources, describes the scope and purpose of audits by the Department of State Auditor as:
"Purpose: Audit effort by the Department of State Auditor is restricted to only such records which are related to the State administration of funds for the purpose of financial and operational review as they relate to State Administered Programs."
With regard to confidentiality of records, the Memorandum states:
"Confidentiality of Information: The State Auditor's exposure to confidential information as provided by State and Federal Statute will be subject to the same State and Federal regulations concerning release of Recipient and Provider information as is the Department of Human Resources."
The scope of audits by the Department of State Auditor, as described in the Memorandum of Understanding, brings such audits within ". . . purposes directly connected with the administration of the programs of public assistance . . ." (G.S. 108-45(a)) and ". . . purposes directly connected with the administration of the plan;" (42 U.S.C.A. § 1396a(a)(7)). Further, the Department of State Auditor specifically acknowledges that it is subject to the same confidentiality provisions of State and Federal Statutes and regulations as is the Department of Human Resources.
Under these circumstances, the State Auditor is authorized by G.S. 147-58(16) to conduct audits described in the Memorandum of Understanding of records of individuals, firms, and corporations relating to transactions with the Department of Human Resources, including vendors of hospital services.
Rufus L. Edmisten
Attorney General
Henry T. Rosser
Assistant Attorney General