Can the North Dakota State Auditor audit the state's Protection and Advocacy agency, including records that are confidential under federal disability-rights laws and state attorney-client privilege rules?

Plain-English summary

State Auditor Joshua Gallion asked the AG whether his office can audit the North Dakota Protection and Advocacy Project (P&A), the state agency that exists under federal disability-rights law to protect the rights of individuals with disabilities. P&A keeps records that are confidential under both federal law (DD Act, PAIMI Act, PAIR Act) and state law (N.D.C.C. § 25-01.3-10), and P&A's lawyers handle client matters under Rule 1.6 of the Rules of Professional Conduct.

The AG concluded that P&A is auditable. Two reasons.

First, the state-audit statute overrides confidentiality. Section 54-10-22.1 begins with the phrase "notwithstanding any other specific sections of law" and gives the State Auditor access to "all information relating to operations" of audited entities. The same statute requires auditors to "guard the secrecy" of confidential information. A 1994 AG opinion and the Eighth Circuit's U.S. v. Lester (2024) interpret "notwithstanding" as "in spite of," meaning state confidentiality statutes (including § 25-01.3-10) bend to give the auditor access for audit purposes.

Second, federal law expressly contemplates audits. The DD Act, PAIMI Act, and PAIR Act all anticipate state and federal audits of P&A records. The PAIMI Act regulation, 42 C.F.R. § 51.45(c), specifically allows "authorized Federal or State officials" access to "client records or other records of the P&A system when deemed necessary for audit purposes."

On Rule 1.6 (attorney-client confidentiality), a 1995 AG opinion already addressed the same issue: P&A's records about whom it served are available to the State Auditor for performance-audit purposes; the State Auditor must keep them confidential. The current opinion follows the 1995 precedent.

What this means for you

If you are a State Auditor or audit professional in North Dakota

You have access. Section 54-10-22.1 is unusually direct: it says you can access "all information relating to operations" of audited entities, "notwithstanding" other confidentiality statutes. You inherit a strict obligation to guard the confidentiality of what you see. The opinion does not authorize disclosure to anyone outside the audit; it just lets you obtain the records to do the audit.

Practical workflow:

• Ask P&A for the records you need.
• If P&A objects, cite this opinion and the 1994 and 1995 prior opinions.
• Establish protocols for handling the records (secure storage, limited access by audit staff, redaction of identifying information in reports).
• Destroy photostatic copies after the audit, per 42 C.F.R. § 51.45(c).

If you are a P&A administrator or attorney

You can comply with audit requests. The federal P&A statutes expressly anticipate state audits. The Rule 1.6 confidentiality obligation does not block disclosure to the State Auditor, because the disclosure is to a fellow government office bound by its own confidentiality obligation, and the federal regulation expressly authorizes audit access.

A few practical points:

• Identify the specific records before producing them. Some records may genuinely be outside the audit scope (e.g., truly attorney-only mental impressions on a particular case).
• For sensitive client identifying information, work with the auditor on redaction protocols if appropriate.
• Document the audit-access decisions in your file so future P&A staff understand the precedent.

If you are an attorney advising a state agency about whether the State Auditor can access confidential records

Section 54-10-22.1 is broad. The "notwithstanding any other specific sections of law" language is doing real work. Even when a state confidentiality statute is otherwise robust (as § 25-01.3-10 is), the audit-access provision overrides it for audit purposes.

The federal-law overlay matters too. For programs receiving federal funding (like P&A under DD/PAIMI/PAIR), check the federal regulations for state-audit carve-outs before resisting the auditor's access. In most cases, the federal scheme also contemplates state audits.

If you are a P&A client or family member of a client

This opinion does not allow your records to be made public. The State Auditor's access is for audit purposes only, and the auditor is statutorily required to keep your information confidential. The audit is about whether P&A is doing its job (compliance, internal controls, financial transactions), not about you.

Common questions

Q: What is P&A?
A: The Protection and Advocacy Project, a state agency required by federal law to protect the rights of individuals with disabilities. North Dakota's P&A operates under federal authority (DD Act, PAIMI Act, PAIR Act) and is also a state agency under N.D.C.C. ch. 25-01.3.

Q: What does "notwithstanding any other specific sections of law" mean?
A: "In spite of" or "regardless of" any other state law. The Eighth Circuit interpreted the same word in U.S. v. Lester (2024). Where a state statute uses this language, it overrides conflicting confidentiality provisions for the limited purpose stated in the statute.

Q: Doesn't Rule 1.6 of the attorney conduct rules forbid disclosing client information?
A: Generally yes, but Rule 1.6 has carve-outs for disclosures required by law. The State Auditor's statutory access fits that carve-out for the limited purpose of the audit. Even more directly, the federal P&A audit regulations expressly authorize the auditor's access.

Q: What about HIPAA or other federal medical privacy laws?
A: The opinion focuses on the DD Act, PAIMI Act, and PAIR Act framework. HIPAA may have separate considerations for medical records, but the AG concluded the federal framework anticipates state audits and includes implementing regulations that authorize them.

Q: Can the State Auditor publish what they find in a public audit report?
A: Not the confidential underlying records. The report can address compliance, controls, and findings in general terms. Specific client identifying information must remain confidential.

Background and statutory framework

Section 54-10-22.1 is the heart of the analysis. It begins:

Notwithstanding any other specific sections of law, the state auditor and persons employed by the state auditor, when necessary in conducting an audit, shall have access to all information relating to operations of all governmental units or component units subject to audit.... The state auditor and persons employed by the state auditor examining any information, which is confidential by law, shall guard the secrecy of such information except when otherwise directed by judicial order or as is otherwise provided by law.

A 1994 AG opinion (94-L-305) read the "notwithstanding" language as overriding state confidentiality laws (specifically § 25-01.3-10) for audit purposes. The same opinion held federal regulations did not "preempt state law nor prohibit limited disclosure of such records for state performance audit purposes." A 1995 opinion (95-L-01) addressed Rule 1.6 specifically and held that performance-audit access to billing records (with names attached) does not violate the rule.

The federal P&A statutes (DD Act, PAIMI Act, PAIR Act) all give P&A access to client records and contemplate audits as part of grant administration. The PAIMI Act regulation, 42 C.F.R. § 51.45(c), is explicit:

[The federal Secretary] shall not require the P&A system to disclose the identity, or any other personally identifiable information, of any individual requesting assistance under a program. This requirement does not restrict access by the Department or other authorized Federal or State officials to client records or other records of the P&A system when deemed necessary for audit purposes and for monitoring P&A system compliance with applicable Federal or State laws and regulations.

So the federal framework permits state audit access. The state framework requires state audit access. P&A is auditable.

Citations and references

Statutes:
- N.D.C.C. § 54-10-22.1 (audit access)
- N.D.C.C. § 25-01.3-10 (P&A confidentiality)
- 42 U.S.C. §§ 15001 et seq. (DD Act)
- 42 U.S.C. §§ 10801 et seq. (PAIMI Act)
- 29 U.S.C. § 794e (PAIR Act)
- 42 C.F.R. § 51.45(c) (PAIMI audit regulation)

Cases:
- Disabilities Rts. Wis., Inc. v. State of Wis. Dep't of Pub. Instruction, 463 F.3d 719 (2006)
- Lapland v. Stearns, 54 N.W.2d 748 (N.D. 1952) (presumption of awareness)
- U.S. v. Lester, 92 F.4th 740 (8th Cir. 2024) ("notwithstanding" definition)
- State ex rel. Johnson v. Baker, 21 N.W.2d 355 (N.D. 1946) (AG opinion authority)

Prior AG opinions:
- N.D.A.G. 94-L-305 (audit access overrides confidentiality)
- N.D.A.G. 95-L-01 (Rule 1.6 does not block audit access)

Source

• Landing page: https://attorneygeneral.nd.gov/the-north-dakota-attorney-general-issued-an-opinion-to-the-nd-state-auditor/
• Original PDF: https://attorneygeneral.nd.gov/wp-content/uploads/2026/03/2026-L-01.pdf

Original opinion text

STATE OF NORTH DAKOTA
OFFICE OF ATTORNEY GENERAL
Drew H. Wrigley, ATTORNEY GENERAL

LETTER OPINION 2026-L-01

Mr. Joshua C. Gallion
State Auditor
Office of the State Auditor
600 E. Boulevard Ave. Dept. 117
Bismarck, ND 58505

State Auditor Gallion:

Thank you for your letter asking whether North Dakota Century Code, N.D.C.C. § 54-10-22.1, authorizes the State Auditor and the Auditor's employees to conduct an audit of the North Dakota Protection and Advocacy Project (P&A) even when the agency has records in its possession that are made confidential by state or federal law. It is my understanding that you plan to conduct a performance audit of P&A to test its internal controls, compliance, and financial transactions. One objective of this audit is to review whether reports of suspected abuse, neglect, or exploitation are being investigated according to P&A policy, and it may be necessary to access certain records that contain confidential information to complete this objective. P&A believes it cannot participate in an audit because it was created by federal law and possesses records that are confidential under state and federal laws. P&A also expressed concern that Rule 1.6 of the North Dakota Rules of Professional Conduct for licensed attorneys and the National Association of Social Workers Code of Ethics prohibit them from disclosing the contents of client files to the Auditor's office. The Auditor's office and P&A have met to discuss the audit and P&A objected to allowing an audit.

ANALYSIS

P&A is a state agency, in accordance with the Developmental Disabilities and Bill of Rights Act (DD Act), the Protection and Advocacy for Mentally Ill Individuals Act of 1986 (PAIMI Act), and the Protection and Advocacy of Individuals Rights Act (PAIR Act), to establish an effective protection and advocacy system to respond to allegations of abuse and neglect and generally protect the rights of individuals with disabilities. "The core requirement of the federal P&A statutes is that, in order to receive federal funding, each state must establish an effective protection and advocacy system" to fulfill those responsibilities. In North Dakota, P&A serves this function and is governed by the Committee on Protection and Advocacy which "operate[s] independently of the governor and any state agency that provides treatment, services or habilitation to persons with disabilities or mental illnesses." Federal statutes give P&A investigative power and the ability to "'have access to all records of any individual' with disabilities or mental illness" who is a client of the system P&A is authorized to investigate. This means that P&A may have records in its possession that are confidential under state and federal law.

Although federal law mandated that states create independent agencies to protect the rights of individuals with disabilities, P&A is also created by state statute and is a state agency. The State Auditor is authorized by law to perform audits, including performance audits, of state agencies. To facilitate the audits, state law authorizes the Auditor to receive otherwise confidential records, in order to complete an audit of a state agency. N.D.C.C. § 54-10-22.1, states:

Notwithstanding any other specific sections of law, the state auditor and persons employed by the state auditor, when necessary in conducting an audit, shall have access to all information relating to operations of all governmental units or component units subject to audit.... [T]he state auditor may inspect any state agency's books, papers, accounts, or records that may be relevant to an ongoing audit of any other state agency or computer system audit. The state auditor and persons employed by the state auditor examining any information, which is confidential by law, shall guard the secrecy of such information except when otherwise directed by judicial order or as is otherwise provided by law.

In 1994, this office analyzed this section and found that the phrase "notwithstanding any other specific sections of law" used in N.D.C.C. § 54-10-22.1 meant that, in spite of and without prevention by other sections of state law that may make records confidential, records of audited entities "are available to the State Auditor and the Auditor's employees for audit purposes." The 1994 opinion, issued to P&A, further found that disclosure of confidential information for a state audit was consistent with federal law and rules. The opinion said that federal rules "[did] not preempt state law nor prohibit limited disclosure of such records for state performance audit purposes." In fact, the opinion that found that language in the DD Act that allowed P&A to protect the identity of clients from the Secretary of Health and Human Services, did not foreclose P&A from disclosing the same information to the State Auditor. The federal acts that regulate P&A anticipate state and federal audits with access to P&A records. For example, with regard to audits of P&A programs, the federal PAIMI Act states:

For purposes of any periodic audit, report, or evaluation of the performance of the P&A system, the Secretary shall not require the P&A system to disclose the identity, or any other personally identifiable information, of any individual requesting assistance under a program. This requirement does not restrict access by the Department or other authorized Federal or State officials to client records or other records of the P&A system when deemed necessary for audit purposes and for monitoring P&A system compliance with applicable Federal or State laws and regulations. The purpose of obtaining such information is solely to determine that P&A systems are spending their grant funds awarded under the Act on serving individuals with mental illness. Officials that have access to such information must keep it confidential to the maximum extent permitted by law and regulations. If photostatic copies of materials are provided, then the destruction of such evidence is required once such reviews have been completed.

42 C.F.R. § 51.45(c) (emphasis added).

Accordingly, it is my opinion that federal law does not prevent the state from auditing P&A and even though P&A possesses confidential records, N.D.C.C. § 54-10-22.1 and 42 C.F.R. § 51.45(c) authorize the state auditor and the employees of the auditor's office, to review the records without detriment to P&A.

You also ask whether Rule 1.6 of the North Dakota Rules of Professional Conduct for licensed attorneys prohibits P&A from disclosing to the State Auditor the contents of a client file for the purpose of conducting a non-financial performance audit under N.D.C.C. ch. 54-10 when the requested file includes information about individuals and businesses in the private sector who chose to contact P&A.

This issue was already addressed in a 1995 opinion of this office regarding P&A. The 1995 opinion highlighted that P&A has authority to contract with private attorneys to represent private individuals. During that performance audit, auditors asked to see billings from the contracted attorneys. P&A redacted the names of the individuals represented by the contract attorneys under the rules for attorney-client privilege or attorney-client confidentiality. The names of individuals seeking services of P&A are protected under N.D.C.C. § 25-01.3. The opinion stated:

Thus, P&A's records which indicate to whom its services were provided are available to the State Auditor for performance audit purposes. The State Auditor has been given access by P&A to its records other than the attorney's billings. Therefore, the State Auditor already has access to the names of the persons to whom P&A provides services. State law requires that the State Auditor and his employees must keep such information confidential.

Here, P&A has not identified a specific record. Given that, I rely on the past opinions declaring that records made confidential by N.D.C.C. § 25-01.3-10 are available under N.D.C.C. § 54-10-22 to the State Auditor and the Auditor's employees for audit purposes.

With regards,

Drew H. Wrigley
Attorney General

This opinion is issued pursuant to N.D.C.C. § 54-12-01. It governs the actions of public officials until such time as the question presented is decided by the courts.