Are auditors allowed to access medical records?

During a recent Falmouth class, someone raised a question about allowing auditors access to medical-related records when they are conducting single audits. The main concern was how allowing the auditor access to medical records would square with HIPAA Act privacy requirements.

 When testing grants or contracts for A-133 Major Program compliance in the Health and Social Services functions, a level of access is required.  In the course of testing, an auditor usually encounters information considered confidential under HIPAA. According to John Friel CPA and Falmouth consultant, who conducts single audits for tribal organizations, auditors are required to sign a HIPAA disclosure agreement when they are going to be reviewing health records. In addition, they are bound by the Code of Conduct of the American Institute of Certified Public Accountant to keep all records, particularly health records, locked in a secure place.  

So an auditor would have access to health records, but only to certify compliance to federal regulations.