You need to be very careful about identifying who "they" really is. "They" will be providers, payors or what are known as business associates of either, all of whom are covered under the HIPAA privacy rules and are significantly constrained as to how they may use individually identifiable medical information and to whom, and for what purposes, it may be disclosed.
Chart audits are done in various ways to protect the identity of patients. Much information is not individually identifiable. Charts for things such as accreditation and QA audit are numbered, and access to the keys to matching chart number to patient identity is strictly controlled.
Such blinded audits are very common. The names of patients to be included in an audit sample would be reviewed to assure that they were all participants in the program and therefore should be included in the audit population. The charts audited would be randomly selected from the audit population, and the identity of the patient coded so that the patient was not identifiable.
Billing audits are conducted by payor intermediaries or their contractor, and those organizations are subject to HIPAA. Information is heavily compartmentalized, and access to patient identifiable information is severely restricted in accordance with HIPAA.
In the years following the adoption of HIPAA confidentiality and data integrity rules, the medical care industry spent billions of dollars implementing procedures necessary to comply.