This seems to grant institutions permission to share PII for purpose of an audit, not compel them to do so.