42 CFR § 414.1390 - Data validation and auditing.
(a) General. CMS will selectively audit MIPS eligible clinicians and groups on a yearly basis. If a MIPS eligible clinician or group is selected for audit, the MIPS eligible clinician or group will be required to do the following in accordance with applicable law and timelines CMS establishes:
(1) Comply with data sharing requests, providing all data as requested by CMS or our designated entity. All data must be shared with CMS or our designated entity within 45 days of the data sharing request, or an alternate timeframe that is agreed to by CMS and the MIPS eligible clinician or group. Data will be submitted via email, facsimile, or an electronic method via a secure Web site maintained by CMS.
(2) Provide substantive, primary source documents as requested. These documents may include: Copies of claims, medical records for applicable patients, or other resources used in the data calculations for MIPS measures, objectives, and activities. Primary source documentation also may include verification of records for Medicare and non-Medicare beneficiaries where applicable.
(b) Certification. All MIPS eligible clinicians and groups that submit data and information to CMS for purposes of MIPS must certify to the best of their knowledge that the data submitted to CMS is true, accurate, and complete. Such certification must accompany the submission and be made at the time of submission.
(d) Record retention. All MIPS eligible clinicians and groups that submit data and information to CMS for purposes of MIPS must retain such data and information for 6 years from the end of the MIPS performance period.