42 CFR 401.717 – Provider and supplier requests for error correction
(a) A qualified entity must confidentially share measures, measurement methodologies, and measure results with providers and suppliers at least 60 calendar days before making reports public. The 60 calendar days begin on the date on which qualified entities send the confidential reports to providers and suppliers. A qualified entity must inform providers and suppliers of the date the reports will be made public at least 60 calendar days before making the reports public.
(b) Before making the reports public, a qualified entity must allow providers and suppliers the opportunity to make a request for the data, or to make a request for error correction, within 60 calendar days after sending the confidential reports to providers or suppliers.
(c) During the 60 calendar days between sending a confidential report on measure results and releasing the report to the public, the qualified entity must, at the request of a provider or supplier and with appropriate privacy and security protections, release the Medicare claims data and beneficiary names to the provider or supplier. Qualified entities may only provide the Medicare claims and/or beneficiary names relevant to the particular measure or measure result the provider or supplier is appealing.
(d) A qualified entity must inform providers and suppliers that reports will be made public, including information related to the status of any data or error correction requests, after the date specified to the provider or supplier when the report is sent for review and, if necessary, error correction requests (at least 60 calendar days after the report was originally sent to the providers and suppliers), regardless of the status of any requests for error correction.
(e) If a provider or supplier has a data or error correction request outstanding at the time the reports become public, the qualified entity must, if feasible, post publicly the name of the appealing provider or supplier and the category of the appeal request.
(f) A qualified entity must comply with the following requirements before disclosing non-public analyses, as defined at § 401.716, which contain information that individually identifies a provider or supplier:
(1) A qualified entity must confidentially notify a provider or supplier that non-public analyses that individually identify the provider or supplier are going to be released to an authorized user at least 65 calendar days before disclosing the analyses. This confidential notification must include a short summary of the analyses (including the measures calculated), the process for the provider or supplier to request the analyses, the authorized users receiving the analyses, and the date on which the qualified entity will release the analyses to the authorized user.
(2) A qualified entity must allow providers and suppliers the opportunity to opt-in to the review and correction process as defined in paragraphs (a) through (e) of this section, anytime during the 65 calendar days. If a provider or supplier chooses to opt-in to the review and correction process more than 5 days into the notification period, the time for the review and correction process is shortened from 60 days to the number of days between the provider or supplier opt-in date and the release date specified in the confidential notification.