(a) Each issuer subject to the reporting requirement of this part must allow access and entry to its premises, facilities and records, including computer and other electronic systems, to HHS, the Comptroller General, or their designees to evaluate, through inspection, audit, or other means, compliance with the requirements for reporting and calculation of data submitted to HHS, and the timeliness and accuracy of rebate payments made under this part.
(b) Each issuer must also allow access and entry to the facilities and records, including computer and other electronic systems, of its parent organization, subsidiaries, related entities, contractors, subcontractors, agents, or a transferee that pertain to any aspect of the data reported to HHS or to rebate payments calculated and made under this part. To the extent that the issuer does not control access to the facilities and records of its parent organization, related entities, or third parties, it will be the responsibility of the issuer to contractually obligate any such parent organization, related entities, or third parties to grant said access.
(c) The Comptroller General, HHS, or their designees may inspect, evaluate, and audit through 6 years from the date of the filing of a report required by this part or through 3 years after the completion of the audit and for such longer period set forth below provided that any of the following occur:
(1) HHS determines there is a special need to retain a particular record or group of records for a longer period and notifies the issuer at least 30 days before the disposition date.
(2) There has been a dispute, or allegation of fraud or similar fault by the issuer, in which case the retention may be extended to 6 years from the date of any resulting final resolution of the dispute, fraud, or similar fault.
(3) HHS determines that there is a reasonable possibility of fraud or similar fault, in which case HHS may inspect, evaluate, and audit the issuer at any time.