Frequently Asked Questions

Certification is required for any new implementation, whether it is a custom- developed module that is transferred from another state, or a commercial off-the-shelf module that is being configured and integrated. The certification process looks at the state’s implementation of the solution to ensure the state has met all federal requirements.

States may reuse system documentation and other supporting evidence from a previous state certification if it is available and applicable to their systems and has been reconfirmed by independent verification and validation.

FAQ ID:93656

APDs must demonstrate a reuse-friendly design that includes the sharing of systems, modules, code, and any other developed artifacts. States could include language describing their efforts to find and learn from or reuse components from similar systems, or efforts the state is making to ensure that other states more easily can reuse the proposed system once it is developed.

FAQ ID:93661

From an intellectual property standpoint, reuse is supported by the general grant conditions for Federal Financial Participation (FFP) under 45 CFR 95.617, which require states to "include a clause in all procurement instruments that provides that the State or local government will have all ownership rights in software or modifications thereof and associated documentation designed, developed, or installed with FFP under this subpart."

Further, according to 42 CFR 433.112(6), CMS has "a royalty free, non-exclusive, and irrevocable license to reproduce, publish, or otherwise use and authorize others to use, for Federal Government purposes, software, modifications to software, and documentation that is designed, developed, installed or enhanced with 90 percent FFP."

In practice, this means that vendors retain ownership rights to software and other products they have developed under their own initiative and funding, while states and CMS have ownership rights to and may share any software, customizations, configurations, or add-ons funded with FFP.

FAQ ID:93666

Applicants that indicate they have a disability, need long-term care or are over age 65 are always referred to the Medicaid agency for a determination on a non-MAGI basis, regardless of income and household composition, since the FFM is evaluating eligibility for MAGI-based eligibility groups only. Additionally, applicants may always request a full Medicaid determination at the end of the application process. In assessment states, the Medicaid agency will do a final determination of eligibility for these applicants, whereas in determination states, the Medicaid agency just needs to follow up for a non-MAGI determination. The expanded flat file will contain a specific indicator showing if the applicant requested a full determination.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 198.3 KB)

FAQ ID:92136

The total UPL gap by ownership category can be shown by inserting a new tab in the file with these calculations, unless a summary worksheet is already included in the workbook. If there are any questions about how to add this tab, please reach out to your CMS Regional Office or send a follow-up question (with your template) to the UPL mailbox and additional guidance will be provided.

FAQ ID:92281

Yes, states may use UPL methodologies that are different from their payment methodologies. For example, a state may pay for inpatient hospital services using a Medicaid APR-DRG methodology, but use a cost methodology to compute the Medicare upper payment limit for its UPL demonstration.

FAQ ID:92386

No, an upper payment limit demonstration considers all Medicaid payments (base and supplemental). States must conduct UPL demonstrations for the applicable services described in State Medicaid Director Letter (SMDL) 13-003 regardless of whether a state makes supplemental payments under the Medicaid state plan for the services.

FAQ ID:92191

State laws determine what information is required of the health plans. A health plan's disclosure and use of information that is required to be submitted under state law - such as, information from insurer eligibility files sufficient to determine during what period any individual may be, or have been, covered by a health insurer and the nature of the coverage that is or was provided by the health insurer — is consistent with the HIPAA privacy provisions.

Under HIPAA, both the state Medicaid agency and most health insurers are covered entities and must comply with the HIPAA Privacy Rule in 45 CFR Part 160 and Part 164, Subparts A and E. In their capacities as covered entities under HIPAA, the state Medicaid agency and health insurers are restricted from using and disclosing protected health information (PHI), as that term is defined in 45 CFR section 160.103, other than as permitted or required by the HIPAA Privacy Rule. However, as relevant here:

1. A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of the law. (45 CFR 164.512(a)(1)) Under this provision, each covered entity must be limited to disclosing or using only the PHI necessary to meet the requirements of the law that compels the use or disclosure. Anything required to be disclosed by a law can be disclosed without violating HIPAA under the "required by law" provisions. Therefore, health insurers may disclose data elements in addition to the four minimum data elements, up to and including submission of an entire insurer eligibility file, to the extent such information is required to be submitted by state law. (45 CFR 164.512(a))
2. Separately, a covered entity may use or disclose PHI, without the consent of an individual, for payment activities, including to facilitate payment. (45 CFR 164.502(a)(1) and 164.506) Under HIPAA, the term payment includes activities undertaken by a health plan to determine or fulfill its responsibility for coverage and provision of benefits under the health plan. These activities include determinations of eligibility or coverage, adjudication or subrogation of health benefits claims, and collection activities. (45 CFR 164.501) To the extent plans are releasing this information to the Medicaid program for payment purposes; this is a separate basis for disclosure under HIPAA.
3. The HIPAA Privacy Rule generally requires covered entities to take reasonable steps to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. (45 CFR 164.502(b)(1)) However, among other limited exceptions, the minimum necessary requirements do not apply to uses or disclosures that are required by law under 45 CFR 164.512(a).

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB)

FAQ ID:91216

Yes. There is a significant amount of third party coverage derived from health plans licensed in a different state than where the Medicaid beneficiary resides. This can commonly happen when the policyholder works in one state and lives in another state. For example, there may be policyholders who are enrolled in Medicaid coverage in Maryland, or have dependents that are enrolled, who work in Delaware, the District of Columbia, Pennsylvania, Virginia, or West Virginia and also have coverage through their employer in that state. This highlights the need for Medicaid agencies to obtain plan eligibility information from contiguous states in addition to collecting information in their respective state.

Another example is when Medicaid-eligible children are covered by the insurance plan of non-custodial parents who live in a different state than their child(ren). This example is not limited to contiguous states because non-custodial parents could reside in any state in the country. Depending on the size, it may be beneficial for the state to obtain the plan's entire eligibility file. The specific geographical areas to be included in the data exchange should be negotiated with the plans. We recommend use of a Trading Partner Agreement in the exchange of electronic data.

Finally, section 1902(a)(25)(I)(i) of the Social Security Act directs states, as a condition of receiving federal financial participation (FFP) for Medicaid, to have laws in effect that require health insurers doing business in their state to provide the state with the requisite information with respect to individuals who are eligible for, or are provided medical assistance, i.e., Medicaid beneficiaries. State law cannot reach beyond the entities that are "doing business" in their states.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB)

FAQ ID:91221

Yes. State Medicaid programs may enter into data matching agreements directly with third parties or may obtain the services of a contractor to complete the required matches. Such arrangements should comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA)'s "Business Associate" requirements, where applicable. When the state Medicaid program chooses to use a contractor to complete data matches, including matches as required by the Deficit Reduction Act of 2005 (DRA), the program delegates its authority to obtain the desired information from third parties to the contractor.

Third parties should generally treat a request from the contractor as a request from the state Medicaid agency. Third parties may request verification from the state Medicaid agency that the contractor is working on behalf of the agency and the scope of the delegated work.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB)

FAQ ID:91226