Frequently Asked Questions

In most cases once they are created, the documents will simply be updated to account for the additional modules being planned or developed. A new document is not necessarily created for each module. If a state calls a document by a different name, the state should inform CMS of the name difference.

FAQ ID:95076

Granting CMS direct access to the state's evidence repository is the preferred method for making evidence available to CMS. If that is not possible, the state may make other secure arrangements with CMS, such as using encrypted File Transfer Protocol (FTP). It is critical to follow all Health Insurance Portability and Accountability Act (HIPAA) regulations when submitting evidence that contains personal health information (PHI) and personally identifiable information (PII).

FAQ ID:95081

No. Only the checklists pertaining to the modules undergoing review need to be included, and that only for the report created in preparation for a milestone review. However, the IV&V progress report should include risks and recommendations for the entire project--not just those about to undergo a milestone review.

FAQ ID:95086

When streamlining the core checklists (IA, TA and S&C checklists), we found that some criteria fit better in other checklists, so they were moved. To keep traceability simple for the states, we chose to keep the original identifiers for any criteria that were moved. The same holds true for criteria moved to the programmatic tab of the IV&V progress report template.

FAQ ID:95091

No, E&E systems are not subject to certification. Though the Medicaid Eligibility and Enrollment Toolkit (MEET) was based on the MMIS toolkit, the MEET was created as a way to align how CMS reviews Medicaid enterprise systems and is a means for CMS to provide technical assistance to the states.

FAQ ID:95096

IV&V contractor activities must still be performed such as checklist evaluation, artifact review and preparation of IV&V Progress Reports. The state should provide a plan and timeline for how these activities will be supported and performed until the proper IV&V contract can be either procured or aligned with updated CMS guidance on IV&V.

FAQ ID:94866

MARS-E 2.0 compliance is not required by CMS for states' MMIS, but CMS recommends that states follow applicable national privacy and security standards and practices for their MMIS. MARS-E 2.0 compliance is required for states' Medicaid/CHIP Eligibility and Enrollment (E&E) systems in order to maintain their Authority to Connect with CMS. Link for more information about MARS-E 2.0: https://www.medicaid.gov/federal-policy-guidance/downloads/cib-09-23-2015.pdf (PDF, 105.5 KB).

FAQ ID:94871

For E&E and MMIS, enhanced FFP funding is available at 90 percent via the usual Advanced Planning Document process.

FAQ ID:94876

Section 1902(a) (25) (I) of the Act defines ""health insurers"" to include self-insured plans, group health plans (as defined in section Medicaid Management Information Systems (MMIS)(l) of the Employee Retirement Income Security Act of 1974 (ERISA)), service benefit plans, managed care organizations (MCOs), pharmacy benefit managers (PBMs), and ""other parties that are, by statute, contract, or agreement, legally responsible for payment of a claim for a health care item or service."" Workers' compensation, automobile insurance, and liability insurance plans all are included within the definition of ""health insurer"" for purposes of this section and the requisite state laws which must be enacted pursuant to it.

The CMS interprets ""other parties that are, by statute, contract, or agreement, legally responsible for payment of a claim"" to include:

1. Prepaid Inpatient Health Plans (PIHPs) and Prepaid Ambulatory Health Plans (PAHPs). For purposes of Medicaid managed care, PIHPs and PAHPs are entities that contract with the state to deliver Medicaid-covered services; in that context, they would also be considered ""other parties that are, by contract, legally responsible for payment of a claim for a health care item or service;"" and,
2. Such entities as third party administrators (TPAs), fiscal intermediaries, and managed care contractors, which administer benefits on behalf of the riskbearing plan sponsor (e.g., an employer with a self-insured health plan). CMS recognizes that entities such as PBMs and TPAs do not necessarily have ultimate financial liability, but, to the extent that they are required, by contract or otherwise, to review claims and authorize payment by the plan sponsor, they are included within the definition of ""third party"" and ""health insurer"" for purposes of section 1902(a) (25) of the Act.

Nothing in revisions to the Social Security Act made by the Deficit Reduction Act of 2005 (DRA) imposes new liability to pay claims on entities that do not otherwise bear such liability. Nor does section 1902(a) (25) of the Act negate any right of indemnification against a plan sponsor or other entity with ultimate liability for health care claims by a contracting party that pays the claims.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94021

Indemnity policies may be considered third party resources if the policies meet certain criteria. Federal Medicaid regulations at 42 CFR 433.136 define a third party as ""any individual, entity, or program that is or may be liable to pay all or part of the expenditures for medical assistance furnished under a state plan."" This includes private insurance. Section 433.136 also defines private insurer to include ""any commercial insurance company offering health or casualty insurance to individuals or groups (including both experience-related insurance contracts and indemnity contracts)."" Private insurers are required to comply with the Deficit Reduction Act of 2005 (DRA) and related state enactments.

Indemnity plans may include a variety of insurance policies such as accident, cancer/specified disease, dental, hospital confinement indemnity, hospital confinement sickness indemnity, hospital intensive care, long-term care, short-term disability, specified health event, and vision. An individualized review of the various policy terms would be necessary to determine if they should be considered a third party resource for purposes of Medicaid. If this review determines that the policy provides for payment of health care items and services, the policy is a third party resource and payments would be assigned to the Medicaid agency.

An indemnity policy may be designed to pay a cash benefit to policyholders, unless the policyholder chooses otherwise. The policy may state that these payments may be used to cover medical expenses or living expenses such as rent, child care, or groceries. However, the insurance company may condition payment upon the occurrence of a medical event. Whenever payments are linked to specific medical events, these payments should be considered third party payments. Thus, the state could seek to recover Medicaid payments from the policy benefits.

Where indemnity policies do not qualify as a third party resource, any payments made to a Medicaid beneficiary may be countable as income for Medicaid eligibility purposes.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94026