Frequently Asked Questions are used to provide additional information and/or statutory guidance not found in State Medicaid Director Letters, State Health Official Letters, or CMCS Informational Bulletins. The different sets of FAQs as originally released can be accessed below.Frequently Asked Questions are used to provide additional information and/or statutory guidance not found in State Medicaid Director Letters, State Health Official Letters, or CMCS Informational Bulletins. The different sets of FAQs as originally released can be accessed below.
Frequently Asked Questions
What is reuse?
The Centers for Medicare & Medicaid Services expects states receiving Federal Financial Participation to share with other states project artifacts, documents and other related materials, and systems components and code for leverage and reuse.
Read the state Medicaid director letter (SMD #18-005) on reuse (PDF, 70.77 KB). Reuse can be accomplished through sharing or acquiring:
- An entire set of business services or systems, including shared hosting of a system or shared acquisition and management of a turnkey service
- A complete business service or a stand-alone system module
- Subcomponents such as code segments, rule bases, configurations, customizations, and other parts of a system or module that are designed for reuse
How do states get started with reuse?
To get started with reuse, a state can:
- Review the state Medicaid director letter (SMD #18-005) on reuse (PDF, 70.77 KB)
- View the introductory video to get familiar with the concept and framework of reuse
- Contact the Medicaid Enterprise Systems (MES) at MES@cms.hhs.gov to request access to the MES Reuse Repository
What is the Reuse Repository, and how can states access it?
The Centers for Medicare & Medicaid Services (CMS) established the Medicaid Enterprise Systems (MES) Reuse Repository to support states’ ability to share and reuse project life cycle artifacts. The repository is available on the CMS zONE (Opportunity to Network and Engage). States must have a CMS Enterprise Identity Management login to access the Reuse Repository.
View complete instructions for accessing the Reuse Repository.
Contact MES at MES@cms.hhs.gov for additional assistance in accessing the repository.
Is training available for reuse concepts and tools?
The reuse webpage on Medicaid.gov features an introductory video and more information about reuse. The webpage also has policy guidance documents.
The Medicaid Enterprise Systems Reuse Repository has instructions on how to use its features. These include how to add artifacts, search for artifacts, use the discussion forum features, and more.
How do states share?
States can share reusable artifacts with others in several ways. States can participate in workgroups such as the Medicaid Management Information System Cohort, State Technical Advisory Group, and any other relevant state groups to facilitate knowledge sharing, partnerships, and collaboration. States with access to the Reuse Repository also may add their reusable artifacts directly to the repository.
View complete instructions for accessing the Medicaid Enterprise Systems (MES) Reuse Repository. Contact MES at MES@cms.hhs.gov for additional assistance in accessing the repository or participating in workgroups.
If a state is reusing a system or module already certified in another state, do they still need to go through certification review and decision?
Certification is required for any new implementation, whether it is a custom- developed module that is transferred from another state, or a commercial off-the-shelf module that is being configured and integrated. The certification process looks at the state’s implementation of the solution to ensure the state has met all federal requirements.
States may reuse system documentation and other supporting evidence from a previous state certification if it is available and applicable to their systems and has been reconfirmed by independent verification and validation.
What aspects of reuse do states need to be aware of when developing advance planning documents (APDs)?
APDs must demonstrate a reuse-friendly design that includes the sharing of systems, modules, code, and any other developed artifacts. States could include language describing their efforts to find and learn from or reuse components from similar systems, or efforts the state is making to ensure that other states more easily can reuse the proposed system once it is developed.
What is the Centers for Medicare & Medicaid Services (CMS) policy regarding ownership rights?
From an intellectual property standpoint, reuse is supported by the general grant conditions for Federal Financial Participation (FFP) under 45 CFR 95.617, which require states to "include a clause in all procurement instruments that provides that the State or local government will have all ownership rights in software or modifications thereof and associated documentation designed, developed, or installed with FFP under this subpart."
Further, according to 42 CFR 433.112(6), CMS has "a royalty free, non-exclusive, and irrevocable license to reproduce, publish, or otherwise use and authorize others to use, for Federal Government purposes, software, modifications to software, and documentation that is designed, developed, installed or enhanced with 90 percent FFP."
In practice, this means that vendors retain ownership rights to software and other products they have developed under their own initiative and funding, while states and CMS have ownership rights to and may share any software, customizations, configurations, or add-ons funded with FFP.
Are states only required to conduct Upper Payment Limit (UPL) demonstrations for services with approved state plan supplemental payment methodologies?
No, an upper payment limit demonstration considers all Medicaid payments (base and supplemental). States must conduct UPL demonstrations for the applicable services described in State Medicaid Director Letter (SMDL) 13-003 regardless of whether a state makes supplemental payments under the Medicaid state plan for the services.
Does a health plan's submission of information from its full eligibility file, for the purpose of matching that information to the Medicaid eligibility file, violate the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rules?
State laws determine what information is required of the health plans. A health plan's disclosure and use of information that is required to be submitted under state law - such as, information from insurer eligibility files sufficient to determine during what period any individual may be, or have been, covered by a health insurer and the nature of the coverage that is or was provided by the health insurer — is consistent with the HIPAA privacy provisions.
Under HIPAA, both the state Medicaid agency and most health insurers are covered entities and must comply with the HIPAA Privacy Rule in 45 CFR Part 160 and Part 164, Subparts A and E. In their capacities as covered entities under HIPAA, the state Medicaid agency and health insurers are restricted from using and disclosing protected health information (PHI), as that term is defined in 45 CFR section 160.103, other than as permitted or required by the HIPAA Privacy Rule. However, as relevant here:
- A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of the law. (45 CFR 164.512(a)(1)) Under this provision, each covered entity must be limited to disclosing or using only the PHI necessary to meet the requirements of the law that compels the use or disclosure. Anything required to be disclosed by a law can be disclosed without violating HIPAA under the "required by law" provisions. Therefore, health insurers may disclose data elements in addition to the four minimum data elements, up to and including submission of an entire insurer eligibility file, to the extent such information is required to be submitted by state law. (45 CFR 164.512(a))
- Separately, a covered entity may use or disclose PHI, without the consent of an individual, for payment activities, including to facilitate payment. (45 CFR 164.502(a)(1) and 164.506) Under HIPAA, the term payment includes activities undertaken by a health plan to determine or fulfill its responsibility for coverage and provision of benefits under the health plan. These activities include determinations of eligibility or coverage, adjudication or subrogation of health benefits claims, and collection activities. (45 CFR 164.501) To the extent plans are releasing this information to the Medicaid program for payment purposes; this is a separate basis for disclosure under HIPAA.
- The HIPAA Privacy Rule generally requires covered entities to take reasonable steps to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. (45 CFR 164.502(b)(1)) However, among other limited exceptions, the minimum necessary requirements do not apply to uses or disclosures that are required by law under 45 CFR 164.512(a).
- This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB)