Frequently Asked Questions are used to provide additional information and/or statutory guidance not found in State Medicaid Director Letters, State Health Official Letters, or CMCS Informational Bulletins. The different sets of FAQs as originally released can be accessed below.Frequently Asked Questions are used to provide additional information and/or statutory guidance not found in State Medicaid Director Letters, State Health Official Letters, or CMCS Informational Bulletins. The different sets of FAQs as originally released can be accessed below.
Frequently Asked Questions
Does CMS participate in the state's life cycle gate reviews?
No. CMS does not participate the state's in E&E or in MMIS system development life cycle (SDLC) level reviews.
Does the IV&V 18-month compliance period apply to E&E systems?
Yes. The rules pertaining to procuring IV&V contracts (State Medicaid Director Letter 16-010) apply to both E&E and MMIS.
Do the documents in the artifacts table need to be created for every module?
In most cases once they are created, the documents will simply be updated to account for the additional modules being planned or developed. A new document is not necessarily created for each module. If a state calls a document by a different name, the state should inform CMS of the name difference.
CALT is no longer available. Where should state artifacts and evidence be posted?
Granting CMS direct access to the state's evidence repository is the preferred method for making evidence available to CMS. If that is not possible, the state may make other secure arrangements with CMS, such as using encrypted File Transfer Protocol (FTP). It is critical to follow all Health Insurance Portability and Accountability Act (HIPAA) regulations when submitting evidence that contains personal health information (PHI) and personally identifiable information (PII).
Should IV&V progress reports include all the checklist sets every time they submit a progress report?
No. Only the checklists pertaining to the modules undergoing review need to be included, and that only for the report created in preparation for a milestone review. However, the IV&V progress report should include risks and recommendations for the entire project--not just those about to undergo a milestone review.
Why are there Standards and Conditions (S&C) and Access and Delivery (A&D) criteria in the Information Architecture checklist?
When streamlining the core checklists (IA, TA and S&C checklists), we found that some criteria fit better in other checklists, so they were moved. To keep traceability simple for the states, we chose to keep the original identifiers for any criteria that were moved. The same holds true for criteria moved to the programmatic tab of the IV&V progress report template.
Are Eligibility and Enrollment (E&E) systems now going to be certified the way MMIS systems are certified?
No, E&E systems are not subject to certification. Though the Medicaid Eligibility and Enrollment Toolkit (MEET) was based on the MMIS toolkit, the MEET was created as a way to align how CMS reviews Medicaid enterprise systems and is a means for CMS to provide technical assistance to the states.
What is the applicability of Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0 to states' Medicaid Management Information Systems (MMIS)?
MARS-E 2.0 compliance is not required by CMS for states' MMIS, but CMS recommends that states follow applicable national privacy and security standards and practices for their MMIS. MARS-E 2.0 compliance is required for states' Medicaid/CHIP Eligibility and Enrollment (E&E) systems in order to maintain their Authority to Connect with CMS. Link for more information about MARS-E 2.0: https://www.medicaid.gov/federal-policy-guidance/downloads/cib-09-23-2015.pdf (PDF, 105.5 KB).
Can state Medicaid agencies access federal financial participation (FFP) to support system changes necessary to meet HIPAA, NIST cybersecurity, or MARS-E 2.0 standards?
For E&E and MMIS, enhanced FFP funding is available at 90 percent via the usual Advanced Planning Document process.
If a state is reusing an MMIS system or module already certified in another state do they need to go through certification review and decision?
CMS encourages states to reuse modular solutions as much as possible. If a state can reuse a modular solution from another state with minimal changes or customization, CMS will work with the state to streamline the certification process as much as possible to leverage knowledge of the reused solution. However, CMS will still require a certification decision for each state implementation of reused solutions to ensure compliance with federal regulations.