Frequently Asked Questions are used to provide additional information and/or statutory guidance not found in State Medicaid Director Letters, State Health Official Letters, or CMCS Informational Bulletins. The different sets of FAQs as originally released can be accessed below.Frequently Asked Questions are used to provide additional information and/or statutory guidance not found in State Medicaid Director Letters, State Health Official Letters, or CMCS Informational Bulletins. The different sets of FAQs as originally released can be accessed below.
Frequently Asked Questions
What is the Precertification Pilot?
The Precertification Pilot was an experiment conducted from October 2017-March 2018 designed to streamline certification and attract new vendors. Unfortunately, the pilot was found to be unscalable across Medicaid. However, key learnings from the pilot will be incorporated into current processes and future experiments around vendor engagement, certification, scalability, and sustainability. The goals the Centers from Medicare & Medicaid Services (CMS) identified at the beginning of the Precertification Pilot process remain the same: reduce the level of effort of certification; shorten the certification timeline; promote modularity and interoperability; reduce risk of system failure; and attract new vendors to the Medicaid IT market. Contact CMS with your ideas for experiments to achieve those goals at MES@cms.hhs.gov.
Is IV&V required during operations and maintenance (O&M) for MMIS?
As contained in the MECT standard RFP/contract language required by CMS, CMS does not cover activities that the state may require of the IV&V contractor during ongoing O&M. However, as Medicaid is moving away from monolithic single applications, it is expected that states will continuously update and replace modules in their enterprise. Therefore, IV&V should always have a role to ensure successful integration and testing.
What would preclude a company from being eligible to bid on the MMIS or E&E IV&V contract(s)?
If an organization is performing another role (such as systems integrator, PMO, quality assurance, etc.) on the MMIS or E&E project, it may not perform the IV&V function on the same project. A state may contract the same vendor to perform the IV&V role for both its E&E and MMIS projects.
Why does the IV&V contractor need to sit outside the Medicaid agency?
To reduce potential conflict of interest, CMS is ensuring that states are arranging IV&V services through contracts that should be owned outside of the agency that owns the MMIS or E&E project. The oversight organization for the IV&V contractor should not be involved in oversight of the development effort, a stakeholder in the business implementation, or the DDI contractor. The IV&V contract monitor should be aware of system development problem solving, reporting, and contractor management. This contract oversight provides true independence between the IV&V contractor and system development teams. This requirement is consistent with other HHS agencies' practices and industry best practices.
If a state is reusing an MMIS system or module already certified in another state do they need to go through certification review and decision?
CMS encourages states to reuse modular solutions as much as possible. If a state can reuse a modular solution from another state with minimal changes or customization, CMS will work with the state to streamline the certification process as much as possible to leverage knowledge of the reused solution. However, CMS will still require a certification decision for each state implementation of reused solutions to ensure compliance with federal regulations.
Which of the checklist paths (MITA, Module, Custom) described in the MECT are best for a state implementing a services-type solution?
All the criteria in the checklists (MITA, MMIS or Custom) are the same. The difference between checklists is the criteria organization within the checklists. If the services solution is innovative, unique, or an unconventional approach, then the custom checklist approach might be appropriate. The RO will work with the state and vendors to decide which checklist set is best suited for the state's certification. Both service and traditional-type solutions need to meet all certification criteria to ensure compliance with federal regulations.
If the state conducts a staged rollout for implementing new MMIS Medicaid modules, will CMS pay for the overlapping costs?
Yes, CMS will support the costs for this kind of MMIS transition. We encourage states to ensure that both the current vendor's and new solutions provider's contracts account for this transition period and address a prorating of cost during this time. States should minimize the costs of transition by performing due diligence on the anticipated spending. The legacy system provider should be compensated for its role in ensuring a smooth transition, with a ramp-down of other operational costs. The new solutions provider should have deliverables in its contract that speak to the soft launch or phased launch approach, with an uptick in operational costs as the transition progresses.
What security and privacy documents are state Medicaid agencies required to have for their MMIS?
State Medicaid agencies are required to have MMIS System Security Plan and Privacy Impact Assessment documents. State Medicaid agencies must perform regular routine security and privacy risk assessments to ensure the protection and safeguard of beneficiary data that is consistent with Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Please refer to the MECT for more details: https://www.medicaid.gov/medicaid/data-and-systems/mect/index.html
Can the Systems Integrator (SI) be awarded contracts for development of modular components within the MMIS project?
Yes. While CMS envisions a discrete role for the System Integrator (SI) in each state, with specific focus on ensuring the integrity and interoperability of the Medicaid IT architecture and coherence of the various modules incorporated into the Medicaid system complex, it is permissible for an SI to provide modules as part of the overall solution. The target outcome for the SI in support of the state should be to foster best-in-breed solutions for Medicaid business requirements, with the SI responsible for the successful integration of the chosen solutions and infrastructure into a seamless functional system. The SI must ensure that all modules have open APIs and remain loosely coupled. More information on the SI role can be found in Section 1.7 of the Medicaid Enterprise Certification Life Cycle, part 01 of the MECT. States are encouraged to use an acquisition approach that limits the potential for conflict of interest an SI may have in choosing the modular solutions to be incorporated into the system. As described above, the goal is to avoid lock-in to a single vendor or an otherwise closed set of solutions.
Can a state decide to be its own MMIS systems integrator?
CMS encourages the use of an SI outside the state agency, but states can consider themselves in that role if they can support that effort and if that decision is made with consultation and agreement from CMS. For more information about the role of the SI, see Section 1.7 in part 01 of MECT Medicaid Enterprise Certification Life Cycle. https://www.medicaid.gov/medicaid/data-and-systems/mect/index.html