An official website of the United States government

Can provider-controlled settings with Memory Care Units with controlled-egress comply with the new Medicaid HCBS settings rule? If so, what are the requirements for such settings?

Yes, but only if controlled-egress is addressed as a modification of the rules defining home and community-based settings, with the state ensuring that the provider complies with the requirements of 42 C.F.R. 441.301(c)(4)(F), 441.530(a)(vi)(F) and 441.710(a)(vi)(F). Any setting using controlled-egress should assess an individual who exhibits wandering (and the underlying conditions, diseases or disorders) and document the individual's choices about and need for safety measures in his or her person-centered care plan.

How can residential and adult day settings comply with the HCBS settings requirements while serving Medicaid beneficiaries who may wander or exit-seek unsafely?

Many Medicaid beneficiaries living with dementia and other conditions can have a heightened risk of wandering, or attempting to leave a setting (exit-seeking) unsafely. These behaviors are not necessarily constant or permanent.

Can the Systems Integrator (SI) be awarded contracts for development of modular components within the MMIS project?

Yes. While CMS envisions a discrete role for the System Integrator (SI) in each state, with specific focus on ensuring the integrity and interoperability of the Medicaid IT architecture and coherence of the various modules incorporated into the Medicaid system complex, it is permissible for an SI to provide modules as part of the overall solution.

What security and privacy documents are state Medicaid agencies required to have for their MMIS?

State Medicaid agencies are required to have MMIS System Security Plan and Privacy Impact Assessment documents. State Medicaid agencies must perform regular, routine security and privacy risk assessments to ensure that beneficiary data is protected and safeguarded in a manner consistent with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.

If the state conducts a staged rollout for implementing new MMIS Medicaid modules, will CMS pay for the overlapping costs?

Yes, CMS will support the costs for this kind of MMIS transition. We encourage states to ensure that both the current vendor's and new solutions provider's contracts account for this transition period and address a prorating of cost during this time. States should minimize the costs of transition by performing due diligence on the anticipated spending. The legacy system provider should be compensated for its role in ensuring a smooth transition, with a ramp-down of other operational costs.

Which of the checklist paths (MITA, Module, Custom) described in the MECT are best for a state implementing a services-type solution?

All the criteria in the checklists (MITA, MMIS or Custom) are the same. The difference between the checklists is how the criteria are organized within them. If the services solution is an innovative, unique, or unconventional approach, then the custom checklist approach might be appropriate. The RO will work with the state and vendors to decide which checklist set is best suited for the state's certification. Both service and traditional-type solutions need to meet all certification criteria to ensure compliance with federal regulations.

If a state is reusing an MMIS system or module already certified in another state, does it need to go through certification review and decision?

CMS encourages states to reuse modular solutions as much as possible. If a state can reuse a modular solution from another state with minimal changes or customization, CMS will work with the state to streamline the certification process as much as possible to leverage knowledge of the reused solution. However, CMS will still require a certification decision for each state implementation of reused solutions to ensure compliance with federal regulations.

Why does the IV&V contractor need to sit outside the Medicaid agency?

To reduce potential conflict of interest, CMS is ensuring that states are arranging IV&V services through contracts that should be owned outside of the agency that owns the MMIS or E&E project. The oversight organization for the IV&V contractor should not be involved in oversight of the development effort, a stakeholder in the business implementation, or the DDI contractor. The IV&V contract monitor should be aware of system development problem solving, reporting, and contractor management.