Enhanced Funding Requirements: Seven Conditions and Standards
This page has been transcribed from the original CMS publication Enhanced Funding Requirements: Seven Conditions and Standards Medicaid IT Supplement (MITS-11-01-v1.0), April 2011
Under sections 1903(a)(3)(A)(i) and 1903(a)(3)(B) of the Social Security Act, the Centers for Medicare & Medicaid Services (CMS) has issued new standards and conditions that must be met by the states in order for Medicaid technology investments (including traditional claims processing systems, as well as eligibility systems) to be eligible for the enhanced match funding. The final regulation establishing these standards and conditions was made public on April 14, 2011 http://www.regulations.gov/#!searchResults;rpp=10;po=70;s=CMS-2010-0251.
Our purpose in moving to this standards and conditions-based approach to approving federal funding is intended to foster better collaboration with states, reduce unnecessary paperwork, and focus attention on the key elements of success for modern systems development and deployment.
In this document, we provide more detail about the seven conditions and standards and the kinds of information, activities and documentation the federal government will examine over the course of a systems development life-cycle to allow for initial and ongoing approval of enhanced funding. More importantly, these dimensions of development and artifacts are essential to help states ensure they are making efficient investments and will ultimately improve the likelihood of successful system implementation and operation. This document, and the principles contained in our April 2011 final regulation, build on the work CMS, states and private industry have done over the last six years under the Medicaid Information Technology Architecture (MITA) initiative.
MITA is intended to foster integrated business and information technology (IT) transformation across the Medicaid enterprise to improve the administration and operation of the Medicaid program. (The Medicaid enterprise is comprised of the states, the federal government, and stakeholders who are directly and indirectly part of the administration and health care delivery ecosystem.) The MITA initiative provides a common framework for all Medicaid stakeholders to focus on opportunities to build common services by decoupling legacy systems and processes, and liberating data previously stored and contained in inaccessible silos. The MITA framework facilitates a more modern and agile approach to traditional systems development life-cycle approaches that have had great difficulty in keeping up with the rate of change demanded by the changing business landscape of health care delivery and administration. By providing a common Framework for the Medicaid Enterprise to plan, architect, engineer, and implement new and changing business requirements, the effort to modernize Medicaid IT systems and processes becomes more stable, uniform, and lowers the risk of poor implementation. Over time, this effort will drive the states’ systems toward a widespread network of shared, common technology and processes that support improved state administration of the Medicaid program. Our initial emphasis is on streamlining the eligibility and enrollment process, improving user experiences, increasing administrative efficiencies, and supporting with greater effectiveness the ability to manage care and produce improved health outcomes for Medicaid beneficiaries.
The MITA initiative began in 2005 with the concept of moving the design and development of Medicaid information systems away from the siloed, sub-system components that comprise a typical Medicaid Management Information Systems (MMIS) and moving to a service oriented architecture (SOA) framework of designing Medicaid information systems along the core principle that business processes inform and drive the implementation of business services. The MITA initiative produced an architecture framework—business, technical, and information—along with a business maturity model for process improvement, that guides the planning of technology and infrastructure build-out to meet the changing business needs of Medicaid programs. MITA enables all state Medicaid enterprises to meet common objectives within the MITA framework while still supporting local needs unique to the particular state. All MITA framework documents are available to the public at http://www.cms.gov/MedicaidInfoTechArch/.
CMS is also issuing Guidance for Exchange and Medicaid Information Technology (IT) Systems (IT Guidance) relevant to Medicaid agencies as it articulates expectations and supports development and design for Medicaid and Exchange operations. Medicaid and Exchange IT Guidance focuses on those business functions and supporting IT solutions needed for successful implementation of expanded coverage through premium tax credits and reduced cost sharing, and enrollment in Medicaid and Children’s Health Insurance Program (CHIP). CMS recognizes that there is not a ‘‘one size fits all’’ technology solution to every business challenge. Each technology investment must be viewed in light of existing, interrelated assets and their maturity. There are trade-offs concerning schedules, costs, risks, business goals, and other factors that should be considered when making technology investments; however, CMS must ensure that enhanced Federal Financial Participation (FFP) funding is approved only when Medicaid infrastructure and information systems projects meet statutory and regulatory requirements to support efficient and effective operation of the program.
Purpose and Scope
The purpose of this document is to assist states as they design, develop, implement and operate technology and systems projects in support of the Medicaid program. This document provides additional insight and context to states to allow them to meet the conditions and standards for enhanced federal match for Medicaid technology investments. Future editions of this guidance will be developed with additional input from and consultation with states.
Conditions and Standards
This condition requires the use of a modular, flexible approach to systems development, including the use of open interfaces and exposed application programming interfaces (API); the separation of business rules from core programming; and the availability of business rules in both human and machine-readable formats. The commitment to formal system development methodology and open, reusable system architecture is extremely important in order to ensure that states can more easily change and maintain systems, as well as integrate and interoperate with a clinical and administrative ecosystem designed to deliver person-centric services and benefits.
Modularity is breaking down systems requirements into component parts. Extremely complex systems can be developed as part of a service-oriented architecture (SOA). Modularity also helps address the challenges of customization. Baseline web services and capabilities can be developed for and used by anyone, with exceptions for specific business processes handled by a separate module that interoperates with the baseline modules. With modularity, changes can be made independently to the baseline capabilities without affecting how the extension works. By doing so, the design ensures that future iterations of software can be deployed without breaking custom functionality.
A critical element of compliance with this condition is providing CMS with an understanding of where services and code will be tightly coupled, and where the state will pursue a more aggressive decoupling strategy.
Use of Systems Development Lifecycle methodologies. States should use a system development lifecycle (SDLC) methodology for improved efficiency and quality of products and services. The system development lifecycle methodology should have distinct, well-defined phases for inception through close-out; include planning that describes schedules, target dates, and budgets; should exhibit controls over the life of the project via written documentation, formal reviews, and signoff/acceptance by the system owner(s); and should have well documented, repeatable processes with clear input and output criteria (e.g., artifacts). States should assess deliverables against CMS guidelines such as MITA and Medicaid and Exchange IT Guidance.
CMS is implementing a streamlined systems development life cycle process for Exchange Grants that accommodates CMS feedback and direction to the states. All grantees have received guidance on this process. We will also distribute information on our combined Exchange/ Medicaid governance processes to states through a variety of different mechanisms, including informational bulletins and by posting materials on our CMS website. States will be required to participate in this process for eligibility and enrollment systems needed to implement expansions under the Affordable Care Act. States may refer to this SDLC process as a model they can employ internally for other Medicaid IT projects. Otherwise, the system development methodology framework selected by the state should suit the specific kinds of project, based on varying technical, organizational, project, and team factors. Some mature methodologies for consideration include the traditional “waterfall” model; Rapid Application Development (RAD); Spiral Approach; Unified Process or Rational Unified Process (RUP), which reinforces the usage of Unified Modeling Language (UML); and Agile Development.
The objective of any SDLC process is to provide structure and discipline, and states are to build secure IT solutions based on SOA principles. The application of and adherence to SOA principles should facilitate the delivery of flexible, agile, and interoperable MMISs. States should employ an open, reusable system architecture that separates the presentation layer, business logic (i.e., service layer), and data layer for greater flexibility, security, performance, and quality of design, implementation, maintenance, and enhancement in the software life cycle. The system architecture should utilize a user interface (UI) framework that deploys presentation components to allow for communication with disparate populations using different media formats such as web, email, mobile, and short message service (i.e., text messaging).
Identification and description of open interfaces. States should emphasize the flexibility of open interfaces and exposed APIs as components for the service layer. States should identify all interfaces in their development plan and discuss how those interfaces will be maintained. States must develop and maintain an exposed API to any data services hub available for the reporting of data, verifications, and exchange of data among states. Service interfaces should be documented in an Interface Control Document (ICD). This ICD, for which CMS can provide a template, should contain details of hardware, operating systems, software, memory, service packs, product keys, and versions.
Use of business rules engines. States should ensure the use of business rules engines to separate business rules from core programming, and should provide information about the change control process that will manage development and implementation of business rules. States should be able to accommodate changes to business rules on a regularized schedule and on an emergency basis.
States should identify and document the business rules engines used, the manner in which the business rules engine(s) is implemented in the state’s architecture, the type of business rules engine (e.g., forward-chaining, backward-chaining, deterministic/domain specific, event processing, inference-based, etc.); the licensing and support model associated with the business rules engine(s); and the approximate number of rules the business rules engine(s) executes for a given business process.
Submission of business rules to a HHS-designated repository. States should be prepared to submit all their business rules in human-readable form to an HHS repository, which will be made available to other states and to the public. In their APD, states must specify when they expect to make those business rules available. CMS will provide additional detail and specifications about how to submit those rules. If the states want to protect distribution of any specific business rules (e.g., those that protect against fraud), states may specify their desire to protect those rules.
This condition requires states to align to and advance increasingly in MITA maturity for business, architecture, and data. CMS expects the states to complete and continue to make measurable progress in implementing their MITA roadmaps. Already the MITA investments by federal, state, and private partners have allowed us to make important incremental improvements to share data and reuse business models, applications, and components. CMS strives, however, to build on and accelerate the modernization of the Medicaid enterprise that has thus far been achieved.
MITA Self Assessments. CMS will be reviewing and producing MITA 3.0 in 2011. This next version of MITA will take into account the changes required by the Affordable Care Act and the availability of new technologies such as cloud computing and build out maturity levels 4 and 5. Once completed, CMS expects all states to update their self assessments within 12 months. If a state has not yet completed a self assessment, it may wait until version 3.0 is published (expected in 2011).
MITA Roadmaps. States will provide to CMS a MITA Maturity Model Roadmap that addresses goals and objectives, as well as key activities and milestones, covering a 5-year outlook for their proposed MMIS solution, as part of the APD process. This document will be updated on an annual basis. States should demonstrate how they plan to improve in MITA maturity over the 5-year period and their anticipated timing for full MITA maturity. States should ensure that they have a sequencing plan that considers cost, benefit, schedule, and risk.
Concept of Operations (COO) and Business Process Models (BPM). States should develop a concept of operations and business work flows for the different business functions of the \state to advance the alignment of the state’s capability maturity with the MITA Maturity Model (MMM). These COO and business work flows should align to any provided by CMS in support of Medicaid and Exchange business operations and requirements. States should work to streamline and standardize these operational approaches and business work flows to minimize customization demands on technology solutions and optimize business outcomes. CMS will provide more direction in future guidance about the form and format for the COO and BPMs.
Industry Standards Condition
States must ensure alignment with, and incorporation of, industry standards: the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security, privacy and transaction standards; accessibility standards established under section 508 of the Rehabilitation Act, or standards that provide greater accessibility for individuals with disabilities, and compliance with federal civil rights laws; standards adopted by the Secretary under section 1104 of the Affordable Care Act; and standards and protocols adopted by the Secretary under section 1561 of the Affordable Care Act.
CMS must ensure that Medicaid infrastructure and information system investments are made with the assurance that timely and reliable adoption of industry standards and productive use of those standards are part of the investments. Industry standards promote reuse, data exchange, and reduction of administrative burden on patients, providers, and applicants.
Identification of industry standards. CMS will communicate applicable standards to states. Standards would be updated periodically to ensure conformance with changes in the industry. States will be required to update systems and practices to adhere to evolving industry standards in order to remain eligible for enhanced FFP funding.
The state must identify all industry standards relevant to the scope and purpose of their project and produce development and testing plans to ensure full compliance. States must also have risk and mitigation strategies in place to address potential failures to comply.
Incorporation of industry standards in requirements, development, and testing phases. States must implement practices and procedures for the system development phases such as requirements analysis, system testing, and user acceptance testing (UAT). States’ plans must ensure that all systems comply fully and on-time with all industry standards adopted by the Secretary of HHS.
To comply with to the Rehabilitation Act’s section 508(c) for accessibility of user interfaces for disabled persons, states must produce a Section 508 Product Assessment Package as part of their SDLC. The state should perform regularly scheduled (i.e., automatic) scans and manual testing for Section 508(c) compliance for all types of user interface screens (static, dynamic, Web, client-server, mobile, etc.) to meet the standards for full compliance. Software is available that assist with Section 508(c) compliance testing.
State solutions should promote sharing, leverage, and reuse of Medicaid technologies and systems within and among states.
States can benefit substantially from the experience and investments of other states through the reuse of components and technologies already developed, consistent with a service-oriented architecture, from publicly available or commercially sold components and products, and from the use of cloud technologies to share infrastructure and applications. CMS commits to work assertively with the states to identify promising state systems that can be leveraged and used by other states. Further, CMS would strongly encourage the states to move to regional or multistate solutions when cost effective, and will seek to support and facilitate such solutions. In addition, CMS will expedite APD approvals for states that are participating in shared development activities with other states, and that are developing components and solutions expressly intended for successful reuse by other states.
CMS will also review carefully any proposed investments in sub-state systems when the federal government is asked to share in the costs of updating or maintaining multiple systems performing essentially the same functions within the same state.
Multi-state efforts. States should identify any components and solutions that are being developed with the participation of or contribution by other states.
Availability for reuse. States should identify any components and solutions that have high applicability for other reuse by other states, how other states will participate in advising and reviewing these artifacts, and the development and testing path for these solutions and components will promote reuse. As the capability becomes available, states should supply key artifacts to a common, national cloud-based repository accessible by all states and CMS. Further definition of these artifacts (SLDC deliverables, business requirements and process flows, and conceptual and logical data models) and how to provide them to the national repository will follow in subsequent guidance.
Identification of open source, cloud-based and commercial products. States should pursue a service-based and cloud-first strategy for system development. States will identify and discuss how they will identify, evaluate, and incorporate commercially or publicly available off-the-shelf or open source solutions, and discuss considerations and plans for cloud computing. States should identify any ground-up development activity within their development approaches and explain why this ground-up activity has been selected.
Customization. States will identify the degree and amount of customization needed for any transfer solutions, and how such customization will be minimized.
Transition and retirement plans. States should identify existing duplicative system services within the state and seek to eliminate duplicative system services if the work is cost effective such as lower total cost of ownership over the long term.
Business Results Condition
Systems should support accurate and timely processing of claims (including claims of eligibility), adjudications, and effective communications with providers, beneficiaries, and the public.
Ultimately, the test of an effective and efficient system is whether it supports and enables an effective and efficient business process, producing and communicating the intended operational results with a high degree of reliability and accuracy. It would be inappropriate to provide enhanced federal funding for systems that are unable to support desired business outcomes.
Degree of automation. The state should be highly automated in systematic processing of claims (including claims of eligibility) and steps to accept, process, and maintain all adjudicated claims/transactions.
Customer service. States should document how they will produce a 21st-century customer and partner experience for all individuals (applicants, beneficiaries, plans, and providers). This 21stcentury customer experience should include the ability to submit and manage interactions with Medicaid through the web and to self-manage and monitor accounts and history electronically. It should also outline how customer preferences for communications by email, text, mobile devices, or phones will be accommodated. States should also commit to testing and evaluation plans to ensure providers, applicants, and others interacting with and using their systems will have the opportunity to provide feedback and assessment of accessibility, ease of use, and appropriateness of decisions.
Performance standards and testing. CMS intends to provide additional guidance concerning performance standards—both functional and non-functional, and with respect to service level agreements (SLA) and key performance indicators (KPI). We expect to consult with states and stakeholders as we develop and refine these measures and associated targets. As this list of measures will be focused on very core elements/indicators of success, states should also consider adding state-specific measures to this list.
For the implementation of IT system enhancements, states will execute tests against test cases intended to verify and validate the system’s adherence to its functional and non-functional requirements.
For operational IT systems, states will periodically evaluate system performance against established SLAs. When SLAs are not met, states will create and execute a Plan of Action with Milestones (POAM). CMS reserves the right to inspect a state’s performance assessment outcomes and POAMs. States will periodically evaluate operational business processes against established KPIs. When KPIs are not met, states will create and execute a POAM. CMS reserves the right to inspect a state’s performance assessment outcomes and POAMs.
Solutions should produce transaction data, reports, and performance information that would contribute to program evaluation, continuous improvement in business operations, and transparency and accountability.
Systems should be able to produce and to expose electronically the accurate data that are necessary for oversight, administration, evaluation, integrity, and transparency. These reports should be automatically generated through open interfaces to designated federal repositories or data hubs, with appropriate audit trails. MITA 3.0 will provide additional detail about reporting requirements and needs that arise from the Affordable Care Act. Additional details about data definitions, specifications, timing, and routing of information will be supplied later this year.
Systems must ensure seamless coordination and integration with the Exchange (whether run by the state or federal government), and allow interoperability with health information exchanges, public health agencies, human services programs, and community organizations providing outreach and enrollment assistance services.
CMS expects that a key outcome of the government’s technology investments will be a much higher degree of interaction and interoperability in order to maximize value and minimize burden and costs on providers, beneficiaries, and other stakeholders. CMS is emphasizing in this standard and condition an expectation that Medicaid agencies work in concert with Exchanges (whether state or federally administered) to share business services and technology investments in order to produce seamless and efficient customer experiences. Systems must also be built with the appropriate architecture and using standardized messaging and communication protocols in order to preserve the ability to efficiently, effectively, and appropriately exchange data with other participants in the health and human services enterprise.
As stated in MITA Framework 2.0, each state is “responsible for knowing and understanding its environment (data, applications and infrastructure) in order to map its data to information sharing requirements. The data-sharing architecture also addresses the conceptual and logical mechanisms used for data sharing (i.e., data hubs, repositories, and registries). The data-sharing architecture will also address data semantics, data harmonization strategies, shared-data ownership, security and privacy implications of shared data, and the quality of shared data.
Interactions with the Exchange. States should ensure that open interfaces are established and maintained with any federal data services hub and that requests to the hub are prepared and available for submission immediately after successful completion of the application for eligibility. States must ensure and test communications between Exchange and Medicaid systems so that determinations and referrals can be effectively transmitted from the Exchange. States should describe how shared services will support both the Exchange and Medicaid.
Interactions with other entities. States should consult with and discuss how the proposed systems development path will support interoperability with health information exchanges, public health agencies, and human services programs to promote effective customer service and better clinical management and health services to beneficiaries. States should also consult with and discuss how eligibility systems will allow community service organizations to assist applicants seeking health care coverage to complete forms and to submit those forms electronically.
CMS will continue to refine, update, and expand this guidance in the future, based on initial and continuing feedback from states, beneficiaries, providers, and industry; and with experience over time. We intend to actively solicit feedback and well as to invite it. Our experience with states that are early in implementing new eligibility systems in support of Exchanges, Medicaid, and CHIP, as well as states that are beginning or in early stages of development of new claims systems, will be instrumental in helping us to further refine and shape this guidance.
API - Application Programming Interface
BPM - Business Process Model
CHIP - Children’s Health Insurance Program
CMS - Centers for Medicare & Medicaid Services
COO - Concept of Operations
FFP - Federal Financial Participation
HHS - U.S. Department of Health and Human Services
HIPAA - Health Insurance Portability and Accountability Act of 1996
IT - Information Technology
KPI - Key Performance Indicator
MITA - Medicaid Information Technology Architecture
MMIS - Medicaid Management Information System
MMM - MITA Maturity Model
POAM - Plan of Action and Milestones
RAD - Rapid Application Development
RUP - Rational Unified Process
SDLC - System Development Life Cycle
SLA - Service Level Agreement
SOA - Service-Oriented Architecture UAT - User Acceptance Testing
UI - User Interface
UML - Uniform Modeling Language