Frequently Asked Questions

All the criteria in the checklists (MITA, MMIS or Custom) are the same. The difference between checklists is the criteria organization within the checklists. If the services solution is innovative, unique, or an unconventional approach, then the custom checklist approach might be appropriate. The RO will work with the state and vendors to decide which checklist set is best suited for the state's certification. Both service and traditional-type solutions need to meet all certification criteria to ensure compliance with federal regulations.

FAQ ID:94901

Yes, CMS will support the costs for this kind of MMIS transition. We encourage states to ensure that both the current vendor's and new solutions provider's contracts account for this transition period and address a prorating of cost during this time. States should minimize the costs of transition by performing due diligence on the anticipated spending. The legacy system provider should be compensated for its role in ensuring a smooth transition, with a ramp-down of other operational costs. The new solutions provider should have deliverables in its contract that speak to the soft launch or phased launch approach, with an uptick in operational costs as the transition progresses.

FAQ ID:94906

State Medicaid agencies are required to have MMIS System Security Plan and Privacy Impact Assessment documents. State Medicaid agencies must perform regular routine security and privacy risk assessments to ensure the protection and safeguard of beneficiary data that is consistent with Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Please refer to the MECT for more details: https://www.medicaid.gov/medicaid/data-and-systems/mect/index.html

FAQ ID:94911

Yes. While CMS envisions a discrete role for the System Integrator (SI) in each state, with specific focus on ensuring the integrity and interoperability of the Medicaid IT architecture and coherence of the various modules incorporated into the Medicaid system complex, it is permissible for an SI to provide modules as part of the overall solution. The target outcome for the SI in support of the state should be to foster best-in-breed solutions for Medicaid business requirements, with the SI responsible for the successful integration of the chosen solutions and infrastructure into a seamless functional system. The SI must ensure that all modules have open APIs and remain loosely coupled. More information on the SI role can be found in Section 1.7 of the Medicaid Enterprise Certification Life Cycle, part 01 of the MECT. States are encouraged to use an acquisition approach that limits the potential for conflict of interest an SI may have in choosing the modular solutions to be incorporated into the system. As described above, the goal is to avoid lock-in to a single vendor or an otherwise closed set of solutions.

FAQ ID:94916

CMS encourages the use of an SI outside the state agency, but states can consider themselves in that role if they can support that effort and if that decision is made with consultation and agreement from CMS. For more information about the role of the SI, see Section 1.7 in part 01 of MECT Medicaid Enterprise Certification Life Cycle. https://www.medicaid.gov/medicaid/data-and-systems/mect/index.html

FAQ ID:94921

Yes. The certification checklist defines a set of business and technical requirements that a particular Medicaid function must meet. The checklists and criteria are agnostic as to whether the requirements are met by a system built within the Medicaid Agency, a Software-as-a-Service model, a cloud-hosted model, or an ASO model.

FAQ ID:94461

Yes, our milestone review process is fully aligned with MITA. During each milestone review, CMS will verify that the state has considered MITA maturity during system definition, and whether the state is actively moving toward higher MITA maturity as defined in the state's latest MITA State Self-Assessment. Please see 42 CFR 433.112 (b)(11).

FAQ ID:94476

CMS is looking for new innovators in the Medicaid IT space. Please direct inquiries to: mmis_mes_certification@cms.hhs.gov.

FAQ ID:94416

Please work with your state representatives, so that they can contact CMS regional offices for quick assistance with your questions. In addition, please review other FAQs related to this topic.

FAQ ID:94431

Section 1902(a) (25) (I) of the Act defines ""health insurers"" to include self-insured plans, group health plans (as defined in section Medicaid Management Information Systems (MMIS)(l) of the Employee Retirement Income Security Act of 1974 (ERISA)), service benefit plans, managed care organizations (MCOs), pharmacy benefit managers (PBMs), and ""other parties that are, by statute, contract, or agreement, legally responsible for payment of a claim for a health care item or service."" Workers' compensation, automobile insurance, and liability insurance plans all are included within the definition of ""health insurer"" for purposes of this section and the requisite state laws which must be enacted pursuant to it.

The CMS interprets ""other parties that are, by statute, contract, or agreement, legally responsible for payment of a claim"" to include:

1. Prepaid Inpatient Health Plans (PIHPs) and Prepaid Ambulatory Health Plans (PAHPs). For purposes of Medicaid managed care, PIHPs and PAHPs are entities that contract with the state to deliver Medicaid-covered services; in that context, they would also be considered ""other parties that are, by contract, legally responsible for payment of a claim for a health care item or service;"" and,
2. Such entities as third party administrators (TPAs), fiscal intermediaries, and managed care contractors, which administer benefits on behalf of the riskbearing plan sponsor (e.g., an employer with a self-insured health plan). CMS recognizes that entities such as PBMs and TPAs do not necessarily have ultimate financial liability, but, to the extent that they are required, by contract or otherwise, to review claims and authorize payment by the plan sponsor, they are included within the definition of ""third party"" and ""health insurer"" for purposes of section 1902(a) (25) of the Act.

Nothing in revisions to the Social Security Act made by the Deficit Reduction Act of 2005 (DRA) imposes new liability to pay claims on entities that do not otherwise bear such liability. Nor does section 1902(a) (25) of the Act negate any right of indemnification against a plan sponsor or other entity with ultimate liability for health care claims by a contracting party that pays the claims.

Supplemental Links:

• This FAQ was released as part of a larger set. View the full set. (PDF, 252.32 KB) 

FAQ ID:94021