A Streamlined Approach to Modular Certification: Here's How to Be Ready

On April 14, 2022, the Centers for Medicare and Medicaid Services (CMS) released a State Medicaid Director Letter (SMDL) announcing improvements to the way states certify Medicaid Enterprise System (MES) modules.

What does this mean?

  • CMS sunset the Medicaid Enterprise Certification Toolkit (MECT) and Medicaid Eligibility and Enrollment Toolkit (MEET), eliminating some of the administratively burdensome aspects of MES Modular Certification and streamlining the entire process.
  • In the letter and accompanying documents outlining the changes, CMS introduced a Streamlined Modular Certification (SMC) process that states must now follow to certify their MES modules.
  • The SMC process emphasizes the specific outcomes states are trying to achieve with their MES transformation efforts and establishes testing expectations for MES modular implementations.
  • The new approach aligns with the Outcomes Based Certification (OBC) process piloted by several states.

In this blog, we dig into five key aspects of the new guidance to get smart about the changes and understand the ways you can prepare.

  1. CMS is all about outcomes.

CMS is lasering in on outcomes in its latest guidance. The SMDL explains that “Outcomes describe the measurable improvements to a state’s Medicaid program that should result from the delivery of a new module or enhancement to an existing module.” CMS has defined CMS-required outcomes, while leaving it up to states to define state-specific outcomes for projects. CMS-required outcomes are the standard requirements for certification, based on statutory and regulatory requirements. State-specific outcomes are developed by states and cover those areas of planned program improvements not covered by the CMS-required outcomes. Most MES transformation projects will have CMS-required and state-specific outcomes; however, some systems will only require state-specific outcomes, such as Health Information Exchange (HIE). Also of note, states will now need to include outcomes in Advance Planning Documents (APDs).

  1. Testing, testing, and more testing.

In its new guidance, CMS places a strong emphasis on robust and thorough testing. It wants to see clear evidence that the MES functionality will support state-specific and CMS-required outcomes. The MES Testing Guidance Framework outlines the minimum testing expectations states and their system vendors must follow to meet certification requirements. To start, states must include testing expectations in MES module Requests for Proposals (RFPs), such as vendor staffing skills requirements, testing environments required, definitions for severity levels, test case standards, defect resolution processes, environment monitoring standards, and measuring and reporting Service Level Agreements (SLAs). These testing expectations are designed to help states hold vendors accountable.

From now on, states will need to have Master Test Plans, which can be developed by states or vendors, that describe:

  • How testing will occur
  • Testing stakeholders
  • Scope of features that will be tested
  • Test entry and exit criteria
  • Test data requirements
  • Testing tools that will be used
  • Testing risk identification, tracking, and mitigation processes
  • Testing schedule
  • Defect management process
  • Test metrics and reporting methods

According to the SMDL, states will also need to prove that “robust testing has been performed and the delivered system is of high quality.” They will need to provide CMS with evidence and results throughout the Systems Development Life Cycle (SDLC) related to:

  • Unit Testing
  • System Integration Testing (SIT)
  • Regression Testing
  • User Acceptance Testing (UAT)
  • Performance Testing
  • Load Testing
  • Parallel Testing
  • Data Migration Testing
  • Security Testing
  • Usability Testing

In addition to sharing testing results, states will need to provide testing and quality metrics with CMS. To help reduce costs and drive speed and consistency throughout testing during the SDLC, CMS is encouraging the use of automated testing. It hopes that automated testing will make it easier to find and resolve defects early in the SDLC, so states avoid larger downstream impacts. CMS is also pushing for states to use synthetic data for testing when possible. This allows states to test real-world scenarios, but adds a layer of security because no Personally Identifiable Information (PII) or Protected Health Information (PHI) exists in the data being tested. Additionally, CMS encourages states to pool testing resources and share knowledge with other states to increase efficiencies. Finally, CMS is asking states to define formal testing team structures, which can include a combination of state and vendor staff. States should consider establishing robust Testing Centers of Excellence (TCOE) to ensure they meet CMS's testing requirements. States may choose to build out their own TCOE or leverage external resources to stand up and maintain this critical governing function.

  1. People play an integral role in operational readiness and certification.

In addition to a formal testing team structure, CMS will now require states to have formal Organizational Change Management (OCM) plans. It wants to see evidence of arrangements for stakeholder management, user training, help desk information, and more to ensure teams are ready for production and operations. To demonstrate that staff members are equipped to operate a new system, states will need to provide documentation of training and other relevant OCM activities that have occurred and/or are planned for the future. In other words, states must put change management at the core of their project to support stakeholders along the change journey. Ultimately, this will help ensure seamless adoption of new ways of working, compliance with CMS guidelines, and importantly, improve programmatic outcomes.

  1. Data and reporting are necessities.

To adhere to the SMC process, states must have access to quality data and the reporting and analytics capabilities to generate frequent insights. They must be able to define state-specific metrics and map data to state-specific and CMS-required outcomes. CMS now expects to evaluate these metrics to determine if a state is achieving the identified outcomes required for certification. Even the states that have already certified their Medicaid Management Information Systems (MMIS) will need to begin submitting metrics to CMS to secure ongoing operational matching funds. Data and reporting capabilities will also be critical in enabling states to submit required monthly Transformed Medicaid Statistical Information System (T-MSIS) data. In these submissions, states must demonstrate that they’ve met Outcomes Based Assessment (OBA) data quality standards. They must also showcase that MES modules comply with all T-MSIS requirements. To be able to provide these metrics expected by CMS to receive certification, states must revisit and strengthen their data and analytics (D&A) capabilities.

  1. Certification is now a continuous process.

Under the new approach, states will need to continue providing evidence that they are complying with applicable regulations and are meeting programmatic outcomes after systems are certified and in operation. They will need to share operational monitoring reports that track and document system health with CMS. Even states that previously certified their MMIS/MES modules and/or implemented Eligibility and Enrollment Systems, including those not previously subject to certification, will need to start reporting on outcomes.

To be prepared, states should consider and plan carefully for metrics and processes related to the Medicaid Enterprise. Again, it will be critical to have robust D&A capabilities to provide ongoing metrics. This will be important as states prepare for and implement COVID-19 unwinding efforts, such as redetermining eligibility for Medicaid members after the Public Health Emergency (PHE) ends.

So, what’s next? CMS plans to release additional materials describing updated software development best practices, which states will incorporate into their future MES development efforts. In the meantime, check out the full SMDL to learn about other noteworthy changes we weren’t able to cover here, including:

  • The number of required artifacts in Appendix C was reduced from 29 to 7.
  • CMS eliminated quarterly IV&V reports.
  • CMS will accept alternative formats for the Medicaid Information Technology Architecture (MITA) State Self-Assessment (SS-A) if states prefer.