90/10 funding made permanent: CMS updating Medicaid procurement standards

In October 2014, the Centers for Medicare & Medicaid Services (CMS) announced that 90/10 enhanced federal funding would be permanently available for states making upgrades to their Medicaid eligibility and enrollment systems. This funding encourages states to retire defunct Medicaid systems, modify existing eligibility and enrollment (E&E) systems, and integrate Medicaid systems with other human services systems.

On April 14, 2015, CMS issued a notice of proposed rulemaking (NPRM) to codify the 90/10 permanent extension and proposed changes to the Medicaid Management Information System (MMIS) standards and conditions, including a new modular certification process for MMIS. The agency is also soliciting feedback on how to encourage the sharing of Medicaid software and reduce duplicative costs. Public comments are due June 15, 2015.

Key takeaways

1) CMS getting more involved in Medicaid procurement process - CMS is proposing a new contract review process and will help states develop acquisition roadmaps for future procurement. States will look for solutions that already comply with the Seven Standards and Conditions issued by CMS.

2) CMS proposing modular approach to certification - CMS recognizes that most monolithic contracts go over budget and over schedule when states get locked into one vendor, such as those in Maryland, Montana, Nebraska and North Carolina. The agency is offering to certify MMIS systems on a modular basis. We can see many states are already following this approach, such as Texas, Louisiana, Mississippi, and South Carolina.

3) Preference for shared software and COTS solutions - CMS is trying to encourage states to adopt commercial-off-the-shelf (COTS) solutions to save money and reduce duplicative implementation efforts. The NPRM proposes a 90 percent matching rate for COTS software, and vendors including HP, Molina, EngagePoint and Accenture are increasingly offering COTS solutions that are flexible and adaptable for states. 

Analyst’s Take

While making 90/10 funding permanent, CMS is also using this opportunity to update certification procedures to keep pace with the MMIS modular procurement strategy most states are adopting. In 2015, Deltek is expecting MMIS rebids in Florida, Louisiana, Mississippi, Missouri, South Carolina, Texas and Virginia. Vendors will have a leg up on the competition if their solutions are in line with CMS standards for COTS products and align with the desire to use modular components and incremental delivery strategies. These approaches offer greater benefits by reducing risks and lowering the costs of complete replacements. Still, as strategy moves away from single fiscal agent contracts and big-bang implementations, states face challenges managing multiple procurements and relationships with several vendors. For more information on Medicaid procurements across the country, please see the GovWin MMIS Vertical Page.


Deltek Pulse: Health and human services month in review, January 2015

Deltek saw the release of 1,340 solicitations from the health care and human services vertical in January – a 13 percent increase from December.

Notable RFP releases in January include:

  • The commonwealth of Kentucky Cabinet for Health and Family Services (CHFS), Department for Medicaid Services (DMS), has a requirement for a vendor to provide a configurable Software-as-a-Service (SaaS) solution for the Kentucky MEMS claims processing and fiscal agent (FA) services, as well as a custom-built encounter processing solution and a decision-support system/data warehouse (DSS/DW) solution. Proposals are due April 6.
  • The Arkansas Department of Human Services released an RFP for information systems support. The incumbent contract with Northrop Grumman expires on June 30, 2015, and the department is seeking maintenance, support and modifications of its various mainframe and client-server computer applications, as well as maintenance, support and development of new Web-based applications. Proposals are due on April 21.
  • The Mississippi Division of Medicaid has a requirement for independent verification and validation (IV&V) services for the eligibility modernization project to replace current legacy systems – the Medicaid eligibility determination system (MEDS) and Medicaid eligibility determination system expansion (MEDSX). Proposals are due February 27.
  • The Texas HHSC Office of Social Services (OSS) Division would like to procure services to implement HHSC-established business process redesign (BPR) principles and procedures currently operating in a select number of HHSC pilot offices to all remaining offices, statewide. Proposals are due February 23. 

You can learn more about current procurement opportunities in the GovWin IQ State and Local Opportunities database. Not a Deltek subscriber? Click here to learn more about Deltek's GovWin IQ service and gain access to a free trial.


Medicaid eligibility and enrollment systems: Which states still need to modernize?

Modernized and fully integrated Medicaid eligibility systems have proven to be a catalyst for successful enrollment in state and federally facilitated health insurance exchanges. Kentucky, New York, and Washington state have stood out for their top-performing exchanges and high enrollment numbers. All three states rely on integrated Medicaid eligibility systems that facilitate the consumer application process, eligibility determination, and enrollment in Medicaid/CHIP or private health insurance plans.

On the other hand, states with outdated and isolated technologies struggled to enroll new customers, which led to significant Medicaid backlogs, most notably in California, New Jersey, and Tennessee. Now that the feds have finalized 90/10 funding and extended the OMB A-87 cost allocation exception, more states will invest in upgrading their Medicaid eligibility systems and building integrated eligibility systems that incorporate human services programs, including Supplemental Nutrition Assistance Programs (SNAP) and Temporary Assistance for Needy Families (TANF). This analyst perspective will help vendors identify which states have already completed upgrades, which states are currently modernizing, what contracts may be rebid, and where to find potential business opportunities.

Current Landscape

While states have been working to integrate and modernize eligibility systems for more than a decade now, the vast majority of states took steps in recent years to upgrade their Medicaid eligibility systems in preparation for ACA enrollment. In fact, 19 states have issued contracts for upgrades to Medicaid eligibility and enrollment systems since 2012. Some states combined contracts for health insurance exchanges with eligibility upgrades (HIX/IES), including Connecticut, Maryland, Oregon, Rhode Island and Washington, D.C. Other states are still in the early planning stages for eligibility system modernization efforts, and a few states have indicated their intent to release a solicitation in the coming year. Below is a preview of a few of these upcoming opportunities.

Upcoming Solicitations

Louisiana – The Louisiana Department of Health and Hospitals anticipates releasing a Medicaid Eligibility Determination System (MEDS) request for proposals (RFP) this month. The department is designing new enterprise architecture to modernize the state’s Medicaid technologies. The previous contract with Deloitte was worth approximately $29 million (Opportunity ID 99187).

Massachusetts – The Massachusetts Executive Office of Health and Human Services plans to move forward with Phase II of the state health insurance exchange and integrated eligibility system (HIX/IES). The state expects to complete planning by the end of June 2015, and an RFP could be released sometime this fall, at the earliest. A $66 million contract with CGI was terminated in March 2014, and Optum and hCentive have worked to rebuild the system (Opportunity ID 89076).

New York – The New York Office of General Services is seeking a systems integrator for its integrated eligibility system to replace the statewide welfare management system (WMS) – a legacy system first implemented in 1977. An RFP was issued in May 2014 for a business advisory services contractor that will work during the first phase of the IES project; the systems integrator will conduct phase two. Deltek anticipates this legacy system modernization could approach $100 million (Opportunity ID 49905).

Possible Rebids

Tennessee – The Tennessee Department of Finance and Administration may have a requirement for the development and/or maintenance of the TennCare Eligibility Determination System (TEDS). The current contract with Northrop Grumman is behind schedule and the system remains unfinished, which has created months-long delays for Tennesseans who want to apply for Medicaid. Subsequently, three advocacy groups have filed a lawsuit against TennCare. The incumbent contract is valued at $35.7 million (Opportunity ID 117922).

New Jersey – The $83.5 million contract with Hewlett-Packard for maintenance of the Consolidated Assistance Support System (CASS) has been terminated, and a spokeswoman for the New Jersey Department of Human Services said the state and the vendor are still in talks regarding the contract termination (Opportunity ID 105816).

Early Planning Stages

California – The 2014-2015 Governor's Budget Highlights for the Department of Health Care Services requested expenditure authority for a multi-year IT project to modernize the Medi-Cal Eligibility Data System (MEDS). In 2012, a contract was awarded to PCG for IT project planning consulting services, including a feasibility study and advanced planning document (APD) for the MEDS Modernization Project. An RFP for the Medi-Cal Program integrity data analytics is currently in development (Opportunity ID 69871).

South Dakota – The state issued an invitation to discuss and demonstrate (IDD) to review and research existing medical assistance eligibility systems that comply with the Affordable Care Act (ACA) and preferably have existing or planned capability to support other programs such as SNAP, TANF, Child Care, Low Income Energy Assistance (LIEAP), and Child Support. The Department of Social Services is now planning an RFP for an integrated eligibility system (Opportunity ID 83922).

Washington – In 2013, the Washington State Legislature passed Senate Bill 5034, directing a study of the state’s medical and public assistance eligibility systems and infrastructure with the goal of simplifying procedures and reducing state expenditures. PCG was awarded the contract to conduct the Medical and Public Assistance Eligibility Study, which was published in September 2014. The state may continue to make efforts to modernize the medical and public assistance eligibility systems (Opp ID 104365).

Analyst’s Take

Now that 90/10 funding has been made permanent and the A-87 waiver is extended until December 2018, states will continue to make upgrades to eligibility systems, which could yield significant business opportunities for vendors. Deloitte is the dominant vendor in this space, currently holding contracts in more than 15 states. Other vendors holding contracts in multiple states include Accenture, IBM, Northrop Grumman, KPMG, HP, and Maximus. Contract values for eligibility modernization projects vary significantly based on the size of the state and scope of the project. Contracts for Medicaid eligibility modernization average between $20-50 million, while IES projects that include major system overhauls can exceed $100 million.

Many states that have recently integrated health insurance program eligibility systems may now look to incorporate human services programs, starting the next wave of procurement activity. As Deltek continues to track upcoming eligibility projects, we encourage vendors to keep an eye on the above mentioned projects and expect to see more eligibility-related opportunities thanks to this funding extension.


Updated Federal Health IT Strategic Plan Focuses on Interoperability

The Office of the National Coordinator for Health Information Technology (ONC) within HHS this week released its new strategic plan detailing efforts to promote interoperability of health records and systems.

The new plan recognizes the strides made in the area of electronic health records adoption by US providers and takes these efforts a step further to facilitate the sharing of health data.  Over 400,000 hospitals and professionals now participate in Medicare and Medicaid EHR incentive programs, generating a strong demand for information sharing.

ONC lays out the following five goals to advance accessibility of health information and make it available when and where it is needed to improve and protect people’s health and well-being:  

  • Expand adoption of Health IT 
  • Advance secure and interoperable health information
  • Strengthen health care delivery 
  • Advance the health and well-being of individuals and communities  
  • Advance research, scientific knowledge, and innovation

Each goal is supported by two to three specific objectives with three- and six-year expected outcomes, along with strategies for achieving each objective. Additionally, the goals and objectives of the federal health IT plan will be implemented and supported by 37 federal departments and agencies. The plan coordinates these agencies in order to advance the collection, sharing, and use of electronic health information to improve health care, individual and community health, and research.

ONC is also in the process of developing a Nationwide Interoperability Roadmap to drive the goals of the strategic plan.   

The strategic plan promotes health IT adoption and information sharing among the commercial market as well as government entities.  Implementation of the plan will involve establishing standards and frameworks for information exchange.  One way for contractors to influence these standards is to participate on committees, boards, and other organizations to influence their development.  Private and public health organizations may need contractor assistance in adopting and incorporating resulting information exchange architectures, standards, and frameworks. 

Public comments will be accepted on the plan until 5 pm on February 6, 2015. 


Sharing and Securing Veterans Health Data

According to VA’s CIO Steph Warren, for the VA, information security is all about people, process and paper.   Securing VA health information involves risk balance. 

Warren’s remarks were aimed at a ballroom full of Health IT professionals last Tuesday at AFCEA Bethesda’s Annual Health IT Day. 

According to statistics from an October information security activity report released by Warren, VA blocked over 12 million intrusion attempts, contained or blocked over 200 million occurrences of malware, and blocked over 70 million suspicious/malicious e-mails.  No veterans were affected by these threats or attempts.  However, the same report shows 52 lost or stolen devices, 131 lost PIV cards, 135 mishandled incidents and 155 mis-mailed incidents affecting 765 veterans in the same time period.

One of VA’s biggest security problems is paper.  Once the information is printed, it becomes harder to secure.  The document can be inadvertently left somewhere, misplaced, or lost. 

VA is addressing security vulnerabilities with the following initiatives:  

  • Defense in Depth  
  • Continuous Monitoring  
  • Einstein 2 and 3A  
  • 100% Device Encryption  
  • Secure Access through Mobile (Citrix)

VA is also responsible for securing 600,000 medical devices, which carry unique risk balance challenges due to complexity and to HIPAA and FDA regulations.

Sharing data is also a high priority for VA, not only with DoD, but also with outside third party providers.  For example, Walgreens is sharing data with the VA.  If a veteran gets a flu shot at a Walgreens, it is added to his/her electronic health record in VistA. 

Below are FY 2014 milestones achieved to increase interoperability with DoD:  

  • Joint Legacy Viewer (JLV) 
  • Health Management Platform (HMP) 
  • VistA Standardization  
  • Immunization  
  • Application Programming Interface (API)

Planned milestones for further interoperability:  

  • Ongoing integration of DoD and external provider data  
  • New ONC certified EHR platform   
  • Deployment of view-only eHMP  
  • Clinical improvements for patient safety decision support, communication and population health  
  • Begin VistA scheduling deployment

DoD and VA are currently sharing data, but it’s not integrated.  Right now, DoD data is in a separate tab.  They are working to blend the data into a single view and add read/write capability.  Janus (Joint Legacy Viewer) is the current viewer.   eHMP is the replacement for Janus.

VA’s priorities for FY 2015 include driving down the claims backlog with the Veterans Benefits Management System (VBMS), VistA Evolution, OneVA by providing one website with single login credentials, and infrastructure.  These priorities will be dependent on VA’s appropriated IT budget. 



Deltek Pulse: Health and human services month in review, November 2014

In November, Deltek saw the release of 1,253 solicitations from the health and human services vertical – a 10 percent decrease from October.

Notable RFP releases in November include:

Notable awards made in November include:

You can learn more about current procurement opportunities in the GovWin IQ State and Local Opportunities database. Not a Deltek subscriber? Click here to learn more about Deltek's GovWin IQ service and gain access to a free trial.


Collaboration Needed to Improve Health IT Security

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and the Department of Commerce’s National Institute of Standards and Technology (NIST) hosted the seventh annual conference on Safeguarding Health Information on September 23 and 24, 2014. Exploring information assurance through the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the event covered topics including breach management, technical assurance of electronic health records, and integrating security into health IT.

The keynote address that kicked off the event was delivered by Darren Dworkin, the chief information officer and senior vice president of enterprise information systems for Cedars-Sinai Health System. Dworkin described major security events that have shaped security architecture. For example, 2003’s Blaster RPC Worm led to better security patch management as well as improvements to antivirus deployment. More recently, Heartbleed resulted in enhancements to security scanning and inventory. Dworkin noted that hackers have not been the only threat. In fact, 35% of patient data breaches in 2013 were due to loss or theft of unencrypted laptops or other devices. The recent explosion of medical devices and mobile computing is further changing the landscape for health IT security. As new technologies change how data is accessed and shared, protecting health information becomes increasingly challenging.

Other speakers at the event stressed hurdles around risk assessments and promoting end-user awareness. One speaker from the HHS observed that it’s impossible to achieve effective risk management if organizations don’t know what their risks are. Another presentation (from industry) emphasized the importance of encrypting data at rest, in transit, or in process. One major takeaway from the event was the need for health care organizations to perform comprehensive security risk assessments. There’s no such thing as eliminating vulnerability or being “risk proof.” The key is managing risks, but first organizations need to know what those risks are. 

While speakers described a broad range of challenges and setbacks related to safeguarding healthcare information, the burden of progress must be shared by the whole community. As the Food and Drug Administration’s Suzanne Schwartz put it, "No one organization, no single government agency, no sole stakeholder, manufacturer, healthcare facility, provider, information security firm is going to be able to address and solve these issues on their own." Schwartz’s comments echo a recent blog entry from the White House Cybersecurity Coordinator, which stressed the need for collaboration between government and industry to strengthen the nation’s information security posture.

Vendors will find a number of opportunities to engage with government in the discussion around cybersecurity improvements. For example, NIST is accepting comments on its Framework for Improving Critical Infrastructure Cybersecurity until October 10, 2014. Later in October, the Food and Drug Administration will be holding a public workshop on adapting medical device cybersecurity. These discussions will help lay groundwork for partnerships, identify best practices, and may help shape requirements for future guidance.


Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin. 


Mobility a must for state social services programs

Over the last 2-3 years, state governments have seen an increase in mobile traffic to health and human services websites. A recent Government Technology article highlighted this trend, noting that half of all traffic to Georgia’s child support website in 2012 came from mobile phones. Similarly, one in three visits to the New Jersey child support website in 2013 came from a mobile device. In response, many state IT departments are adopting “mobile first” strategies to ensure that information and benefits are easily accessible via mobile technologies, which are oftentimes the sole source of Internet access for many state residents.

Several states have pioneered smartphone apps for social services programs, which participants can download to quickly get information about their benefits or to access additional resources. New Jersey and California have developed child support phone apps to help recipients manage child support accounts on the go. Georgia has developed Quickwic, an app for WIC participants who want instant access to their benefits and information about eligible purchases. The Connecticut Health Insurance Marketplace, Access Health CT, developed a smartphone app that makes it easier for residents to browse healthcare plans and submit applications, even allowing residents to take photos of their verification documents and upload them to their account.

Deltek predicts an increase in user-friendly, mobile-enabled Web applications that make it easier for both caseworkers and constituents to access the information and resources they need. Vendors who emphasize mobile-first strategies or the importance of mobile-friendly software applications will stand out to state governments looking for innovative health and social services solutions. Pennsylvania announced that it is considering a mobile app for WIC payments, and many other states are looking for ways to make their health and social services programs more mobile friendly. To learn more about upcoming health and human services IT business opportunities, be sure to visit the State & Local Vertical Profiles for Health Care and Social Services. Not a Deltek subscriber? Click here to learn more about Deltek's GovWin IQ service and gain access to a free trial.



HHS OIG Hackers Test Health Insurance Exchange Websites

HHS Office of Inspector General (OIG) auditors conducted audits of, the Kentucky Health Benefit Exchange, and the New Mexico Health Insurance Exchange during February through June 2014, to include vulnerability scans and simulated attacks.

Auditors praised each marketplace for aspects of their security controls, policies, procedures and testing, while making recommendations for improvements in areas where they spotted vulnerabilities.

Findings and recommendations for each marketplace are specified below:

CMS has taken actions in the last year to lower the security risks associated with systems and consumer Personal Identifying Information (PII), including:

  • Establishing a dedicated security team under the CIO to monitor and track corrective action plans for vulnerabilities and ensure they are completed 
  • Performing weekly vulnerability scans 
  • Completing two security control assessments

Suggested areas for improvement are as follows: 

  • Implement a process to use automated tools to test database security configuration settings on all databases 
  • Implement an effective enterprise scanning tool to test for web site vulnerabilities 
  • Maintain adequate documentation to verify that database property files containing user credentials have been closed by encrypting the file 
  • Detect and defend against web site vulnerability scanning and simulated cyber attacks directed at the web site 
  • Finish corrective action already underway to remedy a critical vulnerability. The publicly available OIG summary did not convey specifics of this vulnerability. However, CMS stated that its scheduled completion date for corrective action was June 30, 2014.

Kentucky Health Benefit Exchange (KHBE)

According to the HHS OIG, the KHBE had sufficiently protected PII in accordance with federal requirements. Using encryption, Kentucky properly secured individuals’ PII upon system entry, as well as during storage and transmission. However, the OIG identified the following opportunities for improvement in database access and security control:

  • Sufficiently restrict user and group access to authorized roles and functions 
  • Address federal requirements for system security planning, risk assessment, penetration testing and flaw remediation, POA&M, and incident response capability 

The above deficiencies were mainly due to the fact that Kentucky was transitioning its information technology responsibilities among agencies and had not sufficiently established coordination between them, to date.

New Mexico Health Insurance Exchange (NMHIX)

The HHS OIG found that the NMHIX had implemented security controls, policies, and procedures to prevent vulnerabilities in its website, database, and supporting information systems. However, NMHIX’s IT policies and procedures did not always conform to federal IT requirements and NIST recommendations.

Specifically, the audit identified the following vulnerabilities: 

  • One data encryption vulnerability 
  • Two remote access vulnerabilities 
  • One patch management vulnerability 
  • One Universal Serial Bus port and device vulnerability 
  • 64 web application vulnerabilities, two of which were listed as critical 
  • 74 database vulnerabilities, one of which was listed as high

In written responses to the HHS OIG, all of the exchanges concurred with most of the findings and recommendations and furnished plans regarding how they planned to address vulnerabilities cited.



HHS Inspector General Reports on Spending

In the wake of the troubled launch of the Federal Marketplace for health insurance, the Office of Inspector General (OIG) for Health and Human Services (HHS) is reviewing the planning, acquisition, management, and performance oversight of the contracts associated with the effort as well as aspects of Federal Marketplace Operations. The first in a series of reports on the findings of the review was released in August 2014.

On December 10, 2013, Kathleen Sebelius, Secretary of Health and Human Services from 2009 to 2014, issued a letter to the department's Inspector General. The letter requested review of several aspects of the contracting process including:

  • the acquisition process for the contracts that supported the October 1st launch,
  • contractor selection, contract administration, and project management of the development of,
  • contractor performance, supervision of the development contracts, and payments to contractors throughout the process, and
  • whether contract specifications were met.

Between January 2009 and January 2014, some sixty different contracts started work on the development and operations for the Federal Marketplace. One third of the contracts started before 2012. Just over one third of the contracts started during 2012. Most of the remaining contracts began in 2013, and a single contract started in 2014. These contracts covered a range of goods and services including health benefit data collection, consumer research, cloud computing, and website development.

OIG found that the development of the Federal Marketplace primarily leveraged two types of contracts: fixed-price and cost-reimbursement. In the former, the contractor assumes the risk of cost overruns. In the latter, the government carries the cost overrun risks (as far as prescribed in the contract). This is worth noting because combined obligations for the federal marketplace grew from $86 million in September 2011 to over $294 million in February 2014. This rise was related to cost increases, schedule delays, and lagging system functionality related to changing requirements. With contract values spanning from under $700,000 to over $200 million, the original value of these contracts totaled $1.7 billion. Through February 2014, one third of these contracts exceeded the estimated value of the awards. Over ten percent of those contracts surpassed the estimated value by more than 100 percent.

Not long before HHS OIG released its first report on the review, the Government Accountability Office (GAO) issued a study on that had been requested by Congress. GAO's study assessed selected contracts from the Centers for Medicare & Medicaid Services (CMS) for acquisition planning, oversight of cost and schedule, system capability changes, and actions regarding contractor performance. Among other things, GAO recommended that CMS take immediate actions to assess ballooning contract costs and that required oversight tools be used.

This first report from HHS's Inspector General offers an overview of the contracts such as basic financial information. HHS OIG reports from additional, ongoing reviews related to contract procurement and oversight are expected in 2014 and 2015. These reports will offer more detailed analysis, findings, and recommendations.


Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.

