Using CMS Box in the Certification and Ongoing Operational Reporting Processes

In accordance with 42 C.F.R. §§ 433.112(b)(15) and 433.116(b), (c), and (i) and to support the work of Streamlined Modular Certification (SMC) framework, the Centers for Medicare and Medicaid Services (CMS) uses Box to easily upload files for certification and ongoing operational reporting, including secure file exchange and storage of Protected Health Information (PHI) and Personally Identifiable Information (PII) files. The Box Cloud Content Management Platform has achieved numerous U.S. Government certifications for privacy and security regulatory and compliance, including, but not limited to, FedRAMP Moderate, DoD SRG IL4, NIST SP 800-171, AICPA SOC 2/SOC 3/AT 101 Type II, IRS Publication 1075, and HIPAA.

Certification Box Configuration

Your CMS State Officer will establish a single Box folder for each individual module or system undergoing certification contained in the state’s root folder. You should see your applicable state folder with “ – Certifications” at the end. All unredacted certification related files should be uploaded to the applicable Operational Readiness Review (ORR) and Certification Review (CR) folders. Refer to Example 1 and the Module Abbreviation table below. Sub-folders for each module certification will be created as follows:

State Abbreviation and Module Abbreviation

ORR

• Evidence* – should contain the Intake Form and two subfolders:
  • Conditions for Enhanced Funding (CEF) – should contain the evidence listed in the Intake Form for applicable CEFs. There is no need for additional sub-folders.
  • Outcomes – should contain the evidence listed in the Intake Form for applicable CMS-required and state-specific outcomes. If needed, include additional sub-folders by outcome.
• Metrics – should contain the definitions of the metrics for ORR. CMS highly encourages states to use the Operational Report Workbook.
• Presentation – should contain the presentation for the day of the review and any other meeting documentation.
• Required Artifacts – should contain the applicable Required Artifacts listed in Appendix C of the Streamlined Modular Certification for Medicaid Enterprise Systems Certification Guidance. This will also contain any files applicable to the entry criteria.

CR

• Evidence* – should contain the Intake Form and two subfolders:
  • CEF – should contain the evidence listed in the Intake Form for applicable Conditions for Enhanced Funding. There is no need for additional sub-folders.
  • Outcomes – should contain the evidence listed in the Intake Form for applicable CMS-required and state-specific outcomes. If needed, include additional sub-folders by the outcome.
• Metrics – should contain the monthly metrics data reports required for CR. CMS highly encourages states to use the Operational Report Workbook Template. Note: once the state is certified, they will need to load the final metrics to the applicable metric folder on CMS Box.
• Day of CR Presentation – should contain the presentation for the day of the review and any other meeting documentation.
• Required Artifacts – should contain the applicable Required Artifacts listed in Appendix C of the Streamlined Modular Certification for Medicaid Enterprise Systems Certification Guidance. This will also contain any files applicable to the entry criteria.

Project Status Reports

• Should contain all applicable status reports for the entire project.

*Evidence filenames should include the SMC outcome reference number at the beginning, for example, CEF1 or TPL2.

Operational Reporting Box Configuration

Box folders are already established for each state’s ongoing operational reports. Refer to Example 2 below. States must submit operational reports to CMS containing metrics in support of a state’s annual Operational Advanced Planning Document (OAPD) request for an MES module or solution. CMS may determine states must report some metrics more frequently. CMS highly encourages states to use the Operational Report Workbook template.

• Every state has a folder with the state’s abbreviation, followed by “– Metrics”.
• The state should upload all metric-related files in “1. State Submission” folder, and not in an “Archived” folder.
• If the state is going through certification, it can upload all metric data captured since go-live once certification is complete.

Note: Data submissions that have formatting errors or are missing information need to be corrected by the state before they can be processed.

Benefits of Using Box

Benefits of using Box include:

• One Platform for your Content. CMS and state partners can find, organize, edit, share, and centralize their content on an all-inclusive storage platform. Since its integration into the SMC process, many states have easily uploaded files to CMS Box while maintaining surrounding data, like permissions, metadata, and version history.
• Collaboration. CMS and state partners can efficiently collaborate, increasing transparency and partnership with CMS. CMS can leverage the information submitted by states to improve their experience with Medicaid.
  • Standardization of state evidence submission supports collaboration and removes ambiguity in reporting requirements with a clearly defined evidence folder organization structure.
  • Only users who have been granted access to a folder by your CMS State Officer will have access to the information uploaded to that folder. Additionally, only the CMS Certification Team assigned to a given review and supporting CMS and MITRE leadership will be granted access to a state’s review documentation.
• Privacy and Security. Box includes secure file sharing, permission controls, and built-in security and compliance – reducing the number of tools needed to protect your data. Many state Medicaid agencies have securely uploaded private metric data files to Box with confidence.
• HHS Records Management. Box abides by the Department of Health and Human Services (HHS) records management policies outlined in 44 U.S.C. § 2901(2), thereby enabling CMS to adhere to federal records retention regulations without needing to access state repositories.

If you have any questions about using Box, please reach out to your CMS State Officer.

Learn More About Using Box

To learn more about using the Box platform, see the video tutorials for Demos and Use Cases for Box.

Frequently Asked Questions

Question: Who should I contact to create my state’s Box folder for an upcoming certification?

Answer: Please contact your CMS State Officer to initially set up your folder in Box and add collaborators. A leader from your state team will then be given Viewer Uploader privileges.

Question: Can we use our document repository for a certification, instead of Box?

Answer: If a state would prefer to use its document repository, the CMS State Officer is responsible for copying state documentation to the relevant Box folder. If a state encounters difficulty using the Box repository, please reach out to your CMS State Officer to discuss.

Question: How should I populate the Intake Form evidence columns with evidence files saved in Box?

Answer: The state may either include the exact filename (if a single document) or file folder of the outcome evidence as it appears in CMS Box when populating the Intake Form evidence columns.

Question: Is there a file size limit for file uploads?

Answer: There is a 150 GB size limit on uploads. In the situation where your file is above the file size limit, we recommend you create a ZIP file. A ZIP is a common file format that’s used to compress one or more files together into a single location. This reduces file size and makes it easier to transport or store.

Question: Is there a preferred naming convention for file and folder names?

Answer: The most important practice to follow when naming files is to be consistent with your filename conventions for each module certification. Consider including the following elements in your filename:

• State abbreviation (using the USPS code)
• Module (refer to the Module Abbreviation table below)
• Outcome number
• Document title or description as appropriate, (e.g., “VPAT”)
• Additional fields such as a vendor or system name may be added for clarification when needed. For example:
  • “AK_PBM_CEF1” for Alaska PBM CEF outcome 1
  • “DE _EE12” for Delaware E&E CMS-required outcome EE12

Question: How should I differentiate the file name of a newer version of a file to avoid duplications or confusion?

Answer: You may differentiate the file name of a new version of a file by including at the end of the filename either the upload date of the file (example 1) or file version (example 2).

• Example 1: “AK_PBM_CEF1_06032023”
• Example 2: “AK_PBM_CEF1_v2”

Question: Where do I upload post-CR and/or ongoing operational reports for my state?

Answer: It is important to note that ongoing operational reports are uploaded to a different folder on Box than where ORR or CR data files are saved. Once in the state “- Metrics” folder, navigate to the subfolder “1. State Submission” and upload any operational reports and applicable material. Please review the sequential screenshots that provide the mapping in Example 2 above.

The file path is noted here: (Your State Abbreviation) > Metrics > 1. State Submission

Question: What module abbreviations should I use?

Answer: Please use the module abbreviations referenced in Appendix B of the Medicaid Enterprise Systems (MES) Data Submissions and Intake Process Procedures Manual, copied in the table below.

Module Abbreviations

Adapted from Appendix B of the Medicaid Enterprise Systems (MES) Data Submissions and Intake Process Procedures Manual.