Conditions for Enhanced Funding (CEF)

Overview

As a condition of receiving enhanced federal financial participation (FFP) for state expenditures on Medicaid Enterprise Systems (MES), states must attest that the system complies with all of the applicable 22 conditions for enhanced funding (CEF) as provided in 42 C.F.R. 433.112 and that the system remains compliant with federal Medicaid requirements for enhanced funding once it is in operation as provided in 42 C.F.R. 433.116.

Conditions for Enhanced Funding

The information in the following table contains the CEF described in 42 C.F.R. 433.112 that are applicable for all MES modules.

This table, combined with the applicable business area outcomes, are a starting point for aligning the state’s goals for a project with applicable CMS-required outcomes.

Click here to download the Conditions for Enhanced Funding in a CSV file

Ref #	Condition	Example Evidence
1	CMS determines the system is likely to provide more efficient, economical, and effective administration of the State plan.	Documented in the CMS approved APD, including, but not limited to, the Analysis of Alternatives (AoA), State Self-Assessment (SS-A), or Cost Benefit Analysis (CBA), CMS-required and/or state-specific outcomes.
2	The system meets the system requirements, standards and conditions, and performance standards in Part 11 of the State Medicaid Manual, as periodically amended.	Refer to the applicable business area modular implementation streamlined business outcomes and metrics. Can be a state self-attestation.
3	The system is compatible with the claims processing and information retrieval systems used in the administration of Medicare for prompt eligibility verification and for processing claims for persons eligible for both programs.	Provide evidence of processing dual-eligible beneficiaries. Provide evidence of claims or eligibility and enrollment data loaded in the system being certified. Can be N/A depending on the MES module, if the module does not interface with the Claims or Eligibility and Enrollment module. Can be a state self-attestation.
4	The system supports the data requirements of quality improvement organizations established under Part B of title XI of the Act.	Provide evidence on how the MES module interfaces with the quality improvement organizations (QIO). Can be N/A depending on the MES module.
5	The State owns any software that is designed, developed, installed or improved with 90 percent FFP.	Documented in the contractual language between the SMA and vendor. If SaaS, then the language would focus on owning data vs software. Applicable procurement related documentation. Documented in the CMS approved APD which includes the state attestation and/or supplemental material.
6	The Department has a royalty-free, non-exclusive, and irrevocable license to reproduce, publish, or otherwise use and authorize others to use, for Federal Government purposes, software, modifications to software, and documentation that is designed, developed, installed or enhanced with 90 percent FFP.	Documented in the contractual language between the SMA and the vendor. Documented in the CMS approved APD which includes the state attestation and/or supplemental material.
7	The costs of the system are determined in accordance with 45 C.F.R 75, subpart E.	Documented in the contractual language between the SMA and vendor. Documented in the CMS approved APD which includes the state attestation and/or supplemental material.
8	The Medicaid agency agrees in writing to use the system for the period of time specified in the advance planning document (approved by CMS) or for any shorter period of time that CMS determines justifies the Federal funds invested.	Documented minimum timeframe of use in the CMS approved APD. Can be a state self-attestation.
9	The agency agrees in writing that the information in the system will be safeguarded in accordance with 42 C.F.R. 431 subpart F of this subchapter.	Required: Most recent independent third-party security and privacy controls assessment report performed at a minimum of every two years per 45 C.F.R. 95.621(f)(3). Most recent independent third-party penetration test, performed at a minimum of every two years per 45 C.F.R. 95.621(f)(3). Most recent Vulnerability Scans, recommend running monthly. Plan of Action and Milestones (see Reference section below). Or: Affordable Care Act (ACA) Authority to Connect (ATC) to CMS Hub. Optional: Most recent Security Incident Breach Notification. HIPAA Business Associate Agreement (BAA). HIPAA sanction rules.
10	Use a modular, flexible approach to systems development, including the use of open interfaces and exposed application programming interfaces; the separation of business rules from core programming, available in both human and machine readable formats.	Conceptual data model that depicts high-level data and relationships with other state Medicaid systems/modules. Enterprise system diagrams to show how the open architecture is integrated in the overall solution (e.g. system architecture design showing adoption of an open Application Programming Interface (API) based architecture, automated arrangement, coordination, and management of the system). Screenshot of the business rules engine control panel.
11	Align to, and advance increasingly, in maturity for business, architecture, and data.	Documented in the CMS approved APD which includes the state attestation and/or supplemental material. Can be the SS-A or a state self-attestation.
12	The agency ensures alignment with, and incorporation of, industry standards adopted by the Office of the National Coordinator for Health IT in accordance with 45 C.F.R. part 170, subpart B: The HIPAA privacy, security and transaction standards; accessibility standards established under section 508 of the Rehabilitation Act, or standards that provide greater accessibility for individuals with disabilities, and compliance with Federal civil rights laws; standards adopted by the Secretary under section 1104 of the Affordable Care Act; and standards and protocols adopted by the Secretary under section 1561 of the Affordable Care Act.	Required: Most recent independent third-party security and privacy controls assessment report performed at a minimum of every two years per 45 C.F.R. 95.621(f)(3). Most recent independent third-party penetration test, performed at a minimum of every two years per 45 C.F.R. 95.621(f)(3). Most recent Vulnerability Scans, recommend running monthly. Plan of Action and Milestones (see Reference section below). 508 test report or equivalent.
13	Promote sharing, leverage, and reuse of Medicaid technologies and systems within and among States.	Describe and document how the SMA leverages reuse opportunities. Documented in the CMS approved APD which includes the state attestation and/or supplemental material, AoA, or SS-A.
14	Support accurate and timely processing and adjudications/eligibility determinations and effective communications with providers, beneficiaries, and the public.	Refer to applicable business outcomes and metrics related to the following but not limited to, Claims, Pharmacy, Eligibility and Enrollment modules. Can be N/A depending on the MES module.
15	Produce transaction data, reports, and performance information that would contribute to program evaluation, continuous improvement in business operations, and transparency and accountability.	Confirmation of T-MSIS Outcome Based Assessment (OBA) reporting compliance. Confirmation of following T-MSIS Standard Operating Procedure (SOP). Metrics data reported in the Operational Report Workbook. Applicable service level agreement and/or key performance indicator showing the system can record and monitor the performance and utilization of resources.  Payment Error Rate Measurement (PERM) report and/or enrollment data performance indicator report as applicable.
16	The system supports seamless coordination and integration with the Marketplace, the Federal Data Services Hub, and allows interoperability with health information exchanges, public health agencies, human services programs, and community organizations providing outreach and enrollment assistance services as applicable.	Refer to applicable business outcomes and metrics related to the following but not limited to, Eligibility and Enrollment, and Health Information Exchange modules. Can be N/A depending on the MES module.
17	For E&E systems, the State must have delivered acceptable MAGI-based system functionality, demonstrated by performance testing and results based on critical success factors, with limited mitigations and workarounds.	Refer to applicable business outcomes and metrics related to the Eligibility and Enrollment module. Can be N/A depending on the MES module.
18	The State must submit plans that contain strategies for reducing the operational consequences of failure to meet applicable requirements for all major milestones and functionality. This should include, but not be limited to, the Disaster Recovery Plan and related Disaster Recovery Test results.	Provide module specific DRP and DR test results, which are coordinated with the other related SMA DRP. Plan of Action and Milestones with any deficiencies found during the IT system level DR test.
19	The agency, in writing through the APD, must identify key state personnel by name, type and time commitment assigned to each project.	Documented in the contractual language between SMA and vendor. Documented in the CMS approved APD which includes the state attestation and/or supplemental material.
20	Systems and modules developed, installed or improved with 90 percent match must include documentation of components and procedures such that the systems could be operated by a variety of contractors or other users.	Provide MES module-specific transition plan or relevant knowledgebase (training) documentation, and most current Concept of Operations (ConOps) documentation.
21	For software systems and modules developed, installed or improved with 90 percent match, the State must consider strategies to minimize the costs and difficulty of operating the software on alternate hardware or operating systems.	Documented in the contractual language between SMA and vendor. Documented in the CMS approved APD which includes the state attestation and/or supplemental material, and the AoA.
22	Other conditions for compliance with existing statutory and regulatory requirements, issued through formal guidance procedures, determined by the Secretary to be necessary to update and ensure proper implementation of those existing requirements.	Other reporting metrics such as CMS-37 and CMS-64 quarterly estimates and expenditure reports, as applicable. Confirmation of T-MSIS Outcome Based Assessment (OBA) reporting compliance. Can be a state self-attestation, including, but not limited to, attesting that the system captures and stores relevant information necessary to support Medicaid Fraud Control Unit (MFCU) investigations.

Click here for CEF Tips and Best Practices

Additional Resources

SMC SMDL Guidance Document
MES Testing Guidance Framework
Operational Report Workbook
Transformed Medicaid Statistical Information System (T-MSIS)
Section 508 Guidance
Accessibility Guidance
Incident Response
Address Gaps in Cybersecurity: HHS OCR releases crosswalk between HIPAA Security Rule and NIST Cybersecurity Framework and NIST SP 800-53 controls
Risk assessment determination and scale as defined in NIST SP 800-30 Revision 1, see Appendix G (Likelihood of Occurrence), H (Impact), and I (Risk Determination)
PERM
Enrollment data performance indicator report

References

42 C.F.R. § 433.112
42 C.F.R. § 433.116
45 C.F.R. §164.308
45 C.F.R. § 95.621
Medicaid.gov SMC Site
State Medicaid Director Letter #22-001
State Medicaid Director Letter #06-022
State Medicaid Manual
Business Associates
Voluntary Product Accessibility Template (VPAT), see the latest WCAG version
State Self-Assessment (SS-A)
Example Risk Acceptance Form (see Attachment D)
Example Concept of Operations template
FedRAMP POA&M template
ACA AE templates are posted in CMS zONE which requires additional access. Please ask your state’s ACA E&E ISSO for these templates.