Recently, the Centers for Medicare & Medicaid Services (“CMS”) announced a simplified, “outcomes-based” approach to certify Electronic Visit Verification (“EVV”) systems that states and provider organizations will be required to implement to document all Medicaid personal care and home health services.
In the past, CMS certified EVV systems using the Medicaid Enterprise Certification Toolkit, which has 146 certification evaluation criteria and includes project initiation milestone reviews. The new outcomes-based approach purports to streamline this process by reducing the certification evaluation criteria from 146 to 11 and eliminating the project milestone reviews altogether.
The new EVV certifications are centered around two business-related outcome statements, Preventing Fraud and Availability & Accessibility, and one enterprise outcome statement, Privacy & Security. States will demonstrate their EVV solution’s achievement of these outcomes through the evaluation criteria and key performance indicators (“KPIs”) described below.
Business outcome statement one: preventing fraud
Under this business outcome statement, the state Medicaid agency has an enhanced ability to prevent fraud, waste, and abuse through increased visibility into its home- and community-based services (HCBS) program. KPIs for this outcome include: (i) an association of the EVV record to a claim or encounter; (ii) a match of the EVV against approved services, provider organization, and units; and (iii) the EVV record devoid of manual edits.
There are six evaluation criteria for this outcome:
- The EVV solution captures and verifies home health care services data, including the type of service performed, identity of the individual receiving the service, date of service, the service delivery location, identity of the individual providing the service, and the time the service begins and ends. Required evidence includes, but is not limited to, automated test reports and screenshots verifying that the EVV solution correctly captures service type, delivery location, receipt of service, beginning and end times of service visits, and identifies incomplete records.
- The system is designed such that even if there is a break in communication service (network connectivity, telephony, cell coverage), data is stored and can be transmitted when service is restored. Required evidence includes an explanation and relevant screenshots of how the solution can store and transmit data in cases where the communications service is interrupted.
- Each visit initiated is captured within the EVV system, whether or not the visit was verified. Required evidence includes an automated test report and screenshot verifying that EVV visit information is captured, even if the visit is not verified.
- For states that receive EVV data from various EVV platforms, the state standardizes EVV data elements. The state validates incoming data against its EVV data standards. Required evidence includes an automated test report and screenshot showing that data elements received by the EVV solution that are not compliant with the state’s EVV data are rejected, compliant data is accepted, and the state’s EVV definitions are available to all relevant stakeholders.
- The state Medicaid agency uses the EVV data to avoid paying for unauthorized or unapproved services. Required evidence includes, but is not limited to, a high-level diagram showing all interfaces and types of data flow, and screenshots showing claims that were edited along with reason codes in specified situations.
- All EVV data flows and interfaces are documented and tested. Required evidence includes a high-level diagram showing all interfaces and types of data flow, automated test reports, and screenshots verifying that the EVV solution correctly transfers and receives data, and includes an explanation of how changes to the system are communicated to stakeholders.
Business outcome statement two: availability & accessibility
Under the second business outcome statement, beneficiaries, their caregivers, and provider organizations can access the system when they need to do so. Access to the system is not limited by a beneficiary’s disabilities, by his or her provider organizations’ lack of ownership of a mobile device, or by his or her location. KPIs for this outcome include EVV system availability, in order to ensure that the EVV system has high availability.
There are four evaluation criteria for this outcome:
- Health care professionals, beneficiaries, and caregivers are able to submit the necessary verification information via alternate methods, should the primary mode of submission be out of service (for example, if a handheld device is not working properly). Required evidence includes an automated test report and screenshots showing that the required EVV data is correctly received and stored when the primary mode of submission is out of service, as well as training materials for users that explain how visit information can be submitted.
- The system must be accessible for individuals with physical disabilities and vision impairments. Required evidence includes a detailed 508 test report.
- The state provides user training and stakeholder outreach. Required evidence includes a training plan and materials as well as a record of when training occurred or is scheduled and for which stakeholder groups.
- The system provides support for non-native English speakers. Required evidence includes a list of all languages supported and how they are supported.
Enterprise outcome statement: privacy & security
Under the single enterprise outcome statement, beneficiary personal health information (“PHI”) and beneficiary and clinical professional personally identifiable information (“PII”) are protected in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”). Best practices for security and privacy controls must be in place. KPIs for this outcome include privacy and security to ensure that the state is managing privacy and security risks.
The evaluation criterion for this outcome requires that the solution, employees, contractors, and downstream subcontractors or entities that work with electronic PHI/PII comply with the HIPAA privacy, security, and breach notification regulations, and applicable state and federal laws and regulations. Required evidence includes a recent penetration test report, a security and privacy control assessments report, and an independent, third-party security and privacy controls assessment report.
CMS released the outcomes-based structure, KPIs, and evaluation criteria in “Electronic Visit Verification (EVV) Certification Version 1.0: Guidance” on October 22, 2019. Just two days later, in a separate release entitled “CMCS Informational Bulletin: Outcomes-Based Certification for Electronic Visit Verification (EVV) Systems,” CMS offered states the opportunity to receive enhanced, 90% Federal Financial Participation (“FFP”), or funding from the federal government, to design, develop, and implement outcomes-based EVV. In order to qualify for enhanced FFP under the outcomes-based certification process, a state’s EVV solution must meet evaluation criteria including accessibility to persons with disabilities, support for non-native English speakers, and stakeholder inclusion.
States that fail to implement a compliant EVV system by January 1, 2020, for personal care services and January 1, 2023, for home health services will lose a share of their federal Medicaid matching funds for these services.