
Utilization Management (UM) System Requirements

In document , 1 29, , , , , , #2 22, 2013) RFP (Page 136-139)

edit.ky.gov/services/eprocurement/Pages/MEDICAIDENTERPRISEMA

Section 30.060.260.030.030.030 Utilization Management (UM) System Requirements

The Vendor has the necessary technology needed to fully manage and report on the UM program described in this RFP and resulting Master Agreement. The Vendor should, at a minimum, provide the following:

1. The Vendor should provide a proven and reliable automated, rule-driven, web-based UM system for receiving, collecting, transmitting, and routing UM requests.

This system should fully interface with the current and any future MMIS. The Vendor should, at no additional cost, coordinate with the State's FA to ensure a timely and fully functioning interface with the MMIS.

2. The Vendor should produce system-generated periodic (daily, monthly, quarterly, or as otherwise requested) reports. The system should also be able to produce ad hoc reports.

3. The system should generate unique PA numbers to all PA requests immediately upon receipt, and maintain all PA data on the PA file, regardless of disposition.

4. The Vendor should ensure that only valid data is entered on the PA file and deny duplicate requests or requests that contain invalid data.

5. The system should capture and maintain both the requested service amounts (units and/or dollars) and authorized service amount (units and/or dollars) on the PA file.

6. The system should authorize services for a specific recipient, at a minimum, by procedure codes, diagnosis codes, types of service, units, dollars, origin, destination, provider number, and provider types.

7. The system should track modifications to authorization records (i.e., partial approval and partial denial on the same authorization record, appealed authorization upheld and modified, etc.) and maintain a DMS-approved audit trail of file updates.

8. The system should have the capability to change the services authorized and to extend or limit the effective dates of the authorization. Additionally, the system should also maintain the original and updated data in the authorization records.

9. The system should have the capability to inquire/access/report the prior authorization.

10. The system should provide the capability for providers to submit and check the status of PA requests.

11. The system should provide the capability for authorized DMS staff to check the status of all PAs.

12. The Vendor should use imaging equipment to capture, store, and retrieve hard copy authorization requests and associated documents and enter these requests to the on-line authorization system. Documents need to be electronically linked to the appropriate prior authorization request.

13. No less than twenty-four (24) hours of a utilization review determination, the Vendor should generate and send to the appropriate requesting and/or rendering provider(s) and recipient a DMS-approved notice of disposition (approval, denial, reduction of service). The Vendor should maintain electronic copies of the notification letters to be provided to DMS within one (1) business day of request.

14. The Vendor should accurately and timely implement into its systems and processes all known (i.e., ICD-10, Version 5010) and future CMS and other Federal and State mandates.

15. The Vendor should provide fully tested connectivity to the current FA's existing system.

Additional Functional Requirements can be found in Attachment F – MEMS Functional Requirements under the Utilization Management tab.

Section 30.070—Takeover of Current KYMMIS

The Statement of Work (SOW) for the KYMMIS Takeover Project provides the information necessary to understand taking over the Medicaid services, systems, and operations that make up the KYMMIS. The Vendor awarded a Contract is to provide management plans to identify timelines, provide sufficient resources (including qualified staff), define processes, and identify standards to accomplish all of the tasks contained in this RFP.

The Takeover Section of this RFP includes all responsibilities of the current KYMMIS Fiscal Agent Vendor. These responsibilities include maintaining and operating UM. For details regarding UM see Section 30.060.260.030 of this RFP.

Section 30.070.010—Identity Theft Prevention and Reporting Requirements

The selected Vendor is responsible for any mitigation, cleanup and reporting costs from Identity Theft, system breach or breach as defined under the HIPAA Privacy Rule. For even a single knowing violation of these Identity Theft Prevention and Reporting Requirements, the vendor agrees that the Commonwealth may terminate for default the contract(s) and may withhold payment(s) owed to the vendor in an amount sufficient to pay the cost of notifying Commonwealth customers of unauthorized access or security breaches. The awarded vendor must attest/certify to DMS that it has established and will share a breach notification policy and program.

Section 30.070.020—Security

The awarded Vendor shall adhere to the COT security and enterprise policies and procedures and the CHFS security policies and procedures, or submit an appropriate request for exception for review and approval by the Commonwealth.

1. COT Enterprise policies can be viewed at http://technology.ky.gov/governance/Pages/policies.aspx

2. COT Security Procedures can be viewed at https://gotsource.ky.gov/docushare/dsweb/Get/Document-329691

3. CHFS Security Policies are available at http://chfs.ky.gov/os/oats/policies.htm

Section 30.070.020.010—Security Services

1. NIST baseline should be moderate.

2. Provide annually an SSAE 16 (or comparable review) to the CHFS for the Frankfort office location of the selected vendor. The data center where the system is hosted must also provide an annual SSAE 16.

3. The awarded Vendor must perform a Risk Assessment following HIPAA guidelines every three hundred and sixty-five (365) days.

4. Security Testing is required by the selected Vendor on functional, technical and infrastructure components to ensure the system meets all system security requirements. Security Testing scenarios and strategy shall be approved by the CHFS Information Security Office (CHFS ISO) prior to execution and all Security Testing results shall be approved by CHFS and CHFS ISO. Additionally, the selected Vendor is required to conduct its own security risk assessment prior to the Commonwealth engaging a Third Party Vendor to conduct the Independent Security Assessment. The selected Vendor shall provide a report of the results of its security risk assessment, including all tools used, such as code scanning and application scanning tools, and an action plan of remediation for vulnerabilities identified. The Vendor should have a third party security assessment done annually as required by CHFS/COT Policies.

5. The awarded Vendor shall establish and maintain appropriate levels of disaster recovery and regularly test the established disaster recovery. The Vendor should discuss options available as part of the solution related to disaster recovery. It is the preference of CHFS that this include local hot swap/hot fail over redundancy in all critical components as well as hot site operations with database replication.

Section 30.070.020.020—Security Plan

The Security and the Privacy Impact Assessment should be included as a separate document.

1. Provide a detailed in-depth data flow diagram of the KYMMIS system illustrating the security mechanisms.

2. Provide a detailed in-depth architectural diagram for the KYMMIS system to include all infrastructure.
