CMS Regulations – Top 4 Tips to Stay Compliant

CMS regulations are constantly evolving – and the risks of non-compliance are steep. As the backbone of numerous health plan payers, HealthEdge is responsible for adhering to CMS’s constantly changing regulations.

How do we do that? We have a team of 11 CMS subject matter experts. These Payment Policy Analysts have a wealth of knowledge and are deeply entrenched in CMS and its ever-changing regulations. They spend all year researching, prepping, and implementing CMS regulations to ensure that Source – our payment integrity platform – stays compliant.

When we asked the team how a payer can stay up to date on CMS regulations, these were their top 4 CMS compliance tips.

  1. Understand the risks of non-compliance

CMS regulatory updates need to be completed accurately and on time. If this does not happen, it significantly impacts payers’ ability to process claims accurately and on time – which can lead to recruitment issues, overpayment, underpayment, increased member and provider abrasion, and decreased provider confidence in the payer.

Furthermore, CMS actively audits health plan payers to ensure compliance. Non-compliance with CMS regulations can result in fines and a decreased star rating.

  2. Plan & Prepare

CMS updates can be released multiple times a year. Before every upcoming change, CMS releases a proposal outlining it. The time between the release of that proposal and the final rule varies.

As soon as a proposal is released, our team reviews it with a fine-toothed comb and begins preparations. With this, the team fully understands the upcoming changes and lays the internal foundation to be able to implement the changes as soon as the CMS final rule is released. This is critical to ensuring on-time implementation of new CMS regulations.

  3. Have Dedicated Resources

CMS regulations are complicated and specialized. HealthEdge manages this complexity with a team of expert Payment Policy Analysts. Having a dedicated team of experts is key to understanding, managing, and accurately adhering to CMS regulations.

  4. Leverage Automated Technology

CMS regulatory changes require constant vigilance. To maximize this, our team has implemented automated processes:

  • Website monitors: this technology automatically scans the CMS website to look for changes that our Payment Policy Analysts need to be aware of
  • CMS Notifications: Our team also subscribes to CMS notifications

The key here is to be proactive about looking for upcoming CMS regulatory changes.

Learn more

CMS regulatory compliance is a critical part of HealthEdge’s payment integrity platform Source. Source is a cloud-based platform that is the only prospective payment integrity solution that natively brings together up-to-date regulatory data, claims pricing and editing, and real-time analytics tools into a single IT ecosystem. This transformational approach allows payers to make payments with total confidence and make business decisions with real intelligence. Learn more here.

Healthcare Cybersecurity: Top Threats and Industry Trends

Industry Trend Comparison

The Department of Health and Human Services (HHS) has reported an 84% increase in the number of data breaches against health care organizations from 2018-2021. Data reported through the first half of the year is consistent with the rate of increase reported each year.


Top 3 Cyber Threats

  1. Basic Web Application Attacks (BWAA)

Web applications are ideal targets for adversaries – they are intentionally exposed publicly, are always available, and can be a door to a database containing potentially sensitive information. Also known as application-layer attacks, these exploits take advantage of web services that are designed to receive requests and provide responses. When not properly secured, web applications may divulge information to an attacker in response to requests or through manipulation of the application’s logic. The seven most common types of web application attacks are:

  • Cross-site scripting (XSS)
  • SQL injection (SQLi)
  • Path traversal
  • Local file inclusion
  • DDoS attacks
  • Cross-site request forgery (CSRF)
  • XML external entity (XXE)

Source: HHS.Gov


The healthcare sector has seen the greatest increase in BWAAs relative to other industries, and web applications are mission-critical to achieving the goals of HealthEdge. A layered defense strategy must be used to protect applications. HealthEdge employs a variety of protective and defensive measures that work together and complement one another to reduce possible opportunities for exploitation.


  2. System and Network

Zero-day attacks take advantage of previously unknown vulnerabilities that, as a result, have no known patch available. The vulnerability is discovered by the security community at the same time that its exploit becomes known. Because no time exists between the discovery of the vulnerability and the patch, these exploits are collectively referred to as “zero-day vulnerabilities,” “zero-day exploits,” or simply “zero-days”. Because code and vulnerability scanners, security posture management tools, and behavior monitoring technologies rely on previously identified vulnerabilities and exploits, these normally useful tools are less effective as a means of prevention or detection of zero days. Instead, security teams strive to prevent large-scale damage and minimize collateral damage in the event that the initial defenses fail.

While there is no silver bullet for preventing zero-day attacks, the opportunities for exploitation can be reduced through multiple controls and best practices:

  • Data and network isolation – Prevent lateral movement such that if a single system is compromised, the damage or access is limited to that system.
  • Penetration testing and bug bounty – Also known as security researchers, penetration testers or bug bounty hunters are software engineers who get paid to intentionally attempt to exploit systems in any way, to potentially find their own zero-days and beat the bad guys to the punch.
  • Patching deployment planning – Once zero days have been discovered “in the wild,” it is of critical importance that the patch is received, applied, tested, and deployed to the production environment. This requires internal technology teams to be at the ready and know their role to patch the system as soon as possible.
  • Monitoring and alerting – This continuous effort is important in identifying strange activities and responding to events that are validated as security incidents. This is commonly achieved through firewalls that inspect the network’s traffic, access control monitoring, audit logging, and automation that detects anomalous activities and sends notifications about them, to stop malicious actors in their tracks.


  3. Insider Threats

Another common threat that is central to the focus of security teams is the insider threat. An insider can be anyone who has authorized network, system, or application access, be it an employee, a third-party contractor, or business partner.

An insider threat does not imply that the insider is malicious, nor do insider threats require malicious or disgruntled actors at all. Instead, anyone who uses their authorized access, wittingly or unwittingly, to harm the organization falls into this category. Threats include espionage; unauthorized viewing, modification, or disclosure of information; theft; loss; and unacceptable use of organizational resources or capabilities. Administrative and technical controls must be implemented for all possibilities to mitigate risk.

  • Annual training is just as important as regularly informing all users about current phishing campaigns, cybersecurity trends, and other current events. Strong organizational awareness ensures each of us is aware of our responsibilities as the first layer of defense.
  • Least privilege and minimum necessary principles ensure that a user account cannot gain access to information beyond the scope of the user’s job requirements, even if that account were compromised. This limits the total damage that can be done by any single individual.
  • Access controls and regular validation of provisioned access ensure users are appropriately provisioned for their role and that access creep is minimized. Access controls requiring strong passwords and multifactor authentication help prevent account takeovers.
  • Zero-trust architecture is a relatively new security concept with a slogan of “never trust, always verify.” The core belief of zero trust is that no user, system, network, or service operating outside or even within the security perimeter is implicitly trusted, even if they previously authenticated. In simpler terms, acquiring legitimate access to one system or network should never automatically confer access to another without additional validation. This security model limits damage that can be done if a single security control fails at any location within an organization’s ecosystem.


HealthEdge & Cybersecurity

HealthEdge understands what it means to be a good steward of customer data and we take this responsibility seriously. Our teams work around the clock to ensure maturity when it comes to pillars of security. Follow us next month when we dive further into cybersecurity for health plans.

California Advancing & Innovation Medi-Cal Enhanced Care Management: Everything You Need to Know

CalAIM Introduction

California Advancing and Innovating Medi-Cal, also known as CalAIM, is a multi-year plan to transform California’s Medi-Cal program and make it integrate more seamlessly with the care delivery and payment reform initiative led by the California Department of Health Care Services (DHCS). DHCS has come up with a framework of renewals that broaden delivery systems, program, & payment reform across the Medi-Cal Program. CalAIM focuses on improving health equity, quality of care and wellbeing for Medi-Cal members by expanding access to coordinated, whole-person care and addressing health-related social needs of the population.

The key priorities of CalAIM are to leverage Medicaid as a tool to address complex challenges faced by California’s residents with complex needs.

This proposal highlights the opportunity to fund non-clinical treatments through Medi-Cal that address socioeconomic determinants of health and lessen health disparities and inequities. These interventions will be centered on a whole-person care approach.

CalAIM will establish new programs and make significant changes to many of its current programs, in addition to the $782 million allocated from the general fund in the 2021–22 budget and more in succeeding budget years. This will result in large federal matching funds.

CalAIM also includes larger system, program, and payment improvements that enable the state to provide services with a population health, person-centered approach and put the emphasis on enhancing outcomes for all Californians. Achieving such objectives will have major impacts on a person’s health and quality of life, as well as eventually lower the per-capita cost through iterative system reform. DHCS understands the critical need to explore these concerns and their priorities within the state budget process and intends to collaborate with the Administration, Legislature, and other partners. These proposals ultimately depend upon the funding available.

CalAIM Background

Because of changes made by the Affordable Care Act, Medi-Cal has expanded and changed over the last 10 years and brought in federal regulations and policy changes. During this time, DHCS upgraded many benefits through Medi-Cal plans to provide care coordination and care management through a fee-for-service system with a broader array of services by supporting and stabilizing the Medi-Cal members. In January 2022, the initial reforms will go into effect and more improvements will follow through 2027. For several CalAIM covered activities, a waiver from the Centers for Medicare & Medicaid Services was to be approved, and this decision was anticipated in December 2021. The state’s HCBS program will receive a total of $4.3 billion in funding from CalAIM. This will lower the possibility of service interruptions during emergencies for those who depend on HCBS to keep safe and healthy. Additionally, CMS states that under section 9817 of the American Rescue Plan Act of 2021, California qualifies for a temporary 10 percentage point increase in the federal medical assistance percentage for specific Medicaid costs for HCBS.

Who CalAIM Will Help:

CalAIM helps all Medi-Cal enrollees, with a main focus on improving care for people with complex medical and behavioral health needs, such as those with mental illness, serious emotional disturbance and/or substance use disorder, senior citizens with disabilities, people released from jail or prison, people experiencing homelessness who have complex behavioral and physical needs, children with a chronic medical illness like cancer, epilepsy or congenital heart disease, and young children in foster care.

Key Goals:

  • Identify and manage comprehensive needs through whole-person care approaches and social drivers of health.
  • Improve quality outcomes, reduce health disparities, and transform the delivery system through value‑based initiatives, modernization, and payment reform.
  • Make Medi-Cal a more consistent and seamless system for enrollees to navigate by reducing complexity and increasing flexibility.

The outcomes require plans and incentivize public health systems to be more responsive, equitable, and outcome focused by:

  • Increasing equity by getting the right patients to the right services at the right time for all of the population.
  • Implementing payment reform, thus laying the framework for paying physical and behavioral health professionals according to outcomes rather than services.
  • Requiring Medi-Cal managed care plans to coordinate access to services offered by counties and community-based groups, giving these plans more responsibility.

Key components of CalAIM:

The key components are to support members with complex health and social needs and to expand care coordination. Key components include:

  • Behavioral health payment reform
  • Enhanced care management (ECM)
  • Community Supports
  • Providing access and transforming health (PATH)
  • Substance use disorder services and initiatives
  • Supporting coordination and integration for dual eligible
  • Improve Medi-Cal dental benefits, delivery system transformation and alignment

ECM: Through extensive coordination of health and health-related services, the new state-wide Medi-Cal benefit known as “Enhanced Care Management” (ECM) will meet the clinical and non-clinical requirements of the most severely underserved members, whether they are at home, in the doctor’s office, at a shelter, or on the street. The delivery of physical, behavioral, dental, developmental, and social services will be coordinated by a single, lead treatment manager for beneficiaries, making it simpler for members to receive the proper care at the appropriate time.

Community Supports: Community supports are designed to address the health-related social needs without the formality of ECM. Plans choose to offer community services when, where and to whom every six months to provide new plan offerings and different services for each county. The most common services offered are medically supportive food/meals, tailored meals, asthma remediation, housing transition navigation services, housing, tenancy and sustaining services. Some community supports, such as nursing facility transition/diversion to assisted living facilities, will correspond with future CalAIM components such as the transfer of institutional long-term care duty to managed care and are more likely to be put into place in 2023.

Population Health Management (PHM):

Parallel to CalAIM, DHCS introduced PHM to provide Medi-Cal participants with access to comprehensive management that will help them live longer, healthier lives. PHM will establish a detailed, accountable plan with their networks and partners who they serve by addressing member needs as well as the continuum of care, engage members and foster trust, evaluate data-driven risk stratification that offers predictive analysis and care gaps to standardize processes, upstream wellness and preventive services, provide care management approaches across the delivery systems, and reduce health disparities. By 2023, all plans must adhere to the DHCS PHM Standards as well as the NCQA PHM Standards.

The goal of CalAIM’s PHM program is to identify care needs and provide tailored solutions. More than 90% of Medi-Cal beneficiaries are anticipated to be accountable for care. PHM focuses primarily on parents and their kids, expectant mothers, older persons with chronic illnesses or impairments, and people with disabilities in order to create systems that are person-centric and help people live longer, healthier lives with improved health outcomes.

DHCS is creating a state-wide PHM Service to collect and aggregate various data to support the PHM goal while the PHM program is being implemented.

In particular, the PHM Service will:

  • Allow Medi-Cal members, Medi-Cal plans, clinicians, counties, and other authorized users access to more up-to-date, accurate, and thorough data on the members’ health histories and needs in order to improve care and avoid duplication of effort.
  • Enhance the functions of risk segmentation, risk tiering, and stratification.
  • Establish trustworthy relationships between members and their care team by making it easier for members to update their information, enabling them with access to health education, their rights and associated benefits, and details on how their data is used, among other things.
  • Provide the ability for DHCS to understand population health trends


The managed care plans, physical and behavioral health care providers, county agencies, and social service providers that make up the core of CalAIM must be able to aggregate data and share information in real time about patients or clients they have in common. For instance, to stratify the various Medi-Cal needs and conduct the proactive, person-centered outreach that is essential to preventive treatment, CalAIM’s PHM program will need to exchange health data in a reliable and efficient manner. To organize care and services for people with complex needs, enhanced care managers will also rely on efficient data interchange. In order to make whole-person care possible, local and state data sharing initiatives must be successful.




Is your care management platform compliant with CalAIM?

California Advancing & Innovation Medi-Cal Enhanced Care Management (CalAIM) is designed to improve the level of whole person care that is given to the population. This is especially true for members that need additional help and non-traditional services in order to be able to attend to their physical health and wellbeing. This includes individuals who don’t have housing, transportation, and/or need assistance with getting meals to live a healthy lifestyle.

How can care management platforms support these vulnerable members with complex needs and be compliant with CalAIM?

A member-centric approach is key – where the care management platform coordinates all the pieces of their healthcare, including care management, utilization management, and access to healthcare services and support. With this, it is imperative that each member has a comprehensive care plan that includes all facets of their health, and their providers can access that plan and collaborate on it.

What should you be looking for in a care management platform to meet CalAIM’s requirements and support vulnerable populations?

  1. Evidence-based Assessments for Diverse Population Needs

Safety net populations represent a complex and diverse set of members and healthcare needs. To support them, care management platforms need to provide a comprehensive, customizable set of evidence-based assessments and the ability to centrally manage care from one application for all healthcare needs/providers.

  2. Utilization Tracking & Budget Management

Members with complex needs, especially when part of a population with challenging circumstances, need to clearly and easily understand what services they truly need, what their benefits are, and how to access those services.

It’s critical that the care management platform can:

  • Assess their healthcare & support services needs
  • Understand their benefits

With this information, the care management platform can drive their plan of care, which can also drive their need for some of the enhanced care management services.

  3. Mobile Application

A comprehensive care management platform with a mobile application empowers the care team to meet the member where they are and still be able to assess them in offline mode. Care is no longer dependent on a member’s transportation and won’t be interrupted because of a lack of internet access.

One of the biggest challenges CalAIM is facing is reaching and supporting the homeless population. Care management platforms that are mobile and don’t rely on the internet enable care providers to support these members.

GuidingCare and Whole Person Care

The GuidingCare care management platform was purpose-built to be able to serve the most complex and vulnerable populations. From the start, GuidingCare’s member-centric approach has been focused on coordinating all aspects of a member’s care. GuidingCare offers over 260 evidence-based assessments that drive care plans and can be configured to meet specific state and population requirements. Learn more here.


Healthcare Payers: True Digital Transformation


Healthcare organizations and leaders are thinking about how to provide the experiences that patients and consumers have come to expect from the healthcare system. However, the legacy technology platforms that many organizations have today – especially payers – often get in the way of that digital transformation.

In a recent episode of The Healthcare Solutions Project podcast, Sagnik Battacharya, EVP at HealthEdge, talks about how payers can accomplish true business transformation, both in terms of data capabilities and interoperability, and the reasons why they should.

Incentives to Drive Interoperability

Provider-to-provider interoperability has taken significant strides forward in the last decade, but interoperability between payers and between payers and providers isn’t yet at the same level. EHR vendors have done a good job of integrating disparate systems, showing that there is a real opportunity for tighter integration and interoperability between existing payer systems.

Incentives and rules being put in place by the government, such as the 21st Century Cures Act, are now being implemented through various rules published by CMS and are driving a focus on interoperability, especially for payers.

The key to interoperability goes beyond having the correct tools, such as APIs, FHIR, and CCDs. These capabilities don’t matter if the information is not available to the right person when and where they need it and in a format that is easily digestible. Oftentimes, providers are getting too much information to sort through in the limited time that they have. When interoperability is executed correctly, the technical capabilities seemingly fade into the background and the result is that patients and providers have the information they need at their fingertips.

Digital Transformation Requires Both Technology and Mindset

Businesses run on technology – but that technology is not always created equal. Businesses need to ask themselves if the platforms and technology they are using are allowing them to move their business at the pace that they want. While every business transformation takes time, if technology is your rate-limiting step, then you would be hard-pressed to call yourself a digital business.

But digital transformation requires more than just having the appropriate technology infrastructure. Sagnik Battacharya emphasizes that it requires “a mindset that allows an organization to move at the pace of consumer expectations over the next ten years,” and points to digital companies like Amazon, Apple and Google as examples of companies that healthcare businesses can learn from.

These digital companies are incredibly end-user-focused. They have a high degree of quality and incredibly high service levels, but providing amazing member experiences is not enough. If you want to be truly digital, you also need to be agile enough to know what consumers are going to expect 10 years from now.

What’s Driving Businesses Toward a Digital Transformation?

The areas of growth within the health insurance markets today are centered around Medicare Advantage, Medicaid and healthcare exchanges. Compared to employer-provided plans, individuals have more choices available to them when selecting one of these options. Numerous plans could be competing for their attention through the services or experiences they provide, resulting in individuals selecting plans based not only on premiums but also on the services and digital experiences they desire.

Benefits of Digital Transformation

According to a recent survey of HealthEdge customer executives, their highest strategic priority over the next couple of years is operational efficiency. They want to take better care of their members, and one way they can do this is by increasing efficiency – resulting in less spending. These savings can then be passed on to their members.

Weaknesses within legacy systems include the inability to be agile and make business transformations faster and easier. Sagnik discusses how customers leveraging digital technology from HealthEdge during the Covid outbreak were able to very rapidly make changes to comply with the new rules that CMS was pushing out. He states “because we had built this really configurable system that put control in the hands of the business users and the clinical users, they were able to make those changes in less than a week…”

A digital transformation could help an organization improve other key business metrics as well. Member loyalty and retention is increasingly important as individuals are given more choices. According to Sagnik, one member health plan has seen 99% member retention because they have successfully engaged with their members digitally.

Another metric closely monitored by health plans is the auto-adjudication rate. HealthEdge regularly sees clients attain auto-adjudication rates of over 90%, which would be pretty difficult to accomplish with legacy systems.

Learn more about becoming a digital payer here.