Maine's Medicaid Mistakes

On Friday, Jan. 21, 2005,the state of Maine cut the ribbon on its new, Web-based Maine Medicaid Claims System for processing $1.5 billion in annual Medicaid claims and payments. The new $25 million program, which replaced the state’s old Honeywell mainframe, was hailed as a more secure system that would clear claims faster, track costs better and give providers more accurate information on claims status.

But within days of turning on the new system, Craig Hitchings knew that something was seriously wrong.

There had been problems right from the start—an unusually high rate of rejected claims—but Hitchings, director of information technology for the state of Maine’s Department of Human Services (DHS), had assumed they were caused by providers using the wrong codes on the new electronic claim forms. By the end of the month, he wasn’t so sure. The department’s Bureau of Medical Services, which runs the Medicaid program, was being deluged with hundreds of calls from doctors, dentists, hospitals, health clinics and nursing homes, angry because their claims were not being paid. The new system had placed most of the rejected claims in a "suspended" file for forms that contained errors.

Tens of thousands of claims representing millions of dollars were being left in limbo.

Hitchings’ team—about 15 IT staffers and about 4 dozen employees from CNSI, the contractor hired to develop the system—were working 12-hour days, writing software fixes and performing adjustments so fast that Hitchings knew that key project management guidelines were beginning to fall by the wayside. And nothing seemed to help.

Day after day, the calls kept coming. The bureau’s call center was so backed up that many providers could not get through. And when they did, they had to wait on the phone for a half hour to speak to a human.

By the end of March, the number of Medicaid claims in the suspended bin had reached approximately 300,000, and the state was falling further and further behind in its ability to process them. With their bills unpaid, some of Maine’s 262,000 Medicaid recipients were turned away from their doctors’ offices, according to the Maine Medical Association. Several dentists and therapists were forced to close their doors, and some physicians had to take out loans to stay afloat. With the Medicaid program accounting for one-third of the entire state budget, Maine’s finances were in shambles, threatening the state’s financial stability and its credit rating. Yet Hitchings was at a loss to explain what was causing all the suspensions.

And every day brought hundreds more.

Today, more than a year later, it’s fair to say that the Maine Medicaid Claims System project has been a disaster of major proportions. Since the new system went live, it has cost the state of Maine close to $30 million. The fallout has been broad and deep. In December 2005, Jack Nicholas, the commissioner of the DHS who oversaw the project, resigned.

As of press time, Maine is the only state in the union not in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—a striking irony given that the new system was designed to facilitate that compliance. Although federal authorities have said they will work with the state in extending the deadline, the failure has been a black eye on Maine’s ability to manage the health of hundreds of thousands of its residents. And it has become an issue in this year’s race for governor.

State IT officials say they have fixed most of the bugs in the new Web services system and that it is now processing 85 percent of claims (although physician groups dispute this). With 20/20 hindsight, they can now look back and see where the project went wrong. Hiring a vendor, CNSI, that had no experience in developing Medicaid claims systems was the first mistake. And that was compounded by the decision to build a new and relatively unproven technology platform for the entire system rather than, as other states have done, integrating a Web-based portal with back-end legacy systems. Thirdly, IT switched over to the new system overnight with no backup system in case something went wrong. And making matters worse, no end-to-end testing or training was conducted before the switch over. Indeed, the story of the Maine Medicaid Claims System is a classic example of how not to develop, deploy and manage an advanced Web services system.

"By the first of March, it was clear that we were missing any sort of basic management of this project and were in complete defensive mode," recalls Dick Thompson, then head of procurement for the state of Maine and now its CIO.

"We could not see our way out of this."

Out with the Old

In the late 1990s, states were moving fast to overhaul their Medicaid claims processing systems. Driving the transformation was HIPAA, which required numerous changes in managing patient health and records, the most significant of which was protecting patient privacy. Maine, like other states, had to upgrade its systems to better secure Medicaid patient records. Under HIPAA, the state had until Oct. 1, 2002, to have a system in place that would secure and limit access to that information.

At the same time, the federal Medicaid program was becoming more complex. As additional health services were added, the number of codes and subcodes for services grew, and payments to doctors and hospitals were parsed accordingly. Maine also needed to give providers a way to check the eligibility of Medicaid patients and the status of their claims. Making this information available online, they hoped, would cut down on the number of calls to the state Bureau of Medical Services, thereby saving the state money.

State officials knew that upgrading the old system would be a Herculean task. Maine processes more than 120,000 Medicaid claims per week, and the existing claims processing system—a 1970s vintage Honeywell mainframe—was not up to the job, nor could it meet HIPAA’s demands or provide online access. The state’s IT managers reasoned that a new end-to-end system would be easier and cheaper to maintain. (Other states reached different conclusions. Massachusetts, for example, decided to build a new front-end Web portal for providers and Medicaid patients that could be integrated with the state’s existing legacy systems. For more on this, read "Opening a Virtual Gateway to Better Health," online at

The development of the new system was assigned to the IT staff in the DHS, which decided it wanted a system built on a rules-based engine so that as Medicaid rules changed, the changes could be programmed easily into the system.

Some service providers, such as EDS, offered states the opportunity to outsource claims processing systems. But the DHS staff believed building its own system would give it more flexibility. The staff also believed it could manage the system better than an outsourcer. "We had a track record of running the old system for 25 years," Thompson explains.

In April 2001, the state of Maine issued an RFP for the new system. But by the end of the year, the state had received only two proposals: one from Keane (for $30 million) and another from CNSI (for $15 million).

Typically, agencies like to see several bids within a close range. That way, procurement officials are confident that the requirements are doable and the bids realistic. In this case, the low bidder, CNSI, had no experience in building Medicaid claims processing systems. In contrast, Keane had some experience in developing Medicaid systems, and the company had worked on the Maine system for Medicaid eligibility.

The paucity of bidders and the 100 percent difference in price between the two bids should have been red flags, says J. Davidson Frame, dean of the University of Management and Technology in Arlington, Va. "Only two bidders is a dangerous sign," he says, adding that the low response rate indicated that potential bidders knew the requirements of the RFP were unreasonable. "Thompson should have realized immediately something was wrong with the solicitation, and redone it," Frame says. "Even if they missed the [HIPAA] deadline, it would have saved time and money in the long run."

The Seeds of Failure

CNSI proposed building the new system with J2EE software language, arguing that it was needed to get the scalability state officials were asking for, according to Hitchings. J2EE is a powerful programming language, the Ferrari of software code, which some of the largest corporations are now using to run their global operations. Experts say deploying such advanced technology, especially in state government, increased the risk in an already risky project. Most Medicaid claims systems contain bundles of code that have been tinkered with for decades to adjust rates, services and rules. Attempting to translate all of that human intelligence, gathered over thousands of person-years, into a system built from the ground up, was, at best, problematic. "It was a big misstep," Frame says.

But Thompson argues that the state was in a corner. Maine’s budget was tight. State revenue was dropping, and saving money was critical. Also, the deadline to become compliant with HIPAA was looming, and Thompson decided that the six months that would have been needed to redo the RFP was too much. "We had a requirement to get something in place soon," Thompson says.

In October 2001, the state awarded the contract to CNSI, giving the company 12 months to build and deploy a new high-end processing system by the HIPAA deadline of Oct. 1, 2002. As head of procurement, Thompson signed off on the contract.

Almost immediately, it became evident that the state was not going to meet the deadline. To begin with, the 65-person team composed of DHS IT staffers and CNSI representatives assigned to the project had difficulty securing time with the dozen Medicaid experts in the Bureau of Medical Services to get detailed information about how to code for Medicaid rules. As a result, the contractors had to make their own decisions on how to meet Medicaid requirements. And then they had to reprogram the system after consulting with a Medicaid expert, further slowing development.

The system also was designed to look at claims in more detail than the old system in order to increase the accuracy of payments and comply with HIPAA security requirements. The legacy system checked three basic pieces of information: that the provider was in the system, the eligibility of the patient and whether the service was covered. The new system checked 13 pieces, such as making sure the provider was authorized to perform that service on the date the service was provided, and the provider’s license. "There were a lot more moving parts," Thompson explains.

Looking back, Thompson says the DHS team was seriously understaffed. But Thompson says he was afraid to ask for more resources. "That is a significant problem in government," Thompson says. "If I say I need 60 to 70 percent more staff because we need to work this project for two years, the response would be, ‘What, are you crazy?’ So, we just couldn’t make the turnaround times."

In the fall of 2002, just months away from the HIPAA deadline, the DHS team got a reprieve. The federally run Center for Medicare and Medicaid Services pushed back the deadline to Oct. 1, 2003.

For the next two years, CNSI and Maine’s DHS IT shop worked long hours writing code. Errors kept cropping up as programmers had to reprogram the system to accept Medicaid rule changes at the federal and state levels. The changes created integration problems. The developers also had to add more storage capacity and computing power to accommodate the increase in information generated by the new rules, and that further delayed the development.

In January 2003, John Baldacci was inaugurated governor. One of Baldacci’s campaign promises was to streamline state government, and part of the plan called for merging Maine’s Department of Behavioral and Developmental Services with the Department of Human Services to create the Department of Health and Human Services (HHS). That meant consolidating systems and databases that had resided in both departments and creating new business processes, diverting crucial resources from the development of the claims system. Thompson says the merger also diverted executives’ attention. Meanwhile, the cost of the project rose, increasing 50 percent to more than $22 million.

1 2 Page 1
Page 1 of 2
Security vs. innovation: IT's trickiest balancing act