• This page, MassHealth Robotics Processing Automation (RPA) Policy, is offered by
  • MassHealth

MassHealth Robotics Processing Automation (RPA) Policy

Robotic process automation (RPA) is the use of software automation to perform high-volume, repetitive, labor-intensive online tasks that previously required humans to perform. RPA involves robotic rules-based decision making to simulate human interaction with digital systems and software. RPA is also commonly referred to as the use of bots.

MassHealth providers, business partners, and relationship entities may officially use bots on MassHealth’s Medicaid Management Information System (MMIS) Provider Online Service Center (POSC).

This site provides information about MassHealth’s RPA policy and related requirements. It also describes the process to request approval to use bots on the POSC.

Table of Contents

Overview

Effective July 1, 2022, MassHealth requires that all MassHealth providers, business partners, and relationship entities, hereafter referred to as organizations, obtain approval from MassHealth to use Robotics Processing Automation (RPA) tools (bots) on MassHealth’s Medicaid Management Information System (MMIS) Provider Online Service Center (POSC) before the implementation of any bot.

MassHealth understands that RPA tools can reduce the administrative burden of manual data entry and improve operational efficiencies.  However, it’s important that MassHealth manage how these tools interact with the POSC.

Please review the following information regarding MassHealth’s RPA policy and learn how to submit an RPA registration request for MassHealth approval.

Additional Resources for Overview

RPA Stage I Registration Request

Organizations that intend to implement a bot on the POSC must complete the Stage I Registration Form:

  • The organization must submit the MassHealth RPA Stage I Registration Form to MassHealth at functional.coordination@mass.gov.
  • MassHealth will evaluate the RPA Stage I Registration Form to determine approval or rejection:
    • If MassHealth cannot approve the submitted Stage I request Registration Form, you will receive a request to provide additional information.
    • If MassHealth determines that it cannot approve the resubmitted Form, or the form is not returned to MassHealth within 7 calendar days, the Stage I Registration request will be rejected.
  • Once MassHealth approves a Stage I Registration Form, a Stage I preliminary approval number will be assigned, and a Stage I approval notification will be sent to the organization.

Additional Resources for RPA Stage I Registration Request

RPA Stage II Registration Request

Organizations that have received a Stage I approval notification from MassHealth and the accompanying preliminary approval number may submit a Stage II Registration Form when they are ready to request approval to implement the bot. 

Please note: The Grandfathered Entities provision that allowed organizations that were using a bot on the POSC prior to July 1, 2022 has been terminated.

All organizations must follow the process below:

  • The organization must submit the MassHealth RPA Stage II Registration Form along with all the supporting documentation to MassHealth at functional.coordination@mass.gov.
  • The organization must submit the following supporting documentation:
    • Signed MassHealth RPA Agreement
    • Systems Design Documentation, which must include
      • A detailed process flows for each bot transaction that includes every POSC screen that the bot will engage in the process, and
      • The full end-to-end activity of each bot transaction the organization is seeking approval.
    • Test Scenarios which must include a list of successfully executed test scenarios for each transaction that each bot will perform on the POSC. The test scenarios must:
      • Cover the full end-to-end activity of the bot
      • Address each POSC screen accessed by the bot, and
    • Ensure compliance with Section 2 of the MassHealth RPA Policy. This compliance may also be demonstrated via documented statements where applicable.
  • Organizations must test the bots in MassHealth's Trading Partner Testing (TPT) environment only.  Users can log on to the TPT environment with their production POSC user ID and password.  Do not develop and test the bot in the POSC. The POSC is used for submitting and exchanging official transactions only.
  • MassHealth will evaluate the applicable Stage II Registration Form, the signed MassHealth RPA Agreement, and supporting documentation to determine approval or rejection.
    • If MassHealth cannot approve the submitted Stage II Registration Form, you will receive a request to provide additional information.
    • If MassHealth determines that it cannot approve the resubmitted Form, RPA agreement, supporting documentation, or the form is not returned to MassHealth within 7 calendar days, the Stage I Registration request will be rejected.
  • Once MassHealth approves the Stage II Registration Form, MassHealth RPA Agreement, and other required attachments, a Stage II approval notification will be sent to the organization.
  • MassHealth will approve up to a maximum of five bots per Provider ID/Service Location (PID/SL).

 

RPA User ID

When MassHealth approves the Stage II Registration Form and RPA Agreement, an official RPA User ID will be assigned to each approved bot.

Before using any approved bot on the POSC, the organization must generate and assign the MassHealth-issued RPA User ID to the bot that will perform the approved function for that specific PID/SL. Organizations must follow specific instructions to generate the assigned RPA User ID.

Neither the RPA User ID assigned by MassHealth may be used for any other purpose than the RPA activity outlined in the approved registration request.

Additional Resources for RPA Stage II Registration Request

Technical Guidelines and Requirements

Organizations that request approval to use RPA tools on the POSC must ensure that they, at a minimum, comply with the guidelines and requirements below. All the RPA requirements are outlined in the RPA Agreement that each organization must sign, and in the MassHealth RPA Policy.

  • The approved bot must perform only the function it was approved to perform. If an organization wants one of its bots to perform another function, it must first obtain approval from MassHealth.
  • Each bot must perform tasks on the POSC in the same manner as a human would perform them. Specifically, the bot must:
    • Sign in and perform activities within the POSC sequentially.
    • Conduct no more than three login attempts before terminating the activity. The bot must be programmed to alert the end user that an issue has occurred.
    • Not be multi-threaded—that is, it must not perform more than one task at a time.
    • Not conduct concurrent sessions. It must perform one activity at a time within the POSC.
    • Not submit duplicate transactions.
  • The organization may not share its assigned User ID or password with anyone. These credentials  must not be used for any purpose other than the approved RPA tool activity outlined in the approved RPA Stage I and Stage II Registration Forms.
  • Passwords assigned to the bot User IDs must adhere to EOHHS security password standards. These standards require that each password contain at least 12 characters, including:
    • 1 lowercase letter
    • 1 uppercase letter
    • 1 numeral, and
    • 1 special character.
  • In addition, passwords must be changed every 60 days, and at least 2 characters must be changed from all previous passwords.
  • The organization must process all RPA product upgrades in a timely manner to ensure that the most efficient and secure version of the bot is being used.
  • Approved organizations must test each bot within the MassHealth Trading Partner Testing environment before using it on the POSC. Organizations must also make sure that the bot is maintained and synchronized with any applicable MassHealth MMIS POSC modifications.

Please note that MassHealth may require that the bot function as an “attended” bot—that is, a bot that is supervised or aided by a human user.

Maintenance

Organizations that have been approved to use RPA tools on the POSC must notify MassHealth of any changes to the bot that are outside the scope of the approved Stage II Registration Form. Organizations must submit a Modification Request Form to MassHealth at functional.coordination@mass.gov for approval before making the modifications, where applicable.

This includes the following types of modification:

  • An RPA tool that was approved by MassHealth that will be replaced
  • A bot that will be retired or deactivated (notification only)
  • Modifying the bot to perform an additional sequential transaction within the same bot session
  • Modifying the bot to reduce the activity that it performs per session
  • Modifying contact information (notification only)
  • Significantly increasing the average number of transactions the bot will perform
  • Other modifications that an organization would like to make to an approved bot that are not listed above

Upon receipt, MassHealth will evaluate the RPA Modification Form to determine approval or rejection of the proposed bot modification:

  • If MassHealth cannot approve the submitted Modification Request Form, you will receive a request to provide additional information.
  • If MassHealth determines that it cannot approve the resubmitted Form, or the form is not returned to MassHealth within 7 calendar days, the modification request will be rejected.
  • Any bot modification that results solely in activities that fall within the scope of the organization’s approved Stage II Registration Form may be carried out without notification to MassHealth. For example, if the bot will begin to interact with other data elements within a previously approved POSC screen, no notification will be needed.

Additional Resources for Maintenance

Monitoring, Enforcement, and Compliance

MassHealth will monitor the status of all RPA registration requests and each organization’s adherence to the RPA policy.  Some of the key provisions of monitoring, enforcement and compliance are listed below.

  • Each approved bot request will be monitored through activation and stabilization.
  • All approved bots will be monitored on an on-going basis to validate that the activity performed on the POSC is consistent with the relevant RPA approval.
    • Organizations that use bots that perform functions inconsistent with the approved use will be subject to one or more of the following:
      • Outreach and validation.
      • Remediation of violation (opportunity to cure). 
      • Suspension or termination of the bot User ID.
      • Prohibition from performing functions on the POSC.
      • Organization-wide ban on the ability to use RPA tools on the POSC.
      • Other  remedial actions or sanctions that  MassHealth determines to be appropriate. See 130 CMR 450.238: Sanctions: General.

MassHealth will continue to monitor its MMIS to identify any bot used on the POSC that has not been approved by MassHealth. Any organization that uses a bot that has not been approved by MassHealth will be subject to the following:

  • Outreach and validation.
  • Compliance mandate. The organization must complete the RPA registration process.
  • If compliance is not achieved within mutually agreed upon timeframes, the organization will be subject to:
    • Suspension or termination of the bot User ID.
    • Prohibition from performing functions on the POSC.
    • Organization-wide ban on ability to use RPA tools on the POSC.
    • Other penalties or remedial actions as determined by MassHealth after outreach  to the organization.

Each approved organization is wholly responsible for the actions of its bot within the MMIS POSC and must attest to that fact by signing the RPA Agreement and submitting it with the RPA Stage II Registration Form. The terms of this RPA Policy are incorporated into the RPA Agreement.

Using a bot on the POSC is a convenience to organizations. Any organization that violates the MassHealth RPA Policy may have its access to submit transactions via the POSC using RPA technology revoked.

Please review the RPA policy to view the full scope of the monitoring, enforcement, and compliance requirements.

Frequently Asked Questions

Please see the page below for frequently asked questions about the RPA policy and process.

Key Actions for Frequently Asked Questions

Contact us

Please submit any RPA registration and modification requests, correspondence, and inquiries to MassHealth at functional.coordination@mass.gov.

Help Us Improve Mass.gov with your feedback

Feedback