Skip to Main Content

insightsarticles

mDL technical specifications: Background, terms, and topics

By:

Jake is a Consultant in BerryDunn’s Justice and Public Safety Practice in the Government Consulting Group. He has worked on various justice and public safety projects including system implementations, point-in-time assessments, business process mapping, and vendor procurements. He is a Prosci®-certified Change Management Practitioner.

Jake Spaulding
12.20.21

Read this if you are a division of motor vehicles, or interested in mDLs.

It can be challenging to learn about the technical specifications that must be met to safely acquire, implement, and use emerging technologies. And why wouldn’t it be? Technical specifications are full of jargon only a technical expert can understand, and seem to appear out of thin air. Well, BerryDunn is here to help. When it comes to mobile driver’s licenses (mDLs), we’ve got the scoop.

Technical standards are developed by a few large international organizations. The International Organization for Standardization (ISO) is a Swiss-based organization responsible for the development of international standards for technical, industrial, and commercial industries in 165 countries. The International Electrotechnical Commission (IEC) is an international standards organization that develops and publishes standards for electronic technologies. The ISO and IEC have been collaborating on international technical standards for mDL technology. Recently, the ISO/IEC finalized and published these standards, which can be purchased on ISO’s website for $198 Swiss francs (about $213 US).

These technical standards cover three key components: 

  • Data exchanged during an mDL transaction
  • Security during online and offline mDL transaction scenarios
  • mDL data model to ensure mDL interoperability 

Data exchange/transaction

Data exchange is the process by which an mDL device is used to provide credentials (e.g., verify age or identity) to an mDL reader. Broadly speaking, data exchange consists of three phases: initialization (activating your device at a store to confirm your identity), device engagement (the mDL device creates a connection with the mDL reader), and data retrieval (the mDL reader requests the appropriate data to continue a transaction). The process can occur when the mDL has an internet connection (online retrieval) or when it does not have an internet connection (offline retrieval). Offline data retrieval can be conducted using a combination of Bluetooth Low Energy (BLE), Near-Field Communication (NFC), or Wi-Fi Aware technologies. These are all methods by which an mDL can connect to mDL readers at short ranges, functionally similar to Apple Pay. Online Data retrieval can be conducted using a web-based application programming interface (WebAPI) or OpenID Connect (OIDC). These are methods by which mDLs connect with the mDL issuer, confirm the mDL holder’s identity, and allow the mDL issuer to transfer data to the mDL reader. In short, an mDL transaction might look something like this:

  1. Initialization: An mDL holder attempts to purchase alcohol from a local store. The mDL holder opens their device, enters their mDL application using a PIN or biometric security feature, and uses NFC or a QR code to initiate a connection between the mDL and mDL reader.
  2. Device engagement: The mDL and mDL reader connect using NFC or a QR code.
  3. Data retrieval: The mDL reader either asks the mDL for data to confirm the holder’s age, or asks the mDL issuer to confirm the mDL holder’s age. Either the mDL or mDL issuer sends appropriate data to the mDL reader to confirm the holder’s age. Once validated, the mDL-reading establishment and mDL holder are free to complete the transaction. 

Security for mobile driver’s licenses 

mDL security aims to protect against four primary threats.

  1. mDL forgery/forgery of data elements
  2. mDL cloning/cloning of data elements
  3. mDL communication eavesdropping
  4. Unauthorized mDL access 

mDL security needs to cover online scenarios, in which an mDL-holder’s device is connected to the internet, as well as offline scenarios, when an mDL holder’s device does not have internet connectivity. Potential mDL security options include: 

  • Authentication of mDL data to protect against data cloning
  • Authentication of the legitimacy of the mDL reader to prevent alteration of communications between the mDL and mDL reader 
  • Session encryption to preserve mDL data confidentiality and prevent mDL data alteration or unauthorized data access
  • Issuer data authentication to ensure the mDL data originates at a legitimate issuing authority

During online retrieval scenarios, mDLs can employ transport layer security (TLS) to preserve the confidentiality of mDL data, or use a JavaScript Object Notation (JSON) Web Token (JWT) to authenticate mDL data origin.  

mDL technical specifications: Key terms and definitions

Technical specifications are an important, yet confusing aspect of IT system implementations, particularly for emerging technologies where expertise has not yet been established within the market. The same holds true for mDLs. Understanding mDL technical specifications requires understanding the specific terms used to describe the technical specifications along with general mDL terminology. Here’s a list of mDL-related and technical specification terms and definitions.

Key terms and definitions
 

Terms Definitions
Bluetooth Low Energy (BLE) A form of Bluetooth that provides a wireless connectivity of similar range to traditional Bluetooth at reduced device power consumption.
IEC International Electrotechnical Commission
ISO International Organization for Standardization
JavaScript Object Notation (JSON)  An open standard file format and data interchange format that uses human-readable text to store and transmit data objects.
JSON Web Token (JWT) An object used to transfer information between two parties over the web.
mDL issuer  The department of motor vehicles or bureau of motor vehicles responsible for administering rights to, and overseeing distribution of, mDL data to mDL holders.
mDL holder The person whose data is contained in, and represented by, the mDL.
mDL reader The hardware technology used to consume mDL data from an mDL holder’s device.
mDL-reading establishment The institution consuming mDL data via an mDL reader (e.g., law enforcement, liquor store, Transportation Safety Administration).  
Near-Field Communication (NFC) Communication protocols that allow electronic devices to communicate over distances of 1.5 inches or less (e.g., Apple Pay).
Offline retrieval The mDL holder’s device is not directly connected to an internet network via Wi-Fi or cellular data, requiring the mDL device to hold some mDL data—behind security features (e.g., PIN, or biometric lock)—and, at a minimum, confirm holder identity, driving privileges, age, and residence.
Online retrieval  The mDL holder’s device is connected to an internet network via Wi-Fi or cellular data. Upon request, the mDL holder can initiate a transfer of mDL data using a QR code or web token to approve the sharing of mDL data between the mDL issuer and mDL reader. 
OpenID Connect (OIDC) OpenID Connect is an authentication protocol that allows for the verification of end user identity.
Transport Layer Security (TLS) A cryptographic protocol that provides communication security over a computer network (e.g., between an mDL reader and mDL issuer).
Web Application Programming Interface (API)   An interface for a web server or web browser.
Wi-Fi Aware A Wi-Fi capability that allows devices to discover potential Wi-Fi connections nearby without connecting to them. Wi-Fi Aware runs in the background, and does not require users to have current Wi-Fi or cellular connections.


If you have any questions regarding mDLs and technical requirements, please contact us. We’re here to help. 

Related Services

Related Professionals

Principals

  • Doug Rowe
    Principal
    Justice and Public Safety
    T 207.541.2330

BerryDunn experts and consultants

Read this if you are a division of motor vehicles, or interested in mDLs.

Successful acquisition and implementation of a mobile driver’s license (mDL) program requires knowledge of the specific functional needs mDLs must satisfy to help ensure mDL programs provide security and convenience to mDL holders. These functional needs span mDL-reading equipment, issuing authorities (e.g., departments of motor vehicles), law enforcement and other mDL-reading establishments, and mDLs themselves.  

Per the American Association of Motor Vehicle Administrators (AAMVA) Functional Needs White Paper, functional needs span eight broad categories: operations, trust, identity, cross-jurisdictional/vendor use, data privacy, remote management, ease of use, and other. The table below organizes these categories, briefly explains associated functional needs, and assigns a level of criticality to each functional need. Critical functionality must be accommodated by mDL programs in some manner. Desired functionality is optional, but heavily encouraged.

Table 1: Key Terms and Definitions
mDL Functional Needs Breakdown
Category Description Required/Desired
Operation – Online and Offline mDL holders must be able to validate their identity when either the mDL holder, the mDL reader, or both lack access to the internet.  At a minimum, offline use must allow citizens to confirm their identities, driving privileges, age, and residence. Critical
Operation – Attended mDL holders and mDL-reading establishments must be physically present when an mDL holder’s identity is established as credible, typically using the mDL portrait image. Critical
Operation – Unattended mDLs must function when the mDL-reading establishment is not present during a transaction with an mDL holder. Desired
Trust mDL holders must be able to establish that data comprising the mDL was issued by the relevant issuer and that information has not been changed, unless via an update through the relevant issuer. Critical
Trust mDL-reading establishments must employ readers they trust to obtain and validate information from mDLs. Critical
Identity – Portrait Image mDLs must have portrait image of the mDL holder. Critical
Identity – Portrait Image mDLs must have the ability to retrieve the portrait image from the issuing jurisdiction using a one-time token. Critical
Identity – Portrait Image mDL readers must read portrait images from mDLs, retrieve it from the issuing jurisdiction, and display the image. Critical
Identity – Portrait Image Law enforcement must have mobile mDL readers in order to review the mDL portrait image and mDL holder simultaneously. Desired
Identity – Biometric mDL-reading establishments must have trusted equipment to obtain the mDL holder’s biometric information. Desired
Identity – Biometric mDLs and readers must support a one-to-one  comparison of the mDL and holder biometric information, executed by the mDL-reading establishment or mDL issuer. Desired
Identity – PIN mDLs must support the use of a personal identification number (PIN) to authenticate the legitimacy of an mDL and its holder. Critical
Identity – PIN mDL holders must trust that mDL readers will not compromise their PIN when entering it.

mDL readers must trust that the PIN accurately validates mDL holder information when the authentication process occurs on the mDL holder’s device.
Critical
Cross-Jurisdictional & Vendor Use mDL readers must be able to read mDLs from multiple issuing jurisdictions and multiple vendors. Critical
Cross-Jurisdictional & Vendor Use mDLs require interfacing with the relevant issuer, with the ability to control how mDL data is uploaded to holder devices and updated. Critical
Cross-Jurisdictional & Vendor Use mDLs require in-real-time interfacing with the holder’s device and the reader. Critical
Data Privacy As with physical DLs, mDLs require a process for granting holder consent prior to information release. Critical
Data Privacy mDL holders must be able to release selective information (e.g., age, driving credentials) without releasing all personal information stored on the mDL (data minimization). Critical
Data Privacy Issuing authorities must be able to allow unrestricted access to an mDL, without the holder’s consent, in cases where the holder is unconscious, nonresponsive, etc., e.g., following a major car accident, law enforcement might need to verify whether an individual is an organ donor. Desired
Data Privacy mDLs must be linkable to the government-related transactions they are used for (e.g., interacting with the DMV, law enforcement), allowing local and state officials to review the history of transactions related to a specific mDL. Desired
Data Privacy mDLs must be unlinkable from the private-industry transactions they are used for, preventing mDL-reading establishments from tying mDL holders to specific transactions. Desired
Data Privacy The mDL should grant the mDL holder visibility into all personal data contained in the mDL. Critical
Remote mDL Management1 mDL issuing authorities must have the ability to perform the following actions to mDLs remotely:
  • Add, update, and revoke (temporarily and permanently) driving privileges.
  • Update the application storing the mDL.
  • Revoke the mDL entirely (in the case of suspected fraud)
Critical
Remote mDL Management mDL holders must have the ability to remotely update their mDL data, including revoking their mDL in the case of a lost or stolen mDL. Critical
Remote mDL Management mDLs with combined offline/online functionality must expire should the mDL holder not connect their mDL to issuer’s system within a defined period of time. Critical
Remote mDL Management mDLs must support the ability to be returned to the issuer prior to the issue of a new mDL to a holder.

mDLs must support the ability to be returned to the issuer, marked as void, and returned to the holder prior to the issue of a new mDL to the holder.
Optional
Remote mDL Management mDLs must allow law enforcement officers from a holder’s home jurisdiction to suspend a holder’s mDL under specified circumstances. Critical
Remote mDL Management mDLs must support the ability for issuing authorities to change mDLs to IDs (in the case of driving privilege revocation) and change IDs to mDLs (when driving privileges are gained). Desired
Remote mDL Management mDLs must support the ability to transfer devices, either online (desired) or by visiting issuing authorities in person (critical). Desired/Critical
Ease of Use mDLs must not require mDL-reading establishments to handle the mDL holder’s device during a transaction. Critical
Ease of Use mDLs must operate during different weather conditions (rain, snow, intense sunlight, etc.) Desired
Ease of Use mDLs must function at all times, regardless of the level of ambient light. Critical
Ease of Use mDLs must function in various environments (office, traffic stop, etc.) Critical
Ease of Use mDLs must minimize the amount and cost of additional equipment that law enforcement and other mDL-reading establishments require when processing mDL transactions. Desired
Other – Processing     Time mDL readers must be able to process an mDL transaction with comparable time to physical DL transactions. Critical
Other – Non-reliance on Device Security by Consumer mDL readers must be able to authenticate mDL data without relying on the security of an mDL holder’s device (e.g., biometric readers). Critical

1Remote mDL management assumes at least a partial level of online mDL functionality. mDLs cannot be remotely managed in offline scenarios.

If you have questions about mDLs or about your specific agency, please contact the team. We’re here to help.      

Article
Functional needs for a successful mobile Driver's License (mDL) program

Read this if you are a division of motor vehicles, or interested in mDLs.

You drive to the airport, and are pulled over by law enforcement. They check your driver’s license. You arrive at the airport, and rush through the TSA checkpoint. They check your driver’s license. You buy a drink in the airport bar to calm your nerves. They check your driver’s license. You board your plane, take off, land in your destination, and rent a car. They check your driver’s license. You drive to the hotel and check yourself in. They check your driver’s license. From run-ins with law enforcement, to traveling, to purchasing alcohol, driver’s licenses are necessary and versatile parts of every citizen’s identification arsenal—and soon, they will be mobile. But this new frontier of electronic identification—despite widespread applicability and increased holder convenience—brings challenges for mDL issuers and mDL-reading establishments.

The mDLs must function in a range of scenarios, each of which with distinct business processes, differing levels of holder data control, and various levels of online functionality. The widespread applicability of mDLs mean that state, county, and local issuing authorities need to simultaneously anticipate the range of mDL holder scenarios, identify the functionality required to meet these scenarios, and anticipate implementation challenges.     

Additionally, understanding mDL functionality requires understanding the specific terms used to describe that functionality, and these terms vary. From the participants in mDL transactions, to the kinds of transactions occurring, to the various screens and data validation methods, this terminology quickly becomes complicated. 

Table 1, Key Terms and Definitions below contains a list of mDL-related terms and definitions used within this blog, and accompanying future functional needs blogs.

Table 1: Key Terms and Definitions
Terms Definitions
mDL issuer The department of motor vehicles or bureau of motor vehicles responsible for administering rights to, and overseeing distribution of, mDL data to mDL holders.
mDL holder The person whose data is contained in, and represented by, the mDL.
mDL reader The hardware technology used to consume mDL data from an mDL holder's device.
mDL-reading establishment The institution consuming mDL data via an mDL reader, e.g., law enforcement, liquor store, Transportation Safety Administration.
Portrait image The image of the mDL holder used to verify the holder's ownership of the mDL by visual means.
Attended operation The mDL-reading establishment is physically present when the mDL holder is certified as the owner of the mDL data. E.g., checking in at a hotel, buying alcohol at a liquor store, verifying ID during a traffic stop scenario.
Unattended operation The mDL-reading establishment is not physically present when the mDL holder is certified as the owner of the mDL data. E.g., verifying age during an internet transaction.
Personal Identification Number (PIN) A number (usually 4 digits) created by an mDL holder and used to validate their identity during transactions.
Use Case A situation in which a holder will rely upon an mDL to convey their data to mDL-reading establishments, for a defined purpose.


Table 2, mDL Use Cases below lists situations in which mDL transactions are common, called use cases, and marks them as primary or future mDL use cases. Table 2 also categorizes whether the transactions occur with online/offline functionality (or both); and whether the transactions require both parties to be present during the transaction (attended), do not require both parties to be present during the transaction (unattended), or both. 

Note that mDL use cases are ever evolving, as is the functionality required to complete them. For the most up-to-date content, consider reviewing resources developed by the American Association of Motor Vehicle Administrators (AAMVA) or the International Organization for Standardization (ISO).

Table 2: Standard mDL Use Cases
Use Case Online/Offline Functionality Attended v. Unattended Operation
Primary Use Cases
mDL holder is involved in a traffic stop with law enforcement. Both Both
mDL holder goes through a Transportation Security Administration (TSA) checkpoint at an airport. Both Attended
mDL holder purchases alcohol in person. Both Attended
mDL holder rents a car. Both Both
mDL holder checks into a hotel. Both Both
mDL holder confirms identity with financial institutions. E.g., banks. Both Attended
mDL holder obtains social services. Both Both
mDL holder confirms identity when voting. Note: This use case might not be required in all jurisdictions. Both Attended
mDL holder confirms identity to gain access to federal facilities (if appropriate). Both Attended
Future Use Cases
mDL holder proves age for age-restricted purchases via the internet. Online Unattended
mDL holder signs a document electronically.  Online Unattended
mDL holder opens a bank account online.  Online Unattended


If you have questions about mDLs or about your specific agency, please contact the team. We’re here to help. 

Article
Mobile Driver's License (mDL) functional needs: Definitions and use cases

Read this if you are a division of motor vehicles, or interested in mDLs.

What is a mobile driver’s license?

A mobile driver’s license (mDL) is a solution that allows citizens to access, update, and use their driver’s license via a smart phone or other internet-accessible device (e.g., laptop, tablet, smart watch). An mDL is a form of electronic identification (eID), but where eIDs include other forms of licensure like hunting/fishing/gaming licenses or military IDs, mDLs are used to designate driving privileges and, in some cases, to designate age-based/identity privileges for citizens who cannot drive (e.g., buying alcohol, TSA PreCheck®).

Why should you care?

Technology has replaced physical product functionality within various areas of modern life. Many people have transitioned to electronic credit/debit card payments (e.g., Apple Pay), making paying for everyday items faster, easier, and cleaner, while also introducing risks to consumer data security. Similar functionality will soon exist within the eID space, starting with mDLs. This provides challenges for departments of motor vehicles (DMVs), businesses, and consumers; however, the benefits of adopting mDL functionality outweigh the growing pains of establishing the programs.

How does it work and when will it be implemented?

The mDL will function similarly to electronic credit cards and mobile payment applications: an mDL user loads their mDL to their mobile device using a mobile application and can use it to verify their age and driving credentials at mDL-reading establishments and with law enforcement. Relevant establishments will require both hardware and software solutions to read mDLs. 

mDLs aren’t intended to replace physical licenses—at least not yet. While state and county pilot programs resolve some of the challenges associated with mDLs, physical IDs will remain required for years to come. 

Additionally, the American Association of Motor Vehicle Administrators (AAMVA) created two groups—a Card Design Standard Committee and Electronic Identification Working Group—to develop interoperable standards to assist license issuing authorities (e.g., DMVs) in developing their mDL programs. These standards will ensure that mDLs work using different hardware, software, vendor applications, and within different jurisdictions. 

Benefits and challenges

Benefits

mDLs provide numerous benefits to citizens and DMVs alike, including information security, user convenience, and administrative convenience.

Information security

  • mDLs are harder to fake than physical driver’s licenses due to the mDL’s connection to back-end license data within the DMV system. 

  • mDLs allow users the option to communicate specific data to the receiving party without sharing all of the user’s license information (e.g., confirming the user is over age 21 without sharing their specific age or street address). 

User convenience

  • Users will be able to update their credentials fully online and see in-real-time updates.
  • mDLs will possess single sign-on verification and use for users via a biometric lock or PIN, making them quick to access and easy to use.

Administrative convenience

  • The decline in DMV wait times due to online-update functionality will save DMVs money in administrative costs.

Challenges

As with all technological advancement, there are several challenges around the development of mDLs. The primary challenge is ensuring the protection of user data while also rolling out the complex—and often costly—infrastructure needed to support mDL use across a region. 

Information security 

  • Issuing agencies can choose whether some, none, or all mDL user data is stored on the user’s device and must ensure all data stored this way is done so securely.

  • mDLs must ensure hands-free exchange of information with law enforcement to protect user data when presenting identification.

  • Technological errors are bound to occur: if an mDL-reading establishment is not able to read a citizen's mDL for any reason, a citizen will require a physical license to complete the transaction.

Program rollout

  • States and mDL vendors will need to support interoperable mDL standards to ensure that an mDL works with different vendor software and across jurisdictions.

  • Establishments and law enforcement will need the necessary mDL-reading hardware (smart phone, smart watch, tablet, laptop, point-of-sale terminal) and software (QR code readers, Bluetooth functionality, Wi-Fi Aware, Nearfield Communication, etc.) to read mDLs.

  • mDLs must be able to function in both offline and online scenarios to ensure the security of consumer data and proper functionality.

The future

mDLs are just the beginning of the opportunities eID technology will bring. Once established by DMVs, eID technology can and will be used to find and buy insurance services, check medical prescriptions, apply for social/welfare benefits, open hunting/fishing/gaming accounts and display appropriate credentials, and access pension information. 

The versatility that eID technology provides will streamline American citizens’ identification arsenal, and the advancing mDL technology puts us on the path to get there. The question is not will mDLs become widespread, but when.
 

Article
Introduction to mobile driver's licenses (mDLs): What are they and why are they important?

Read this if you are a behavioral health agency leader looking for solutions to manage mental health, substance misuse, and overdose crises.

As state health departments across the country continue to grapple with rising COVID-19 cases, stalling vaccination rates, and public heath workforce burnout, other crises in behavioral health may be looming. Diverted resources, disruption in treatment, and the mental stress of the COVID-19 pandemic have exacerbated mental health disorders, substance use, and drug overdoses.

State agencies need behavioral health solutions perhaps now more than ever. BerryDunn works with state agencies to mitigate the challenges of managing behavioral health and implement innovative strategies and solutions to better serve beneficiaries. Read on to understand how conducting a needs assessment, redesigning processes, and/or establishing a strategic plan can amplify the impact of your programs. 

Behavioral health in crisis

The prevalence of mental illness and substance use disorders has steadily increased over the past decade, and the pandemic has exacerbated these trends. A number of recently released studies show increases in symptoms of anxiety, depression, and suicidal ideation. One CDC study indicates that in June 2020 over 40% of adults reported an adverse mental or behavioral health condition, which includes about 13% who have started or increased substance use to cope with stress or emotions related to COVID-19.1 

The toll on behavioral health outcomes is compounded by the pandemic’s disruption to behavioral health services. According to the National Council for Behavioral Health, 65% of behavioral health organizations have had to cancel, reschedule, or turn away patients, even as organizations see a dramatic increase in the demand for services.2,3 Moreover, treatment facilities and harm reduction programs across the country have scaled back services or closed entirely due to social distancing requirements, insufficient personal protective equipment, budget shortfalls, and other challenges.4 These disruptions in access to care and service delivery are having a severe impact.

Several studies indicate that patients report new barriers to care or changes in treatment and support services after the onset of the pandemic.5, 6 Barriers to care are particularly disruptive for people with substance use disorders. Social isolation and mental illness, coupled with limited treatment options and harm reduction services, creates a higher risk of suicide ideation, substance misuse, and overdose deaths.

For example, the opioid epidemic was still surging when the pandemic began, and rates of overdose have since spiked or elevated in every state across the country.7 After a decline of overdose deaths in 2018 for the first time in two decades, the CDC reported 81,230 overdose deaths from June 2019 to May 2020, the highest number of overdose deaths ever recorded in a 12-month period.8 

These trends do not appear to be improving. On October 3, the CDC reported that from March 2020 to March 2021, overdose deaths have increased 29.6% compared to the previous year, and that number will only continue to climb as more data comes in.9  

As the country continues to experience an increase in mental illness, suicide, and substance use disorders, states are in need of capacity and support to identify and/or implement strategies to mitigate these challenges. 

Solutions for state agencies

Behavioral health has been recognized as a priority issue and service area that will require significant resources and innovation. In May, the US Department of Health and Human Services' (HHS) Secretary Xavier Becerra reestablished the Behavioral Health Coordinating Council to facilitate collaborative, innovative, transparent, equitable, and action-oriented approaches to address the HHS behavioral health agenda. The 2022 budget allocates $1.6 billion to the Community Mental Health Services Block Grant, which is more than double the Fiscal Year (FY) 2021 funding and $3.9 billion more than in FY 2020, to address the opioid epidemic in addition to other substance use disorders.10 

As COVID-19 continues to exacerbate behavioral health issues, states need innovative solutions to take on these challenges and leverage additional federal funding. COVID-19 is still consuming the time of many state leaders and staff, so states have a limited capacity to plan, implement, and manage the new initiatives to adequately address these issues. Here are three ways health departments can capitalize on the additional funding.

Conduct a needs assessment to identify opportunities to improve use of data and program outcomes

Despite meeting baseline reporting requirements, state agencies often lack sufficient quality data to assess program outcomes, identify underserved populations, and obtain a holistic view of the comprehensive system of care for behavioral health services. Although state agencies may be able to recognize challenges in the delivery or administration of behavioral health services, it can be difficult to identify solutions that result in sustained improvements.

By performing a structured needs assessment, health departments can evaluate their processes, systems, and resources to better understand how they are using data, and how to optimize programs to tailor behavioral health services and promote better health outcomes and a more equitable distribution of care. This analysis provides the insight for agencies to understand not only the strengths and challenges of the current environment, but also the desires and opportunities for a future solution that takes into account stakeholder needs, best practice, and emerging technologies. 

Some of the benefits we have seen our clients enjoy as a result of performing a needs assessment include: 

  • Discovering and validating strengths and challenges of current state operations through independent evaluation
  • Establishing a clear roadmap for future business and technological improvements
  • Determining costs and benefits of new, alternative, or enhanced systems and/or processes
  • Identifying the specific business and technical requirements to achieve and improve performance outcomes 

Timely, accurate, and comprehensive data is critical to improving behavioral health outcomes, and the information gathered during a needs assessment can inform further activities that support programmatic improvements. Further activities might include conducting a fit-gap analysis, performing business process redesign, establishing a prioritization matrix, and more. By identifying the greatest needs and implementing plans to address them, state agencies can better handle the impact on behavioral health services resulting from the COVID-19 pandemic and serve individuals with mental health or substance use disorders more efficiently and effectively.

Redesign processes to improve how individuals access treatment and services

Despite the availability of behavioral health services, inefficient business and technical processes can delay and frustrate individuals seeking care and in some cases, make them stop seeking care altogether. With limited resources and increasing demands, behavioral health agencies should analyze and redesign work flows to maximize efficiency, security, and efficacy. Here are a few examples of process improvements states can achieve through process redesign:

  • Streamlined data processes to reduce duplicative data entry 
  • Automated and aligned manual data collection processes 
  • Integrated siloed health information systems
  • Focused activities to maximize staff strengths
  • Increased process transparency to improve communication and collaboration 

By placing the consumer experience at the core of all services, state health departments can redesign business and technical processes to optimize the continuum of care. A comprehensive approach takes into account all aspects that contribute to the delivery of behavioral health services, including both administrative and financial processes. This helps ensure interconnected activities continue to be performed efficiently and effectively. Such improvements help consumers with co-occurring disorders (mental illness and substance use disorder) and/or developmental disorders find “no wrong door” when seeking care. 

Establish a strategic plan of action to address the impact of the COVID-19 pandemic

With the influx of available dollars resulting from the American Recovery Plan Act and other state and federal investments, health departments have a unique opportunity to fund specific initiatives to enhance the delivery and administration of behavioral health services. Understanding how to allocate the millions of newly awarded dollars in an impactful and sustainable way can be challenging. Furthermore, the additional reporting and compliance requirements linked to the funding can be difficult to navigate in addition to current monitoring obligations. 

The best way to begin using the available funding is to develop and implement strategic plans that optimize funds for behavioral health programs and services. You can establish priorities and identify sustainable solutions that build capacity, streamline operations, and promote the equitable distribution of care across populations. A few of the activities state health departments have undertaken resulting from the strategic planning initiatives include: 

  • Modernizing IT systems, including data management solutions and Electronic Health Records systems to support inpatient, outpatient, and community mental health and substance use programs 
  • Promoting organizational change management 
  • Establishing grant programs for community-driven solutions to promote health equity for the underserved population
  • Organizing, managing, and/or supporting stakeholder engagement efforts to effectively collaborate with internal and external stakeholders for a strong and comprehensive approach

The prevalence of mental illness and substance use disorder were areas of concern prior to COVID-19, and the pandemic has only made these issues worse, while adding more administrative challenges. State health departments have had to redirect their existing staff to work to address COVID-19, leaving a limited capacity to manage existing state-level programs and little to no capacity to plan and implement new initiatives. 

The federal administration and HHS are working to provide financial support to states to work to address these exacerbated health concerns; however, with the limited state capacity, states need additional support to plan, implement, and/or manage new initiatives. BerryDunn has a wide breadth of knowledge and experience in conducting needs assessments, redesigning processes, and establishing strategic plans that are aimed at amplifying the impact of state programs. Contact our behavioral health consulting team to learn more about how we can help. 

Sources:
Mental Health, Substance Use, and Suicidal Ideation During the COVID-19 Pandemic, CDC.gov
COVID-19 Pandemic Impact on Harm Reduction Services: An Environmental Scan, thenationalcouncil.org
National Council for Behavioral Health Polling Presentation, thenationalcouncil.org
The Impact of COVID-19 on Syringe Services Programs in the United States, nih.gov
COVID-19 Pandemic Impact on Harm Reduction Services: An Environmental Scan, thenationalcouncil.org
COVID-19-Related Treatment Service Disruptions Among People with Single- and Polysubstance Use Concerns, Journal of Substance Abuse Treatment
Issue Brief: Nation’s Drug-Related Overdose and Death Epidemic Continues to Worsen, American Medical Association
Increase in Fatal Drug Overdoses Across the United States Driven by Synthetic Opioids Before and During the COVID-19 Pandemic, CDC.gov
Provisional Drug Overdose Death Counts, CDC.gov
10 Fiscal Year 2022 Budget in Brief: Strengthening Health and Opportunity for All Americans, HHS.gov

Article
COVID's impact on behavioral health: Solutions for state agencies

Read this if you are a Chief Financial Officer, Chief Compliance Officer, FINOP, or charged with governance of a broker-dealer.

The results of the Public Company Accounting Oversight Board’s (PCAOB) 2020 inspections are included in its 2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers. There were 65 audit firms inspected in 2020 by the PCAOB and, although deficiencies declined 11% from 2019, 51 firms still had deficiencies. This high level of deficiencies, as well as the nature of the deficiencies, provides insight into audit quality for broker-dealer stakeholders. Those charged with governance should be having conversations with their auditor to see how they are addressing these commonly found deficiencies and asking if the PCAOB identified any deficiencies in the auditor’s most recent examination. 

If there were deficiencies identified, what actions have been taken to eliminate these deficiencies going forward? Although the annual report on the Interim Inspection Program acts as an auditor report card, the results may have implications for the broker-dealer, as gaps in audit quality may mean internal control weaknesses or misstatements go undetected.

Attestation Standard (AT) No. 1 examination engagements test compliance with the financial responsibility rules and the internal controls surrounding compliance with the financial responsibility rules. The PCAOB examined 21 of these engagements and found 14 of them to have deficiencies. The PCAOB continued to find high deficiency rates in testing internal control over compliance (ICOC). They specifically found that many audit firms did not obtain sufficient, appropriate evidence about the operating effectiveness of controls important to the auditor’s conclusions regarding the effectiveness of ICOC. This insufficiency was widespread in all four areas of the financial responsibility rules: the Reserve Requirement rule, possession or control requirements of the Customer Protection Rule, Account Statement Rule, and the Quarterly Security Counts Rule.

The PCAOB also identified a firm that included a statement in its examination report that referred to an assertion by the broker-dealer that its ICOC was effective as of its fiscal year-end; however, the broker-dealer did not include that required assertion in its compliance report.

AT No. 2 review engagements test compliance with the broker-dealer’s exemption provisions. The PCAOB examined 83 AT No. 2 engagements and found 19 of them to have deficiencies. The most significant deficiencies were that audit firms:

  • Did not make required inquiries, including inquiries about controls in place to maintain compliance with the exemption provisions, and those involving the nature, frequency, and results of related monitoring activities.
  • Similar to AT No. 1 engagements, included a statement in their review reports that referred to an assertion by the broker-dealer that it met the identified exemption provisions throughout the most recent fiscal year without exception; however, the broker-dealers did not include that required assertion in their exemption reports.

The majority of the deficiencies found were in the audits of the financial statements. The PCAOB did not examine every aspect of the financial statement audit, but focused on key areas. These areas were: revenue, evaluating audit results, identifying and assessing risks of material misstatement, related party relationships and transactions, receivables and payables, consideration of an entity’s ability to continue as a going concern, consideration of materiality in planning and performing an audit, leases, and fair value measurements. Of these areas, revenue and evaluating audit results had the most deficiencies, with 45 and 27 deficiencies, or 47% and 26% of engagements examined, respectively.

Auditing standards indicate there is a rebuttable presumption that improper revenue recognition is a fraud risk. In the PCAOB’s examinations, most audit firms either identified a fraud risk related to revenue or did not rebut the presumption of revenue recognition as a fraud risk. These firms should have addressed the risk of material misstatement through appropriate substantive procedures that included tests of details. The PCAOB noted there were instances of firms that did not perform any procedures for one or more significant revenue accounts, or did not perform procedures to address the assessed risks of material misstatement for one or more relevant assertions for revenue. The PCAOB also identified deficiencies related to revenue in audit firms’ sampling methodologies and substantive analytical procedures. Other deficiencies of note, that were not revenue related, included:

  • Incomplete qualitative and quantitative disclosure information, specifically in regards to revenue from contracts with customers and leases.
  • Missing required elements from the auditor’s report.
  • Missing auditor communications:
    • Not inquiring of the audit committee (or equivalent body) about whether it was aware of matters relevant to the audit.
    • Not communicating the audit strategy and results of the audit to the audit committee (or equivalent body).
  • Engagement quality reviews were not performed for some audit and attestation engagements.
  • Audit firms assisted in the preparation of broker-dealer financial statements and supplemental information.

Although there have been improvements in the amounts of deficiencies found in the PCAOB’s examinations, the 2020 annual report shows that there is still work to be done by audit firms. Just like auditors should be inquiring of broker-dealer clients about the results of their most recent FINRA examination, broker-dealers should be inquiring of auditors about the results of their most recent PCAOB examination. Doing so will help broker-dealers identify where their auditor may reside on the audit quality spectrum. If you have any questions, please don’t hesitate to reach out to our broker-dealer services team.

Article
2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers

Read this if you are a director or manager at a Health and Human Services agency in charge of modernizing your state's Health and Human Services systems.

With stream-lined applications, online portals, text updates, and one-stop offices serving programs like Medicaid, SNAP, and Child Welfare, states are rapidly adopting integrated systems serving multiple programs. As state leaders collaborate on system design and functionality to meet federal and state requirements, it is equally important to create a human-centered design built for the whole family.

We know families are comprised of a variety of people with various levels of need, and blended families ranging from grandparents to infants may qualify for a variety of programs. We may connect with families who are on Medicaid, aged and disabled or SNAP, but also have cases within child support or with child welfare. 

If your state is considering updating a current system, or procuring for an innovative design, there are key strategies and concepts to consider when creating a fully integrated system for our most vulnerable populations. Below are a few advantages for building a human-centric system:

  • The sharing of demographic, contact, and financial information reduces duplication and improves communication between state entities and families seeking services
  • Improvement of business services and expedited eligibility determinations, as a human-centric model gathers information upfront to reduce a stream of verification requests
  • The cost of ownership decreases when multiple programs share design costs
  • Client portals and services align as a family-focused model

Collaboration and integrated design

How many states use a separate application for Medicaid and SNAP? More specifically, is the application process time consuming? Is the same information requested over and over for each program? 

How efficient (and wonderful) would it be for clients to complete task-based questions, and then each program could review the information separately for case-based eligibility? How can you design an integrated system that aligns with business and federal rules, and state policy?

Once your state has decided a human-centered design would be most beneficial, you can narrow your focus—whether you are already in the RFP process, or within requirements sessions. You can stop extraneous efforts, and change your perspective by asking the question: How can we build this for the entire family? The first step is to see beyond your specific program requirements and consider the families each program serves. 

Integrated design is usually most successful when leaders and subject matter experts from multiple programs can collaborate. If all personnel are engaged in an overarching vision of building a system for the family, the integrated design can be fundamentally successful, and transforming for your entire work environment across agencies and departments.

Begin with combining leadership and subject matter experts from each geographic region. Families in the far corners of our states may have unique needs or challenges only experts from those areas know about. These collaborative sessions provide streamlined communications and ideas, and empower staff to become actively involved and invested in an integrated system design. 

Next, delve into the core information required from each family member and utilize a checklist to determine if the information meets the requirements of the individual programs. Finally, decide which specific data can streamline across programs for benefit determinations. For example, name, address, age, employment, income, disability status, and family composition are standard pieces of information. However, two or more programs may also require documentation on housing, motor vehicle, or retirement accounts.

Maintaining your focus on the families you serve

When designing an integrated system, it is easy to lose focus on the family and return to program-specific requirements. Your leaders and subject matter experts know what their individual programs need, which can lead to debates over final decisions regarding design. It is perfectly normal to develop tunnel vision regarding our programs because we want to meet regulations and maintain funding.

Below are recommendations for maintaining your focus on building for the family, which can start as soon as the RFP. 

  • Emphasize RFP team accountability
    • Everyone should share an array of family household examples who benefit from the various programs (Medicaid, SNAP, TANF, etc.), to help determine how to deliver a full spectrum of services. 
    • Challenge each program with writing their program-specific sections of the RFP and have one person combine the responses for a review session.
  • If the integrated system design is in the requirements phase, brainstorm scenarios, like the benefit example provided in recommendation number one. When information is required by one program, but not another, can the team collaborate and include the information knowing it could benefit an entire family?
  • When considering required tasks, and special requests, always ask: Will this request/change/enhancement help a family, or help staff assist a family?
  • Consider a universal approach to case management. Can staff be cross trained to support multiple programs to reduce transferring clients to additional staff?

We understand adopting a human-centered design can be a challenging approach, but there are options and approaches to help you through the process. Just continue to ask yourself, when it comes to an integrated approach, are you building the system for the program or for the family?

Article
Integrated design and development for state agencies: Building for the family

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on State Medicaid Enterprise System (MES) certification or modernization efforts.

As states transition to the Centers for Medicare & Medicaid Services' (CMS) Outcomes-Based Certification (OBC), many jurisdictions are also implementing (or considering implementation of) an Integrated Eligibility System (IES). Federal certification for a standalone Medicaid Enterprise System (MES) comes with its own challenges, especially as states navigate the recent shift to OBC for Medicaid Eligibility and Enrollment (E&E) services. Certification in the context of an IES creates a whole new set of considerations for states, as Medicaid eligibility overlaps with that of benefit programs like the Supplemental Nutrition Assistant Program (SNAP), Temporary Assistance for Needy Families (TANF), and others. We’ve identified the following areas for consideration in your own state's IES implementation: 

  • Modernizing MES 
    It's likely your state has considered the pros and cons of implementing an IES, since CMS' announcement of increased federal funds for states committed to building new and/or enhanced Medicaid systems. Determining whether an IES is the right solution is no small undertaking. From coordinating on user design to system security, development of an IES requires buy-in across a wider range of programs and stakeholders. Certification will look different from that of a standalone MES. For example, your state will not only need to ensure compliance with CMS' Minimum Acceptable Risk Standards for Exchanges (MARS-E), but also account for sensitive data, such as medical information, across program interfaces and integration. 

    BerryDunn recommends one of the first steps states take in the planning phase of their IES implementation is to identify how they will define their certification team. Federal certification itself does not yet reflect the level of integration states want to achieve with an IES, and will require as much subject matter expertise per program included in the IES as it requires an understanding of your state's targeted integration outcomes and desired overlap among programs.
  • Scale and scope of requirements
    Once your agency commits to designing an IES, the scope of its solution becomes much broader. With this comes a wider range of contract requirements. Requirements can be program-specific (e.g., relevant only to Medicaid) or program-agnostic (e.g., general technical, "look-and-feel", and security requirements that apply throughout the solution). Common requirements across certain programs (e.g., certain eligibility criteria) will also need to be determined. Requirements validation and the development of Requirements Traceability Matrixes (RTM) per program are critical parts of the development phase of an IES implementation.

    BerryDunn recommends a comprehensive mapping process of requirements to OBC and other federal certification criteria, to ensure system design is in compliance with federal guidance prior to entering go/no-go for system testing phases.
  • Outcomes as they apply across programs
    CMS' transition to OBC changed the way states define their Medicaid program outcomes. Under this new definition outcomes are the value-add, or the end result, a state wishes to achieve as the result of its Medicaid eligibility solution enhancements. In the context of an IES, Medicaid outcomes have to be considered in terms of their relation to other programs. For example, presumptive eligibility (PE) between SNAP and Medicaid and/or cross-program referrals might become more direct outcomes when there is an immediate data exchange between and among programs.

    BerryDunn recommends consideration of what you hope to achieve with your IES implementation. Is it simply an upgrade to an antiquated legacy system(s), or is the goal ultimately to improve data sharing and coordination across benefit programs? While certification documentation is submitted to individual federal agencies, cross-program outcomes can be worked into your contract requirements to ensure they are included in IES business rules and design.
  • Cost allocation
    In the planning phase of any Design, Development, and Implementation (DDI) project, states submit an Advance Planning Document (APD) to formally request Federal Financial Participation (FFP), pending certification review and approval. This APD process becomes more complex in an IES, as states need to account for FFP from federal programs in addition to CMS as well as develop a weighted cost allocation methodology to distribute shares equitably across benefit programs.

    BerryDunn recommends States utilize the U.S. Department of Health & Human Services (HHS), Administration for Children & Families (ACF), Office of Child Support Enforcement's (OCSE) Cost Allocation Methodologies (CAM) Toolkit to inform your cost allocation model across benefit programs, as part of the APD development process
  • Timeline
    A traditional MES implementation timeline accounts for project stages such as configuration sessions, requirement mapping, design validation, testing, CMS' Operational Readiness Review (ORR), etc. The project schedule for an IES is dependent on additional factors and variables. Scheduling of federal certification reviews for OBC and/or other programs might be held up by project delays in another area of the implementation, and project teams must be agile enough to navigate such changes

    BerryDunn recommends development of a thoughtful, comprehensive project schedule allowing ample time for each project phase across programs. We also recommend states cultivate relationships with federal partners including, but not limited to, CMS, to communicate when a development delay is anticipated. Engaging federal partners throughout the DDI phases will be a critical part of your IES implementation.

In theory, an IES benefits stakeholders on both sides of the system. Caseworkers avoid duplication of efforts, reduce administrative costs, and ensure program integrity, while individuals and families on the receiving end of public benefit programs experience a more efficient, streamlined application process. In practice, the development of a comprehensive business rules, case management, and workflow system across human services programs can prove to be a heavy lift for states, including but not limited to considerations around certification to secure FFP. Planning for the implications of an IES implementation ahead of time will go a long way in preparing your agency and state for this comprehensive certification effort.
 
For further reading
Keep an eye out for the next blog in this series, highlighting certification guidelines across an IES implementation (for CMS and other Federal programs). You can read more on OBC here

If you have questions about your specific situation, please contact the Medicaid Consulting team. We’re here to help. 

Article
States transition to Outcomes-Based Certification: Considerations and recommendations

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification or modernization efforts.

You can listen to the companion podcast to this article, Organization development: Shortcuts for states to consider, here: 

Over the last two years, the Centers for Medicare and Medicaid Services (CMS) has undertaken an effort to streamline MES certification. During this time, we have been fortunate enough to be a trusted partner in several states working to evolve the certification process. Through this collaboration with CMS and state partners, we have been in front of recent certification trends. The content we are covering is based on our experience supporting states with efforts related to CMS certification. We do not speak for CMS, nor do we have the authority to do so.

What organization development (OD) shortcuts can state Medicaid agencies consider when faced with competing priorities and challenges such as Medicaid modernization projects in flight, staffing shortages, and a retiring workforce?

The shortcuts include rapid development and understanding of the “why”. This requires the courage to challenge assumptions, especially around transparency, to allow for a consistent understanding of the needs, data, environment, and staff members’ role in impacting the health of the people served by a state’s Medicaid program. To rapidly gain an understanding of the “why”, state Medicaid agencies should:

  1. Accelerate the transparency of information and use of data in ways that lead to a collective understanding of the “why”. Accelerating a collective understanding of the why requires improved communication mechanisms. 
  2. Invest time to connect with staff. The insistence, persistence, and consistency of leaders to stay connected to their workforce will help keep the focus on the “why” and build a shared sense of connection and purpose among teams.
  3. Create the standard that planning involves all stakeholders (e.g., policy, operations, systems staff, etc.) and focus on building consensus and alignment throughout the organization. During planning, identify answers to the following questions: What are we trying to achieve, what are the outcomes, and what is the vision for what we are trying to do?
  4. Question any fragmentation. For example, if there is a hiring freeze, several staff are retiring, and demand is increasing, it is a good idea to think about how the organization manages people. Question boundaries related to your staff and the business processes they perform (e.g., some staff can only complete a portion of a business process because of a job classification). Look at ways to broaden the expectations of staff, eliminate unnecessary handoffs, and expect development. Leaders and teams work together to build a culture that is vision-driven, data-informed, and values-based.

What are some considerations when organizations are defining program outcomes and the “why” behind what they are doing? 

Keep in mind that designing system requirements is not the same as designing program outcomes. System requirements need to be able to deliver the outcomes and the information the organization needs. With something like a Medicaid Enterprise System (MES) modernization project, outcomes are what follow because of a successful project or series of projects. For example, a state Medicaid agency looking to improve access to care might develop an outcome focused on enabling the timely and accurate screening and revalidation for Medicaid providers. 

Next, keeping with the improving access to care example, state Medicaid agencies should define and communicate the roles technology and staff play in helping achieve the desired outcome and continue communicating and helping staff understand the “why”. In Medicaid we impact people’s lives, and that makes it easy to find the heart. Helping staff connect their own motivation and find meaning in achieving an outcome is key to help ensure project success and realize desired outcomes. 

Program outcomes represents one of the six major categories related to organizational health: 

  1. Leadership
  2. Strategy
  3. Workforce
  4. Operations and process improvement 
  5. Person-centered service
  6. Program outcomes

Focusing on these six key areas during the analysis, planning, development, and integration will help organizations improve performance, increase their impact, and achieve program outcomes. Reach out to the BerryDunn’s Medicaid and Organization Development consulting team for more information about how organization develop can help your Medicaid agency.
 

Article
Outcomes and organization development, part II