Listen to: "Understanding MARS-E Compliance: Health Insurance Exchanges Security"
If your organization is an Affordable Care Act administering entity — or a contractor or subcontractor thereof — you’re required to be in compliance with MARS-E. But what exactly is MARS-E, how does it affect your organization and how can you ensure you stay compliant?
What Is MARS-E?
In 2010, the Patient Protection and Affordable Care Act — or ACA — was enacted, creating the state and federal health insurance exchanges — also referred to as marketplaces. Under Section 1561 of the ACA, the Department of Health and Human Services — or HHS — is required to develop secure protocols and standards that enable the safe electronic enrollment of individuals in these marketplaces.
Since there’s no single comprehensive approach to privacy and security that aligns with all federal requirements, in 2012, the Centers for Medicare and Medicaid Services — or CMS — published the Minimum Acceptable Risk Standards for Exchanges — or MARS-E. It was based on the National Institute of Standards and Technology — or NIST — Special Publication 800-53 and provided security guidelines for federal and state marketplaces regarding federal tax information, protected health information and personally identifiable information of U.S. residents and citizens. It also provided guidelines for federal and state health exchanges, as well as their contractors, concerning the minimum level of security controls that need to be established and implemented in order to protect the data and information systems CMS manages.
In 2015, CMS released MARS-E 2.0 to align with the updated security guidelines as published in NIST Special Publication 800-53r4, which addressed the increasing challenges to online security, including advanced persistent threats; insider threats; supply chain risks; application security; and the assurance, trustworthiness and resilience of cloud and mobile computing systems. As such, MARS-E 2.0 provided updated guidelines to address the availability, confidentiality and integrity of protected health information, personally identifiable information and federal tax information in health exchanges.
How Does MARS-E Affect Your Organization?
MARS-E imposes Federal Information Security Management Act — or FISMA — requirements, Health Insurance Portability and Accountability Act — or HIPAA — requirements and several other stringent sets of federal requirements onto ACA administering entities. This includes federal and state marketplaces or exchanges, state Medicaid agencies, state agencies administering the Basic Health Program and Children’s Health Insurance Program agencies. It also imposes them on their contractors or subcontractors — in short, on any organization that handles protected health information, personally identifiable information or federal tax information of U.S. citizens and residents.
That means your organization needs to establish and implement policies and procedures aimed at protecting data security and privacy under the ACA. These policies and procedures need to be managed effectively so they’re adhered to throughout the organization — plus, they need to be adapted when required by any updates to MARS-E. In addition, you may need to provide attestation of your organization’s compliance with MARS-E by having your policies and procedures audited by an independent third party.
Note that failure to be in compliance with MARS-E 2.0 can result in hefty penalties.
How Can You Stay Compliant?
Currently, there is no formal certification process for MARS-E. However, the following are a few strategies that you can employ to ensure you’re in compliance with MARS-E 2.0:
1. Comply with FedRAMP standards.
FedRAMP is a government-wide initiative that offers a standardized approach to authorization, security assessment and ongoing monitoring for cloud services and products. Although FedRAMP does not specifically focus on MARS-E, the MARS-E control requirements and objectives are very closely aligned. Because FedRAMP includes controls that go above and beyond the standard NIST Special Publication 800-53r4 to address the unique challenges faced in cloud environments, it ensures that all federal information is kept secure in cloud environments.
2. Have a Readiness Assessment Performed.
If you’re looking for guidance before an attestation engagement, we can perform a readiness assessment to identify gaps in your compliance with respect to MARS-E.
3. Develop New Policies and Procedures Based on MARS-E 2.0.
This requires the careful assessment of your current state in relation to MARS-E 2.0, as well as the creation of a roadmap to achieve the desired state that can be implemented throughout the organization. It also involves the independent assessment by a third party to attest that your systems and processes are MARS-E 2.0 compliant.
Do You Need General Consulting & Training on MARS-E Compliance Requirements?
If your organization needs to be MARS-E 2.0 compliant, contact IS Partners LLC for expert help. We can assist you in determining whether or not your organization is compliant. For more information, please call us at 215-675-1400, or request a quote online.