
If your organization is an Affordable Care Act administering entity — or a contractor or subcontractor thereof — you’re required to be in compliance with MARS-E. But what exactly is MARS-E, how does it affect your organization and how can you ensure you stay compliant?

What Is MARS-E?

In 2010, the Patient Protection and Affordable Care Act — or ACA — was enacted, creating the state and federal health insurance exchanges — also referred to as marketplaces. Under Section 1561 of the ACA, the Department of Health and Human Services — or HHS — is required to develop secure protocols and standards that enable the safe electronic enrollment of individuals in these marketplaces.

Since there’s no single comprehensive approach to privacy and security that aligns with all federal requirements, in 2012 the Centers for Medicare and Medicaid Services — or CMS — published the Minimum Acceptable Risk Standards for Exchanges — or MARS-E. It was based on the National Institute of Standards and Technology — or NIST — Special Publication 800-53 and provided security guidelines for federal and state marketplaces regarding federal tax information, protected health information and personally identifiable information of U.S. residents and citizens. It also provided guidelines for federal and state health exchanges, as well as their contractors, concerning the minimum level of security controls that must be established and implemented in order to protect the data and information systems CMS manages.

In 2015, CMS released MARS-E 2.0 to align with the updated security guidelines as published in NIST Special Publication 800-53r4, which addressed the increasing challenges to online security, including advanced persistent threats; insider threats; supply chain risks; application security; and the assurance, trustworthiness and resilience of cloud and mobile computing systems. As such, MARS-E 2.0 provided updated guidelines to address the availability, confidentiality and integrity of protected health information, personally identifiable information and federal tax information in health exchanges.

How Does MARS-E Affect Your Organization?

MARS-E imposes Federal Information Security Management Act — or FISMA — requirements, Health Insurance Portability and Accountability Act — or HIPAA — requirements and several other stringent sets of federal requirements onto ACA administering entities. This includes federal and state marketplaces or exchanges, state Medicaid agencies, state agencies administering the Basic Health Program and Children’s Health Insurance Program agencies. It also imposes them on their contractors and subcontractors — in short, on any organization that handles protected health information, personally identifiable information or federal tax information of U.S. citizens and residents.

That means your organization needs to establish and implement policies and procedures aimed at protecting data security and privacy under the ACA. These policies and procedures need to be managed effectively so they’re adhered to throughout the organization — plus, they need to be adapted when required by any updates to MARS-E. In addition, you may need to provide attestation of your organization’s compliance with MARS-E by having your policies and procedures audited by an independent third party.

Note that failure to be in compliance with MARS-E 2.0 can result in hefty penalties.

How Can You Stay Compliant?

Currently, there is no formal certification process for MARS-E. However, the following are a few strategies that you can employ to ensure you’re in compliance with MARS-E 2.0:

1. Comply with FedRAMP standards.

This is a government-wide initiative that offers a standardized approach to authorization, security assessment and ongoing monitoring for cloud services and products. Although FedRAMP does not specifically focus on MARS-E, the MARS-E control requirements and objectives are very closely aligned with it. Because FedRAMP includes controls that go above and beyond the standard NIST Special Publication 800-53r4 baseline to address the unique challenges faced in cloud environments, it helps ensure that federal information is kept secure in those environments.

2. Have a Readiness Assessment Performed.

If you’re looking for guidance before an attestation engagement, we can perform a readiness assessment to identify gaps in your compliance with respect to MARS-E.

3. Develop New Policies and Procedures Based on MARS-E 2.0.

This requires the careful assessment of your current state in relation to MARS-E 2.0, as well as the creation of a roadmap to achieve the desired state that can be implemented throughout the organization. It also involves the independent assessment by a third party to attest that your systems and processes are MARS-E 2.0 compliant.

Do You Need General Consulting & Training on MARS-E Compliance Requirements?

If your organization needs to be MARS-E 2.0 compliant, contact IS Partners LLC for expert help. We can assist you in determining whether or not your organization is compliant. For more information, please call us at 215-675-1400, or request a quote online.
