MARS-E Compliance

What is MARS-E

Federal and state health insurance exchanges (HIXs) were established after the Patient Protection and Affordable Care Act (ACA) was passed in 2010. As a result, the Minimum Acceptable Risk Standards for Exchanges (MARS-E) was published by the Centers for Medicare and Medicaid Services (CMS) to ensure patient health information and federal tax information are handled securely. MARS-E is a set of privacy and security standards for ACA administering entities, as well as their contractors and sub-contractors, put in place to allow people to safely enroll electronically in these marketplaces.

MARS-E applies to the following organizations:

• Federal and state marketplaces or exchanges
• State Medicaid agencies
• State agencies that administer the Basic Health Program or Children’s Health Insurance Program
• Contractors and subcontractors of the above organizations

How to Achieve MARS-E Compliance

There isn’t a formal MARS-E certification program. Marketplaces and exchanges must submit annual Security Assessment Reports to the CMS. Contractors and sub-contractors can provide their reports to customers and prospects as needed to secure new business.

The MARS-E security framework mirrors NIST 800-53, which consists of 20 control families. Within those 20 families are more than 1,000 individual controls. Organizations can customize their scope to meet their specific needs. The NIST 800-53 control families are:

• Access Control
• Awareness and Training
• Audit and Accountability
• Assessment, Authorization, and Monitoring
• Configuration Management
• Contingency Planning
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• Planning
• Program Management
• Personnel Security
• Personally Identifiable Information (PII) Processing and Transparency
• Risk Assessment
• System and Services Acquisition
• System and Communications Protection
• System and Information Integrity
• Supply Chain Risk Management

MARS-E privacy controls fall into the following domains:

• Authority and purpose
• Accountability, audit, and risk management
• Data quality and integrity
• Data minimization and retention
• Individual participation and redress
• Security
• Transparency
• Use limitation

MARS-E and HIPAA

MARS-E streamlines compliance with several federal requirements, including HIPAA and FISMA for ACA-administering entities and their contractors. HIPAA compliance does not always check every box for MARS-E compliance, but organizations compliant with HIPAA’s privacy, security, and breach notification rules will be in a good position to start their MAR-S journey. A HIPAA compliance report does not meet CMS reporting requirements; a MARS-E compliance assessment is needed to meet ACA requirements.

The Risks of Noncompliance

If your organization is an ACA administering entity, or a contractor/subcontractor, it needs to be MARS-E compliant. Failure to do so can result in significant fines.

How We Can Help

CompliancePoint's MARS-E assessment process helps state-sponsored HIXs reach compliance with the MARS-E framework. Our experts can help you assess your current compliance status, develop the necessary policies and procedures, and develop an action plan for remediation and ongoing compliance.