What is MARS-E

Federal and state health insurance exchanges (HIXs) were established after the Patient Protection and Affordable Care Act (ACA) was passed in 2010. As a result, the Minimum Acceptable Risk Standards for Exchanges (MARS-E) was published by the Centers for Medicare and Medicaid Services (CMS) to ensure patient health information and federal tax information are handled securely. MARS-E is a set of privacy and security standards for ACA administering entities, as well as their contractors and sub-contractors, put in place to allow people to safely enroll electronically in these marketplaces.

MARS-E applies to the following organizations:

  • Federal and state marketplaces or exchanges
  • State Medicaid agencies
  • State agencies that administer the Basic Health Program or Children’s Health Insurance Program
  • Contractors and subcontractors of the above organizations

How to Achieve MARS-E Compliance

There isn’t a formal MARS-E certification program. Marketplaces and exchanges must submit annual Security Assessment Reports to the CMS. Contractors and sub-contractors can provide their reports to customers and prospects as needed to secure new business.

The MARS-E security framework mirrors NIST 800-53, which consists of 20 control families. Within those 20 families are more than 1,000 individual controls. Organizations can customize their scope to meet their specific needs. The NIST 800-53 control families are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Assessment, Authorization, and Monitoring
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Personnel Security
  • Personally Identifiable Information (PII) Processing and Transparency
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Supply Chain Risk Management

MARS-E privacy controls fall into the following domains:

  • Authority and purpose
  • Accountability, audit, and risk management
  • Data quality and integrity
  • Data minimization and retention
  • Individual participation and redress
  • Security
  • Transparency
  • Use limitation

MARS-E and HIPAA

MARS-E streamlines compliance with several federal requirements, including HIPAA and FISMA, for ACA-administering entities and their contractors. HIPAA compliance does not always check every box for MARS-E compliance, but organizations compliant with HIPAA’s privacy, security, and breach notification rules will be in a good position to start their MARS-E journey. A HIPAA compliance report does not meet CMS reporting requirements; a MARS-E compliance assessment is needed to meet ACA requirements.

The Risks of Noncompliance

If your organization is an ACA administering entity, or a contractor/subcontractor, it needs to be MARS-E compliant. Failure to do so can result in significant fines.

How We Can Help

CompliancePoint's MARS-E assessment process helps state-sponsored HIXs reach compliance with the MARS-E framework. Our experts can help you assess your current compliance status, develop the necessary policies and procedures, and develop an action plan for remediation and ongoing compliance.

Why take chances? Failure to comply with relevant requirements can have a devastating impact on your organization and lead to hefty penalties.