Minimum Acceptable Risk Standards For Exchanges (MARS-E)

The enactment of the Patient Protection and Affordable Care Act (ACA) of 2010 led to the creation of the federal and state Health Insurance Exchanges (HIXs, or marketplaces), which facilitate the purchase of health insurance by consumers and small businesses. The Exchanges handle Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI), and their functions depend on data exchanged with several federal agencies, including the Department of Health and Human Services (HHS), the Internal Revenue Service (IRS), the Social Security Administration (SSA), and the Department of Homeland Security (DHS).

The federal government is required by law to protect the security and privacy of its IT systems, the information held in those systems, and that information when it is shared with other parties. MARS-E, published by the Centers for Medicare &amp; Medicaid Services (CMS), defines the minimum set of security and privacy controls that Exchanges and other Administering Entities (AEs) must implement to keep risk to enrollee data at an acceptable level. It also aims to consolidate compliance with the many potentially applicable federal requirements, including FISMA, HIPAA, HITECH, the ACA, the IRS Tax Information Safeguarding Requirements (for FTI), and applicable state requirements.

If your organization is an ACA Administering Entity (AE) as defined under MARS-E, you are required to implement the policies, procedures, and technical controls necessary to protect the security and privacy of the information you handle, as mandated by the ACA.

AARC-360 can issue an Attestation of Compliance report for the MARS-E security standards in accordance with the AICPA's Statement on Standards for Attestation Engagements No. 18 (SSAE 18; AT-C Section 105, Concepts Common to All Attestation Engagements, and AT-C Section 315, Compliance Attestation). Alternatively, if the organization needs a report for internal use only, AARC-360 can issue an Assessment report presenting the results of our assessment, including any gaps identified against the MARS-E controls and recommendations for remediating them.