
Minimum Acceptable Risk Standards for Exchanges (MARS-E)

The enactment of the Patient Protection and Affordable Care Act (ACA) of 2010 led to the creation of the federal and state Health Insurance Exchanges (HIXs or marketplaces), which facilitate the purchase of health insurance by consumers and small businesses. The Exchanges handle Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI), and the functions of the Exchanges require data from various federal agencies, including the Department of Health and Human Services (HHS), Internal Revenue Service (IRS), Social Security Administration (SSA), and Department of Homeland Security (DHS).

The federal government is required by law to protect the security and privacy of its IT systems, the information contained within those systems, and the data it shares with other parties. For enrollees of Administering Entities (AEs), MARS-E defines a minimum set of standards for acceptable security risk that the Exchanges must address and aims to facilitate compliance with the myriad of potentially applicable federal requirements under FISMA, HIPAA, HITECH, ACA, Tax Information Safeguarding Requirements, and state requirements.

If your organization is defined as an ACA Administering Entity (AE) under MARS-E, you are required to implement policies and procedures necessary to protect the security and privacy of information as mandated by the ACA.

  • We will assist you by performing an attestation engagement to determine your organization’s compliance with the MARS-E requirements. We can also help you prepare for the attestation of compliance by performing a readiness assessment that identifies any gaps in your compliance with MARS-E and provides recommendations to remediate the identified gaps.

Other Compliance Solutions

We will evaluate the organization’s incident response and breach reporting procedures against the HITECH requirements.

We will issue a Findings and Recommendations report that will contain details of the procedures performed including documentation of the system..

The GLBA of 1999 requires financial institutions – companies that offer consumers financial products or services – to explain their information-sharing practices to their customers and to safeguard sensitive data.

