MARS-E Certification Minimum Acceptable Risk Standards for Exchanges

More information


Minimum Acceptable Risk Standards for Exchanges

The enactment of the Patient Protection and Affordable Care Act (ACA) of 2010 gave way to the creation of the federal and state Health Insurance Exchanges (HIXs or marketplaces) which facilitate the purchase of health insurance by consumers and small businesses.

The Exchanges handle Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) and the functions of the Exchanges require data from various federal agencies, including the Department of Health and Human Services (HHS), Internal Revenue Service (IRS), Social Security Administration (SSA), and Department of Homeland Security (DHS).

The federal government is required by law to protect the security and privacy of its IT systems, the information contained within those systems and with whom data is shared. For enrollees of Administering Entities(AEs), MARS-E defines a minimum set of standards for acceptable security risk that the Exchanges must address and aims to facilitate compliance with the myriad of potentially applicable federal requirements under FISMA, HIPAA, HITECH, ACA, Tax Information Safeguarding Requirements, and state requirements.

If your organization is defined as an ACA Administering Entity (AE) under MARS-E, you are required to implement policies and procedures necessary to protect the security and privacy of information as mandated by the ACA.

Policy Development and Management

We will assist you in developing the policies and procedures needed for compliance and certification and then help with the ongoing management of these policies and adherence to them across your organization.

ControlCase Attestation Services

We will assist you by performing an attestation engagement to determine your organization's compliance with the MARS-E requirements.

We can also assist you in getting prepared for the attestation of compliance by performing a readiness assessment that will identify any gaps in your compliance with respect to MARS-E and also provide you with recommendation to remediate the identified gaps.