Understanding the Minimum Acceptable Risk Standards for Exchanges (MARS-E)
The purpose of the Minimum Acceptable Risk Standards for Exchanges (MARS-E) is to provide a baseline of security guidance that Exchanges can use when implementing and operating the IT systems that support the Affordable Care Act (ACA).
MARS-E provides guidance to Exchanges and their contractors on the minimum set of security controls that must be implemented to protect information and information systems for which the Centers for Medicare & Medicaid Services (CMS) has oversight responsibility.
Each Exchange system owner is responsible for implementing the security controls defined in MARS-E, together with any state-specific security and privacy requirements, to protect personally identifiable information (PII) against anticipated threats and unlawful use.
Depending on the information processed, an Exchange’s IT system may be required to meet additional security control requirements as mandated by specific federal, state, legal, program, or accounting sources.
For example, depending on the data being processed, an Exchange may be a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH); when an Exchange handles protected health information (PHI), it is subject to these laws. In addition, Internal Revenue Code (IRC) 26 U.S.C. §6103 applies if an Exchange IT system receives Federal Tax Information (FTI). Exchanges must therefore build their IT systems to comply with these more stringent standards whenever they apply.
Exchanges must document these requirements and the control implementation details in their System Security Plans (SSPs), and must identify system risks in an Information Security (IS) Risk Assessment (RA). The guidance in MARS-E neither relieves nor waives any other applicable federal, state, or other law, guidance, policy, or standard.
Section 155.260(a)(3) of the HHS Final Rule on ACA Exchanges requires each Exchange to establish and implement privacy and security standards consistent with the principles stated in §155.260 of the Rule.
MARS-E Compliance Hurdles
There is no single integrated, comprehensive approach to security and privacy that covers all of the applicable federal requirements under FISMA, HIPAA, HITECH, the ACA, the Privacy Act, and the Tax Information Safeguarding Requirements, as well as state and other federal regulations.
The laws and guidance issued by other federal agencies and by the National Institute of Standards and Technology (NIST) remain the authoritative sources; MARS-E supplements them rather than replacing them. As noted above, depending on the information it processes, an Exchange's IT system may have to meet additional security control requirements mandated by specific federal, state, legal, program, or accounting sources: HIPAA regulations and standards when it handles PHI, and IRC §6103 when it receives FTI. Exchanges must build their IT systems to comply with these more stringent standards whenever they apply, and MARS-E neither relieves nor waives any other applicable federal, state, or other law, guidance, policy, or standard.
Applicable federal laws and regulations to consider:
1.) The Federal Information Security Management Act (FISMA), which governs the development, documentation, and implementation of programs to provide security for information and information systems
2.) The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which establishes national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers, and sets forth privacy and security standards for handling health information
3.) The Department of Health and Human Services Final Rule on Exchange Establishment Standards and Other Related Standards under the Affordable Care Act, 45 CFR Parts 155, 156, and 157, March 12, 2012, which establishes the privacy and security controls required for processing Exchange applicant information
4.) The Internal Revenue Code (IRC), 26 U.S.C. §6103, which establishes criteria for handling Federal Tax Information (FTI)
5.) The Privacy Act of 1974, which places limitations on the collection, disclosure, and use of certain personal information, including PHI; numerous other federal and state regulations likewise affect how information must be secured
6.) The E-Government Act of 2002, which requires federal agencies to conduct privacy impact assessments (PIAs) when collecting, maintaining, and disseminating PII
7.) The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), which promotes the adoption and meaningful use of health information technology (HIT) and strengthens HIPAA's privacy and security requirements
8.) State statutes, such as California Senate Bill (SB) 1381, which protect the privacy of PII and PHI to varying degrees
To help Exchanges and common program enrollment systems meet this myriad of security requirements, CMS developed the Minimum Acceptable Risk Standards for Exchanges – Exchange Reference Architecture Supplement (hereafter simply "MARS-E").
How we can help ease the burden of implementing MARS-E
Given all of these nuances, Praetorian Secure LLC drew on its long history in compliance consulting to develop a service offering that guides organizations through the complex issues of comprehensive compliance using a simpler, more structured approach. In addition, through our managed security services division, Managed Defense LLC, we designed a program that provides managed security services and software to demonstrate compliance.
Need MARS-E compliance and implementation consulting?
We can help. Call 1.855.519.7328.