Cyber Threat Report

MARS-E and the Impact on Healthcare Organizations


The healthcare industry is full of acronyms. ACA, HIPAA, HHS, CHIP, and MARS-E are just a few. Understanding them is critical to your organization's success.

Keep reading for a MARS-E guide that tells you what you need to know about these important standards.

What Is MARS-E?

The Minimum Acceptable Risk Standards for Exchanges, or MARS-E, is a set of privacy and security standards that applies to federal and state health exchanges under the Affordable Care Act (ACA). ACA administering entities, as well as their contractors and sub-contractors, must comply with MARS-E.

When Congress enacted the ACA, it required the Department of Health and Human Services (HHS) to develop protocols for securely handling sensitive data in healthcare exchanges. No comprehensive federal privacy and security policy for the exchanges existed at the time. The Centers for Medicare and Medicaid Services (CMS) published MARS-E to fill that gap.

MARS-E provides guidelines for federal and state marketplaces regarding:

  • Federal tax information
  • Protected health information
  • Personally identifiable information of marketplace users

These guidelines define the minimum security standards necessary to protect this data.

NIST Special Publication 800-53

CMS based MARS-E on NIST Special Publication 800-53. NIST SP 800-53 is a catalog of security and privacy controls for federal information systems, together with guidance for selecting, tailoring, and assessing those controls. Control selection is driven by risk, cost-effectiveness, and the capabilities of the organization.

NIST SP 800-53 is very comprehensive. It covers the majority of the risk areas most organizations face.

MARS-E 2.2

MARS-E 2.2 is the latest version of the guidelines. CMS released version 2.0 in 2015 to reflect the updated control catalog in NIST SP 800-53 Revision 4 (800-53r4). The changes responded to growing challenges to online security such as:

  • Advanced persistent threats
  • Insider threats
  • Supply chain risks
  • Application security
  • Cloud and mobile computing security

MARS-E 2.0 introduced a catalog of privacy controls, and every administering entity must document how it implements them. MARS-E 2.2 is an interim release that incorporates the updates CMS has issued since 2015.

Who Needs to Comply with MARS-E?

All ACA administering entities must follow MARS-E. This includes:

  • Federal and state exchanges and marketplaces
  • State Medicaid agencies
  • State agencies that administer the Basic Health Program and Children's Health Insurance Program

Contractors and subcontractors of these agencies and programs must also comply. In practice, compliance applies to any organization that, on behalf of an administering entity, handles:

  • PHI (Protected health information)
  • PII (Personally identifiable information)
  • Federal tax information

Complying with MARS-E also helps ensure you're in compliance with other regulations.

How to Comply with MARS-E

The government doesn't currently have a formal certification process for MARS-E. However, MARS-E aligns closely with the US Federal Risk and Authorization Management Program (FedRAMP). This is because MARS-E and FedRAMP are both aligned with NIST SP 800-53r4.

FedRAMP has a standardized authorization process but focuses specifically on cloud services.

A FedRAMP assessment and authorization therefore provides a useful model for evaluating MARS-E compliance. The standards that MARS-E defines also help organizations meet other data security requirements. Federal requirements that may also apply to healthcare organizations include:

  • Tax Information Safeguarding Requirements

System Security and Privacy Plan

A System Security and Privacy Plan (SSP) is a requirement for compliance with MARS-E.

An SSP has two main purposes. First, it describes the security and privacy environment of the IT systems in scope. Second, it documents how each security and privacy control is implemented.

These controls must cover all relevant ACA data that the organization handles, including data that the entity receives, stores, processes, and transmits.

The SSP has three parts:

  • System identification
  • Implementation of security and privacy controls
  • SSP attachments

The system identification section describes the IT system and its service environment. The security and privacy control tables record how each control has been implemented. Attachments can include:

  • Equipment list
  • Software list
  • Detailed configuration setting standards

Reevaluate the SSP at least once a year, and more often when circumstances warrant. For example, a modification to an IT system can change the security and privacy controls that protect it, which is reason enough for an SSP review.

MARS-E Readiness and Compliance Assessments

A readiness assessment evaluates your current security and privacy controls and tells you how your processes compare to the MARS-E standards. A comprehensive analysis will also examine your current SSP.

A complete audit reviews your full MARS-E compliance. It includes:

  • Policies and procedures
  • Documentation
  • System configurations

The audit will identify any gaps in your procedures or documentation. The auditor will then work with you to develop a remediation plan that prioritizes the necessary changes so you can get back into compliance efficiently.

Importance of MARS-E Compliance

Following MARS-E standards is critical to protecting users and healthcare organizations alike. Non-compliance can result in fines and penalties. Maintaining the robust cybersecurity practices that MARS-E requires protects user data, and it protects the ACA marketplace or other administering entity. The number of cyber attacks continues to grow, and a successful attack can deal a critical blow to an organization and ultimately undermine user confidence.

Simplify Your MARS-E Compliance

With the implementation of the Affordable Care Act, MARS-E compliance became a requirement for states. Since then, JANUS has helped numerous organizations with their MARS-E assessments, and we can do the same for you.


JANUS Associates has been helping organizations navigate complex compliance regulations since 1988. We'll examine your current processes. We'll collaborate with you to design a solution that meets your business needs. Our decades-long experience has allowed us to achieve deep expertise in every specialty and operational sector, including yours.

We’re friendly, nimble, and flexible. We listen well and always focus on what's best for your business. Contact Chris Kniffin, Corporate Director, to find out how a team of affordable professionals can help you secure your organization and meet your regulatory compliance goals.