The 3 Classes of MARS-E for ACA Compliance

Written by Kristina Sink on Wednesday, August 19th 2015 — Categories: HIPAA Compliance

The Patient Protection and Affordable Care Act of 2010 (ACA) requires each state to have a health insurance Exchange, a marketplace where consumers can easily shop around for health insurance and find the best option for them by comparing price, benefits, services, and quality. In order to obtain Health Insurance Exchange (HIX) compliance, Section 1561 requires that certain security standards and protocols be met by these Exchanges in order to make every effort to protect and ensure the confidentiality, integrity, and availability of the system and its users.

MARS-E encompasses Management, Technical, and Operational classesThese Minimum Acceptable Risk Standards for Exchanges (MARS-E) are separated into three different classes: technical, operational, and management. These classes consist of nineteen various control families, handling everything from Personally Identifiable Information (PII) to Protected Health Information (PHI), and Federal Tax Information (FTI).





White Paper

HIPAA Checklist for Cloud Servers

Requirements & best practices to keep in mind for a HIPAA compliant cloud server deployment


There is one last control family that is not a part of one of the three classes, and that is FTI Safeguards, the additional controls required by the IRS Publication 1075, which puts in place safeguards for protecting Federal Tax Returns and Return Information.



When launching a MARS-E or HIX compliance program the first step you should take is getting to know the federal and state requirements. Then you go on to assess your levels of compliance within your company, and identify areas that are at risk or could be improved. You will also want to establish your system to monitor ongoing compliance, so that you can ensure compliancy at all times.

Chat Now