As part of the ongoing implementation of the Affordable Care Act (ACA), the Centers for Medicare and Medicaid Services (CMS) recently began permitting direct enrollment entities (qualified health plan issuers and web-brokers) to host their own enrollment applications on their websites instead of proxying enrollment interactions to Healthcare.gov. This is an optional program called Enhanced Direct Enrollment (EDE), which will go into effect during the open enrollment period for PY 2019.
EDE provides issuers, web brokers, and cloud service providers (CSPs) a way to foster a better consumer experience during the enrollment process. As part of EDE, entities that elect to participate must implement a stringent set of functional requirements to ensure the consumer experience they will be hosting directly meets or exceeds the consumer experience currently provided by Healthcare.gov and state-run health insurance exchanges.
This includes expectations for:
‘the data and tools necessary to fully manage customer relationships, the ability to update applications when necessary, as well as to verify that consumers have effectuated policies, and assist consumers with remedying open consumer DMIs/SVIs and payment issues.’
Because this change in CMS strategy represents a fundamental shift in how CMS manages and oversees ACA enrollment, CMS is also imposing strict oversight and accountability requirements on entities that elect to pursue EDE. This includes reporting expectations to ensure CMS maintains visibility into the security posture of the EDE entity. It also requires that EDE entities engage an independent, third-party auditor to conduct a security review of the system as well as a functional review of the entity’s implementation of EDE requirements.
To be ready to service open enrollment for PY 2019, CMS expects interested direct enrollment entities to be compliant with the new EDE requirements by August 15, 2018 in order to participate.
Coalfire exceeds the recommended requirements for independent auditors in the CMS EDE program and is one of the few auditors to have completed the training required by CMS. As an assessor of cloud service providers, drawing on our experience as the leading third-party assessment organization (3PAO) in the FedRAMP program and as a HITRUST CSF accredited assessor, we have been helping direct enrollment entities quickly meet the program requirements.
CMS strongly recommends that any auditors selected for assessments by direct enrollment entities have experience with FISMA assessments. Our work for the FedRAMP program (a FISMA and NIST SP 800-53-based framework for evaluating the security of cloud service providers for government workloads) suitably fulfills this requirement. And, as mentioned, Coalfire has completed the mandatory CMS training for conducting the business requirements audit as well as the privacy and security audits.