The CMS Allows Health Plans to Host Their Own Enrollment Applications for Improved Consumer Experience

Andrew Williams, Product Director, Coalfire

As part of the ongoing implementation of the Affordable Care Act (ACA), the Centers for Medicare and Medicaid Services (CMS) recently began permitting direct enrollment entities (qualified health plan issuers and web-brokers) to host their own enrollment applications on their websites instead of proxying enrollment interactions to This is an optional program called Enhanced Direct Enrollment (EDE), which will go into effect during the open enrollment period for PY 2019.

EDE provides issuers, web brokers, and cloud service providers (CSPs) a way to foster a better consumer experience during the enrollment process. As part of EDE, entities that elect to participate must implement a stringent set of functional requirements to ensure the consumer experience they will be hosting directly meets or exceeds the consumer experience currently provided by and state-run health insurance exchanges.

This includes expectations for:

‘the data and tools necessary to fully manage customer relationships, the ability to update applications when necessary, as well as to verify that consumers have effectuated policies, and assist consumers with remedying open consumer DMIs/SVIs and payment issues.’

Because this change in CMS strategy represents a fundamental shift in how CMS manages and oversees ACA enrollment, CMS is also imposing strict oversight and accountability requirements on entities that elect to pursue EDE. This includes reporting expectations to ensure CMS maintains visibility into the security posture of the EDE entity. It also requires that EDE entities engage an independent, third-party auditor to conduct a security review of the system as well as a functional review of the entity’s implementation of EDE requirements.

To participate in open enrollment for PY 2019, CMS expects interested direct enrollment entities to be compliant with the new EDE requirements by August 15, 2018.

Coalfire exceeds the recommended requirements for independent auditors in the CMS EDE program and is one of the few auditors to have completed the required training by CMS. As an assessor of cloud service providers through our experience as the leading third-party assessment organization (3PAO) in the FedRAMP program, and as a HITRUST CSF accredited assessor, we’ve been helping direct enrollment entities quickly meet the program requirements.

CMS strongly recommends that any auditors selected for assessments by direct enrollment entities have experience with FISMA assessments. Our work for the FedRAMP program (a FISMA and NIST SP 800-53-based framework for evaluating the security of cloud service providers for government workloads) suitably fulfills this requirement. And, as mentioned, Coalfire has completed the mandatory CMS training for conducting the business requirements, privacy, and security audits.
