Behind the Scenes with HIPAA and MARS-E Compliance
Sue Eaton is a compliance officer at Gravie. She’s responsible for making sure the services and products we offer comply with state and federal laws. Because we understand the importance of compliance and staying on top of ever-changing rules and regulations, Sue will be contributing her wisdom regularly to the Gravie Blog. Look for more posts from Sue!

One of the most frequent questions our compliance department receives from both employers and employees alike is, “How does Gravie protect the personal information of the people shopping for coverage through its website?”

It’s a smart question to ask. It seems like not a week goes by when we don’t read headlines about another company within the healthcare industry that has experienced a privacy breach.

At Gravie, we’re subject to two very strict federal privacy and security requirements:

Because of our relationship with insurance carriers, we are required to comply with Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a Business Associate. Title II of the law sets out policies, procedures and guidelines to protect the privacy and security of an individual’s health information.

We become subject to a second set of requirements as part of our contract with the Centers for Medicare & Medicaid Services (CMS) to act as a web-broker on the federal Marketplace. This set of standards is called the Minimum Acceptable Risk Controls for Exchanges (MARS-E). MARS-E required us to create in-depth policies and procedures to protect our customers’ privacy and security. One of the requirements for compliance is that our procedures are audited each year by a third party.

At Gravie, all employees receive training on the specific requirements of both HIPAA and MARS-E when they join the company and then must pass a refresher course every year. Additionally, Gravie even has monthly compliance quizzes to keep employees on their toes. Everyone at Gravie understands the importance of keeping our customers’ personal health information private, even if they don’t work with this information directly. We take steps, both large and small, to protect privacy. For example, when we walk away from our computer, we lock the computer screen, and when we are done with documents containing private information, we put them in the shredder instead of the trash.

As an employer, you will see these privacy and security policies in action when, for instance, Gravie asks you to upload an employee roster to a secure website rather than send it to us in an email, or when you visit the privacy policy link at the bottom of the Gravie website.

When your business signs up with Gravie, you can rest assured knowing that you have a team of compliance experts on your side always going the extra mile to protect your employees’ private health information. If you have questions about HIPAA or other compliance-related topics, send them to