If your organization is governed by CMS privacy and security requirements, ARC-AMPE isn’t just a new acronym. It’s a significant change that redefines how healthcare, ACA, Medicaid, and partner entities must plan, execute, and document their security and privacy programs.
Not familiar with ARC-AMPE or why it’s replacing MARS-E? Start with What Is ARC-AMPE and Why It Matters for ACA and Medicaid Organizations, a quick overview of the framework and who it affects.
Once you’re up to speed, here are six of the most important changes introduced by ARC-AMPE and what your team should be doing now to prepare for the March 4, 2026 deadline.
ARC-AMPE introduces the Personally Identifiable Information Processing and Transparency (PT) family, which brings privacy directly into the security framework. This was previously handled separately in MARS-E v2.2.
Controls like PM-18 require a formal Privacy Program Plan that includes executive approval, role-specific privacy training, and privacy impact assessments (PIAs). There are also new requirements for responding to privacy-related security events and protecting sensitive data like Social Security Numbers.
ARC-AMPE introduces PL-11, which allows you to tailor your control baseline, but only in one direction: tailoring must maintain or strengthen the CMS-defined standard. You can adjust any listed parameter as long as the result is more stringent, and you can add controls not found in ARC-AMPE.
AC-2(8), Dynamic Account Management, from NIST SP 800-53 Rev 5 is specifically prohibited from being added. Tailoring must be documented in the Entity-Specific Tailoring section of your System Security and Privacy Plan (SSPP).
Two new control families were introduced in ARC-AMPE:
Each family requires defined roles, annual reviews, and integration into your risk program.
ARC-AMPE removes the allowance for offshore data processing. All ACA-related data must now be stored and processed within U.S. legal jurisdiction.
ARC-AMPE no longer distinguishes between cloud and on-prem environments. All systems are expected to meet the same security and privacy standards. This includes stronger access controls, automation, and adopting zero trust principles.
ARC-AMPE expands System and Services Acquisition (SA) controls. Security is now expected to be part of planning, procurement, and design—not added after deployment.
It requires security impact assessments (SIA) and privacy impact assessments (PIA) before any system changes and mandates equal protections for preproduction environments.
To meet the March 2026 deadline, your team should begin:
The full ARC-AMPE Compliance Guide includes more detail on each control family, planning tips, and readiness recommendations.
Have questions about how these changes impact your organization? Contact a NuHarbor ARC-AMPE expert to start your compliance planning today.