Migration from EDE to ARC-AMPE Risk Assessment Controls

This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). It outlines the purpose of the migration, which is to enhance security and privacy compliance in line with the Affordable Care Act (ACA) regulations. The document details the framework of ARC-AMPE, which includes a significant increase in the number of required controls from the previous EDE baseline. The paper also discusses the oversight role of the Centers for Medicare & Medicaid Services (CMS) in ensuring DEEs comply with federal regulations, including rigorous audits and data protection measures. Additionally, it provides a mapping of controls from the EDE to ARC-AMPE and emphasizes the importance of risk assessment controls in safeguarding consumer data and maintaining the integrity of healthcare services. The compliance date for DEEs is set for June 2026.