United States Government Accountability Office
GAO
Report to Congressional Requesters
August 2012

MEDICARE
CMS Needs an Approach and a Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards

GAO-12-831

Highlights of GAO-12-831, a report to congressional requesters

Why GAO Did This Study

More than 48 million Medicare cards display the SSN, which increases Medicare beneficiaries’ vulnerability to identity theft. GAO was asked to review the options and associated costs for removing SSNs from the Medicare card. This report (1) describes the various options for removing the SSN from Medicare cards; (2) examines the potential benefits and burdens associated with different options; and (3) examines CMS’s cost estimates for removing SSNs from Medicare cards.

To do this work, GAO reviewed CMS’s report, cost estimates, and relevant supporting documentation. GAO also interviewed officials from CMS and other agencies that perform Medicare-related activities (the Social Security Administration and Railroad Retirement Board), as well as officials from DOD and VA, which have undertaken SSN removal efforts. GAO also interviewed private health insurance companies and relevant stakeholder groups.

What GAO Found

The Centers for Medicare & Medicaid Services’ (CMS) 2011 report to Congress proposed three options for removing Social Security numbers (SSN) from Medicare cards. One option would truncate the SSN displayed on the card, but beneficiaries and providers would continue to rely on the SSN. The other two options would replace the SSN with a new identifier that would be displayed on the card and either be used only by beneficiaries, or by both beneficiaries and those who provide Medicare services. CMS, however, has not selected or committed to implementing any of these options. The Departments of Defense (DOD) and Veterans Affairs (VA), and private insurers have already removed or taken steps to remove SSNs from display on their identification or health insurance cards.

CMS’s option to replace the SSN with a new identifier for use by both beneficiaries and providers offers the greatest protection against identity theft. Beneficiaries’ vulnerability to identity theft would be reduced because the card would no longer display the SSN and providers would not need the SSN to provide services or submit claims (negating the need for providers to store the SSN). This option would also pose fewer burdens than the other two options because beneficiaries would not have to remember an SSN to receive services or to interact with CMS. Providers also would not need to conduct additional activities, such as querying a CMS database, to obtain the SSN. The burdens for CMS would generally be similar across all the options, but CMS reported that this option would require more information technology (IT) system modifications.

[Figure: Risk of Identity Theft with Medicare Card under CMS’s Three Proposed Options]

CMS reported that each of the three options would cost over $800 million to implement, and that the option to replace the SSN with a new identifier for use by both beneficiaries and providers would be somewhat more expensive, largely because of the IT modifications. However, the methodology and assumptions CMS used to develop its estimates raise questions about their reliability. For example, CMS did not use appropriate guidance, such as GAO’s cost-estimating guidance, when preparing the estimates to ensure their reliability. Additionally, CMS could provide only limited documentation related to how it developed the estimates for the two largest cost areas, both of which involve modifications to IT systems.

What GAO Recommends

GAO recommends that CMS (1) select an approach for removing SSNs from Medicare cards that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS and (2) develop an accurate, well-documented cost estimate for such an option. CMS concurred with our recommendations. VA, DOD, and RRB had no substantive comments. SSA had a technical comment.

View GAO-12-831. For more information, contact Kathleen King at (202) 512-7114 or firstname.lastname@example.org, or Daniel Bertoni at (202) 512-7215 or email@example.com.

Contents

Letter
Background
Options for Removing SSNs from Medicare Cards Include Altering the Display or Replacing the Number with a Different Identifier
Replacing SSN with a New Identifier for Beneficiary and Provider Use Offers Greatest Protection Against Identity Theft and Minimizes Burdens
CMS Reported Significant Costs Associated with Removing SSNs from Medicare Cards, but These Estimates May Not Be Reliable
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation
Appendix I: Burdens of CMS’s Proposed Options for Removal of SSN from Medicare Card (Accessible Text)
Appendix II: Comments from the Centers for Medicare & Medicaid Services
Appendix III: Comments from the Railroad Retirement Board
Appendix IV: GAO Contacts and Staff Acknowledgments

Tables
Table 1: Examples of Interactions Requiring the Health Insurance Claim Number (HICN)
Table 2: Display and Use of the Identifier in Various CMS Options for Removing the SSN from Medicare Cards
Table 3: Agency Cost Estimates for CMS Options for Removing SSNs from Medicare Cards

Figures
Figure 1: Medicare Card
Figure 2: Risk of Identity Theft with Medicare Card under CMS’s Three Proposed Options
Figure 3: Burdens of CMS’s Proposed Options for
Removal of SSNs from Medicare Cards

Abbreviations

CMS: Centers for Medicare & Medicaid Services
DOD: Department of Defense
EDIPI: Electronic Data Interchange Person Identifier
HHS: Department of Health and Human Services
HICN: health insurance claim number
IT: information technology
MBI: Medicare Beneficiary Identifier
RRB: Railroad Retirement Board
SSA: Social Security Administration
SSN: Social Security number
VA: Department of Veterans Affairs
VIC: Veterans Identification Card

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC 20548

August 1, 2012

The Honorable Sam Johnson
Chairman
Subcommittee on Social Security
Committee on Ways and Means
House of Representatives

The Honorable Lloyd Doggett
Ranking Member
Subcommittee on Human Resources
Committee on Ways and Means
House of Representatives

More than 48 million Medicare cards display Social Security numbers (SSN). Thieves can steal the information from these cards to commit various acts of identity theft, such as opening bank or credit card accounts or receiving medical services in a beneficiary’s name. In 2010, 7 percent of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced identity theft, according to U.S. Department of Justice figures. The estimated financial cost of identity theft during that time was approximately $13.3 billion.[1] Additionally, theft of this information could result from a data breach—the unauthorized disclosure of a beneficiary’s personally identifiable information.[2] Between September 2009 and March 2012, the Department of Health and Human Services’ (HHS) Office for Civil Rights identified over 400 reports of provider data breaches involving protected health information that each affected more than 500 individuals.[3]

[1] Lynn Langston, Identity Theft Reported by Households, 2005-2010, NCJ 236245 (Washington, D.C.: U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, November 2011).
[2] For the purposes of this report, we define a data breach as the unauthorized acquisition, access, use, or disclosure of individually identifiable information.
[3] We use the term provider to refer to any organization, institution, or individual that provides health care services to Medicare beneficiaries. These include hospitals, nursing facilities, physicians, hospices, ambulatory surgical centers, outpatient clinics, and suppliers of durable medical equipment, among others.

The SSN is displayed on Medicare cards, and it is the main component of the health insurance claim number (HICN). The Social Security Administration (SSA) and the Railroad Retirement Board (RRB) assign the HICNs to eligible Medicare beneficiaries. HHS’s Centers for Medicare & Medicaid Services (CMS) administers the Medicare program,[4] and relies on the HICN for numerous Medicare purposes. For example, CMS requires beneficiaries to provide the HICN to document eligibility for Medicare services; requires providers to use the number to bill for services; and uses the number and claims information to analyze Medicare’s performance and conduct program integrity efforts.[5] Each beneficiary is issued a Medicare card that prominently displays the HICN, and CMS advises beneficiaries to carry this card with them at all times and show this card to medical providers when receiving services. As we have reported, however, the explicit display and use of the SSN poses a threat of identity theft.[6]

The importance of enhancing security protections for SSN display and use has resulted in multiple actions by federal and state governments and the private sector. For example, SSA has advised for years that individuals not carry their Social Security card with them. In 2007, the Office of Management and Budget issued a directive to all federal agencies to develop a plan for reducing the unnecessary use of SSNs and exploring alternatives to their use.[7] Many federal agencies, including the Departments of Defense (DOD) and Veterans Affairs (VA), have taken significant steps to remove SSNs from their health insurance and identification cards. In the private sector, health insurers have also removed SSNs from their insurance cards in an effort to comply with state laws and protect beneficiaries from identity theft.

[4] Medicare is the federal health insurance program for individuals over the age of 65, individuals under the age of 65 with certain disabilities, and individuals with end-stage renal disease.
[5] CMS’s program integrity efforts for Medicare include the detection of improper billing through analysis of claims.
[6] See GAO, Social Security Numbers: More Could Be Done to Protect SSNs. GAO-06-586T (Washington, D.C.: Mar. 30, 2006).
[7] Office of Management and Budget Memorandum M-07-16. Safeguarding Against and Responding to the Breach of Personally Identifiable Information (Washington, D.C.: May 22, 2007).

In 2004, we reported that CMS determined it would be cost-prohibitive to remove the SSN from the Medicare card.[8] In a 2006 report to Congress, CMS highlighted an option for removing the SSN from the Medicare card and estimated it would cost over $300 million to do so.[9] In 2010, members of Congress asked CMS to update that report in light of the fact that CMS had not taken actions to remove SSNs from Medicare cards. CMS subsequently issued a report in November 2011.[10]

You asked that we review CMS’s 2011 report, including the options it presented for removing the SSN from Medicare cards and the estimated costs. In addition, you asked that we examine the lessons learned from DOD and VA’s efforts to remove SSNs from their insurance cards. Consequently, this report (1) describes the various options for removing the SSN from Medicare cards; (2) examines the potential benefits and burdens associated with the various options for removing SSNs from Medicare cards; and (3) examines CMS’s cost estimates for removing SSNs from Medicare cards.

To describe the options for removing SSNs from Medicare cards, we reviewed CMS’s 2011 report to Congress titled Update on the Assessment of the Removal of Social Security Numbers from Medicare Cards, as well as supporting documentation provided by CMS. We interviewed officials from CMS, SSA, and RRB. To obtain a broader perspective on efforts to remove SSNs from health insurance and identification cards, we interviewed officials from DOD, VA, and the following relevant stakeholders: three private health insurers that implemented efforts to remove SSNs from their cards;[11] a provider association for physician group practices; a health insurance industry association; and a membership organization for people age 50 and older, a population that would be significantly affected by the removal of SSNs from Medicare cards.

[8] GAO, Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards, GAO-05-59 (Washington, D.C.: Nov. 9, 2004).
[9] Centers for Medicare & Medicaid Services, Report to Congress: Removal of Social Security Number from the Medicare Health Insurance Card and Other Medicare Correspondence (Baltimore, Md.: October 2006).
[10] Centers for Medicare & Medicaid Services, Update on the Assessment of the Removal of Social Security Numbers from Medicare Cards (Baltimore, Md.: November 2011).
[11] Combined, these three health insurers cover more than 48 million individuals.

To examine the potential benefits and burdens of the options CMS proposed for removing SSNs from Medicare cards, we interviewed officials from CMS to obtain more information about the options presented in its report. We also interviewed officials from DOD and VA to learn about their efforts to remove SSNs from their cards and the factors they considered when implementing such efforts. During our interviews with private health insurers and other stakeholders, we obtained information about the benefits and burdens faced by providers and beneficiaries when removing SSNs from health insurance cards. We assessed the options presented by CMS based on the following criteria: (1) maximized protection against identity theft; and (2) minimized burdens on beneficiaries, providers, and CMS. These criteria were developed based on prior GAO work on identity theft and informed by information from CMS’s 2011 report and interviews with CMS officials and others.

To examine CMS’s cost estimates for removing SSNs from Medicare cards, we interviewed officials at CMS, SSA, and RRB to obtain details about the development of the cost estimates, including the methods and underlying assumptions used to derive them. We also interviewed officials from DOD and VA to obtain information on the costs to those agencies related to their initiatives to remove SSNs from DOD and VA identification cards. When interviewing relevant stakeholders, we obtained information about the costs associated with switching from an SSN-based to a non-SSN based identifier on their health insurance cards, to the extent such information was available. In addition, as part of our assessment of CMS’s cost estimates, we used GAO’s Cost Estimating and Assessment Guide, as appropriate.[12] This guide identifies best practices that should be followed to ensure that a reliable cost estimate is comprehensive, well-documented, accurate, and credible. Our assessment included examining the extent to which CMS cost estimates were documented, and that the assumptions used to develop these estimates were supported and appeared to be reasonable.

We conducted this performance audit from January 2012 to July 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[12] GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs. GAO-09-3SP (Washington, D.C.: March 2009).

Background

Medicare, Medicare Cards, and the HICN

Medicare, the federal health insurance program that serves the nation’s elderly, certain disabled individuals and individuals with end-stage renal disease, had total program expenditures of $565 billion in 2011, making it one of the largest federal programs. The Medicare program is administered by CMS and consists of four parts: A, B, C, and D. Medicare parts A and B are also referred to as fee-for-service programs. Part A covers hospital and other inpatient stays, hospice, and home health service; and Part B covers hospital outpatient, physician, and other services. The Medicare card is used as proof of eligibility for both of these programs. Part C is Medicare Advantage, under which beneficiaries receive benefits through private health plans. Part D is the Medicare outpatient prescription drug benefit. CMS requires that cards issued by Part C and Part D health plans do not display an SSN.
For most individuals, SSA determines eligibility for Medicare and assigns the individual’s HICN. However, for the approximately 550,000 Railroad Retirement beneficiaries and their dependents, the RRB determines Medicare eligibility and assigns this number. CMS or RRB mails paper cards to all beneficiaries, which display the individual’s full name, gender, eligibility status (Part A and/or Part B), their effective date of eligibility, and the SSN-based HICN, referred to on the card as the Medicare Claim Number. (See fig. 1.)

Figure 1: Medicare Card

The HICN is constructed using the 9-digit SSN of the primary wage earner whose work history qualifies an individual for Medicare, followed by a 1- or 2-character code, referred to as the beneficiary identification code, that specifies the relationship of the card holder to the individual who makes the beneficiary eligible for benefits.[13] In most cases, the SSN on the card is the card holder’s own; however, approximately 14 percent of Medicare beneficiaries have cards that contain the SSN of the family member whose work history makes the beneficiary eligible for Medicare benefits.

A unique identifier is an essential component for administering health insurance. Such an identifier is used by providers to identify beneficiaries and submit claims for payment. As Medicare’s primary unique identifier, the HICN is used by beneficiaries, providers, and CMS and its contractors. State Medicaid programs, which are jointly funded federal-state health care programs that cover certain low-income individuals, use the HICN to coordinate payments for dual-eligible beneficiaries—individuals who are enrolled in both Medicare and Medicaid.[14] (See table 1 for examples of various interactions that require the HICN).

[13] For example, an A suffix indicates the card holder is a retired or disabled worker (primary claimant). The B or B1 suffix indicates a wife or husband, respectively, of the retired wage earner. The C suffix indicates a child of a retiree, or a disabled child or student. The D suffix indicates a widow and an E suffix signifies a widowed mother. Additional letters or numerical digits may also be used as part of the beneficiary identification code to provide more-detailed relationship information.

Table 1: Examples of Interactions Requiring the Health Insurance Claim Number (HICN)

Stakeholder: Beneficiaries (48.7 million)
Interactions requiring HICN:
• Accessing care from Medicare providers
• Logging into the Medicare website administered by CMS for Medicare beneficiaries
• Calling 1-800-MEDICARE (the Medicare help line) for assistance
• Submitting appeals for coverage

Stakeholder: Providers (1.4 million)
Interactions requiring HICN:
• Verifying Medicare eligibility at the time of service
• Submitting claims to receive payment for services provided
• Collecting data for evaluating quality of care
• Submitting appeals for coverage

Stakeholder: Centers for Medicare & Medicaid Services (CMS) and contractors
Interactions requiring HICN:
• Confirming eligibility
• Processing claims submitted by providers
• Paying providers for services rendered
• Conducting program integrity activities to prevent or identify Medicare fraud, waste, and abuse

Stakeholder: State Medicaid programs
Interactions requiring HICN:
• Coordinating payments for services provided by a Medicare and Medicaid

Source: GAO analysis of Centers for Medicare & Medicaid Services (CMS) information.
a. This effort is conducted for dual-eligible individuals who are enrolled in both the Medicare and Medicaid programs.

[14] Medicare beneficiaries may become eligible for Medicaid if, for example, their income and resources decline below certain thresholds. In addition, Medicaid beneficiaries may become eligible for Medicare by, for example, turning 65 years old.
Beneficiaries must use their HICN when interacting with CMS, such as when they log into the Medicare website or call 1-800-MEDICARE for assistance. Using their issued card, beneficiaries also provide this information to providers at the time of service, and providers use this information to confirm eligibility and submit claims to receive payment for services. CMS and its contractors operate approximately 50 information technology (IT) systems,[15] many of which are interdependent, that use this information in some manner to process beneficiary services and claims and conduct a number of other activities related to payment and program-integrity efforts. These IT systems vary considerably in terms of age and interoperability, making them difficult to change.

Options for Removing SSNs from Medicare Cards Include Altering the Display or Replacing the Number with a Different Identifier

CMS Proposed Three Options for Removing SSNs from the Medicare Cards

In its November 2011 report, CMS proposed three options for removing SSNs from Medicare cards. One option would involve altering the display of the SSN through truncation,[16] and the other two options would involve the development of a new identifier.[17] All three options would vary with regard to the type of identifier displayed on the card and the actions providers and beneficiaries would need to take in order to use the identifier for needed services. CMS officials told us that they limited their options to those retaining the basic format of the current paper card, and did not consider other options that they believed were outside the scope of the congressional request. For example, CMS did not consider using machine-readable technologies, such as bar codes or magnetic stripes.[18]

[15] IT systems refer to systems and databases.
[16] Truncation refers to the practice of masking certain digits in the SSN.
[17] In all three options, CMS would continue to use the SSN in its internal systems and to communicate with various partners including SSA and RRB.

• Option 1: Truncating the SSN: Under this option, the first five digits of the SSN would be replaced with ‘X’s (e.g., XXX-XX-1234) for display on the card. However, the full SSN would continue to be used for all Medicare business processes. As a result, when interacting with CMS, beneficiaries would need to recall the full SSN or provide additional personally identifiable information in order for CMS to match the beneficiary with his or her records.[19] To interact with CMS, providers would also need to obtain the complete SSN using an existing resource. This would involve querying an existing database, calling a CMS help line, or asking the beneficiary for the complete SSN or other personally identifiable information.[20]

• Option 2: Developing a New Identifier for Beneficiary Use: Under this option, the SSN would be replaced by a new identifier not based on the SSN that would be displayed on the card, similar to private health insurance cards. CMS refers to this new identifier as the Medicare Beneficiary Identifier (MBI). This number would be used by beneficiaries when interacting with CMS. Providers, however, would be required to continue to use the SSN when interacting with CMS and conducting their business processes. To obtain this information, providers would be expected to electronically request it from CMS using the new identifier. CMS said it would need to create a new database for this purpose.[21]

[18] A bar code is an optical machine-readable representation of data. Bar codes use printed and variously patterned bars and spaces that can be scanned and read into computer memory. A magnetic stripe, such as those found on credit cards, is placed on a card and used to store information that can be read by swiping the card through a machine.
• Option 3: Developing a New Identifier for Beneficiary and Provider Use: Under this option, the SSN would be replaced by a new identifier not based on the SSN, which would be displayed on the card. As in option 2, CMS referred to this number as the MBI. In contrast to option 2, however, this new number would be used by both beneficiaries and providers for all interactions with CMS. Under this option, the SSN would no longer be used by beneficiaries or providers when interacting with CMS, which could eliminate the need for providers to collect or keep the SSN on file.[22] CMS and its contractors would continue to use the SSN for internal data purposes, such as claims processing.

Table 2 summarizes the characteristics of the CMS options.

[19] Examples of such information include date of birth, address, spouse’s name, or other personal or identifying information that is linked or linkable to a specific individual. This additional information would be necessary because the last four digits of an SSN are not sufficient on their own to uniquely identify an individual because more than one individual may have the same last four digits.
[20] The database and help line are efforts maintained by existing CMS contractors. Providers could also use the SSN that is stored in the beneficiary’s record.
[21] Providers could also call CMS or ask beneficiaries for their full SSN.
[22] Providers frequently store a beneficiary’s health care identifier in electronic or paper records in order to submit claims for payment. Providers may collect a beneficiary’s SSN for other purposes.
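The HICN layout and the option 1 truncated display described above can be exercised in a few lines. The following Python sketch is an added example, not part of the GAO report or any CMS system; the regular expression, the roster field names, the function names and the use of date of birth as the additional identifying information are assumptions, and every identifier in it is constructed.

```python
import re
from collections import defaultdict

# Assumed written form of an HICN: the 9-digit SSN (dashes optional) followed
# by a 1- or 2-character beneficiary identification code such as A, B1 or D.
HICN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})([A-Z][A-Z0-9]?)\b")

# Constructed sample roster. SSN area numbers 900-999 are never issued, so
# none of these values belongs to a real person. Field names are hypothetical.
ROSTER = [
    {"id": "rec-1", "hicn": "900-00-1234A", "dob": "1940-02-11"},
    {"id": "rec-2", "hicn": "901-11-1234B1", "dob": "1938-07-30"},
    {"id": "rec-3", "hicn": "902225678D", "dob": "1945-12-01"},
]


def parse_hicn(value):
    """Split an HICN into (nine_digit_ssn, beneficiary_identification_code)."""
    match = HICN_RE.fullmatch(value.strip().upper())
    if match is None:
        raise ValueError("not an HICN-shaped value")
    area, group, serial, bic = match.groups()
    return area + group + serial, bic


def truncated_display(value):
    """Option 1 display form: first five SSN digits replaced with X."""
    ssn, _bic = parse_hicn(value)
    return "XXX-XX-" + ssn[-4:]


def redact_text(text):
    """Mask every HICN-shaped token in free text; returns (text, count)."""
    return HICN_RE.subn(lambda m: "XXX-XX-" + m.group(3), text)


def ambiguous_displays(roster):
    """Truncated displays shared by more than one record (footnote 19)."""
    by_display = defaultdict(list)
    for record in roster:
        by_display[truncated_display(record["hicn"])].append(record["id"])
    return {shown: ids for shown, ids in by_display.items() if len(ids) > 1}


def resolve(roster, last4, dob=None):
    """Match on the last four digits, narrowing by date of birth if given.

    Returns the record id only when exactly one record matches, else None.
    """
    hits = [r for r in roster if parse_hicn(r["hicn"])[0].endswith(last4)]
    if dob is not None:
        hits = [r for r in hits if r["dob"] == dob]
    return hits[0]["id"] if len(hits) == 1 else None


if __name__ == "__main__":
    note = "Claim for 900-00-1234A and 902225678D filed; ref 12345."
    print(redact_text(note))
    print(ambiguous_displays(ROSTER))
    print(resolve(ROSTER, "1234"), resolve(ROSTER, "1234", "1938-07-30"))
```

Two of the three constructed records share the display XXX-XX-1234, so a lookup on the truncated value alone returns no unique match until the date of birth is supplied.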
Table 2: Display and Use of the Identifier in Various CMS Options for Removing the SSN from Medicare Cards

Display and use of the identifier | Current Medicare card | Truncated SSN | New identifier (beneficiary use only) | New identifier (beneficiary and provider use)
Identifier displayed on card | SSN | Truncated SSN | New identifier | New identifier
Identifier used by beneficiary to interact with CMS | SSN | SSN | New identifier | New identifier
How beneficiary obtains identifier to interact with CMS | Refer to card | Recall first 5 digits of SSN or call CMS (a) | Refer to card | Refer to card
Identifier used by provider to interact with CMS | SSN | SSN | SSN | New identifier
How provider obtains the identifier to interact with CMS | Refer to card | Use existing resources to obtain full SSN (b) | Electronically request SSN using new identifier | Refer to card

Source: GAO analysis of information provided by Centers for Medicare & Medicaid Services (CMS).
a. When calling CMS, beneficiaries would also need to provide additional personally identifiable information, which could include date of birth, spouse’s name, or address in order to obtain complete information.
b. Existing resources include an online database or a call-center operated by a CMS contractor. Providers would need to obtain additional personally identifiable information from the beneficiary and submit it to CMS in order to identify the beneficiary. Providers could also request the full Social Security number (SSN) from the beneficiary at the time of service.

CMS, SSA, and RRB reported that all three options would generally require similar efforts, including coordinating with stakeholders; converting IT systems; conducting provider and beneficiary outreach and education; conducting training of business partners; and issuing new cards. However, the level and type of modifications required to IT systems vary under each option.
These systems are responsible for various business functions that perform claims processing, eligibility verification, health plan enrollment, coordination of benefits, program integrity, and research efforts. According to CMS, between 40 and 48 of its IT systems would require modifications, depending on the option selected. The truncated SSN option would require modifications to 40 systems; the option that uses a new identifier for beneficiary use would require modifications to 44 systems; and the option that uses a new identifier for beneficiary and provider use would require modifications to 48 systems.

In its 2011 report, CMS estimated that any of the 3 proposed options would likely take up to 4 years to implement. During the first 3 years, CMS would coordinate with stakeholders; complete necessary IT system conversions; conduct provider and beneficiary outreach and education; and conduct training of business partners. In the fourth year, CMS would issue new Medicare cards to all beneficiaries over a 12-month period.

CMS officials stated that the agency could not implement any of the options without additional funding from Congress. In its report, CMS noted that the actual time needed for implementation could vary due to changing resources or program requirements. Similar to its 2006 report, CMS has not taken action needed to implement any of the options for removing the SSN it presented in its report.

DOD, VA, and Private Health Insurers Have Taken Steps to Remove SSNs from Cards’ Display

DOD has taken steps to remove the SSN from display on the approximately 9.6 million military identification cards that are used by active-duty and retired military personnel and their dependents to access health care services.[23] DOD is replacing the SSNs previously displayed on these cards with two different unique identifiers not based on the SSN.[24] In 2008, DOD began its SSN removal effort by removing dependents’ SSNs from display on their military identification cards, but retained the sponsor’s SSN and left SSNs embedded in the cards’ bar codes. The dependents’ cards did not display any unique identifier. On June 1, 2011, DOD discontinued issuing any military identification card that displayed an SSN and began issuing cards that displayed two different unique identifiers; however, SSNs continued to be embedded in the cards’ bar codes. Starting December 1, 2012, DOD will discontinue embedding the SSN in the cards’ bar codes. With the exception of cards issued to retired military personnel, DOD anticipates that the SSNs will be completely removed from all military identification cards by December 2016.[25] DOD officials reported that because retirees’ cards may still contain the SSN as an identifier, and because some contractors providing health care services may continue to use the SSN for eligibility purposes and processing claims, DOD’s IT systems will continue to support multiple identifiers, including the SSN, until such time as all SSNs have been replaced with the two new unique identifiers. DOD cards issued to active-duty military personnel also contain a smart chip, which is used for accessing facilities and IT systems, and may be used to access health care services in some facilities.[26] Cardholders’ SSNs are concealed in the smart chip.

[23] Military personnel and federal employees provide health care to DOD’s active-duty and retired military personnel and their dependents in military treatment facilities under the military health care program known as TRICARE. Active duty and retired military personnel and their dependents present their military identification cards at the time of service. DOD active duty and retired military personnel and their dependents also access health care through private providers. When beneficiaries access care from private providers, they must present both their military identification card and a separate health care card issued by the DOD contractor administering their TRICARE plan at the time they receive service.
[24] The two identifiers are being added only to cards issued after June 1, 2011. One identifier, the Electronic Data Interchange Person Identifier (EDIPI), is used DOD-wide to identify a specific individual. The other identifier, the DOD Benefits Number is assigned to each individual eligible for DOD health benefits and other entitlements.
[25] Unlike military identification cards issued to active-duty military personnel and dependents, cards issued to military retirees do not have an expiration date.

VA has also taken steps to remove the SSN from display on its identification and health care cards. The Veterans Identification Card (VIC) is issued by VA to enrollees and can be used by veterans to access health care services from VA facilities and private providers. In 2011, 8.6 million veterans were eligible to receive health care services and, according to VA officials, about 363,000 dependents of veterans were eligible to receive care through VA’s dependent-care programs.[27] VA began removing SSNs from display on the VIC in 2004, but the SSN continues to be embedded in the cards’ magnetic stripes and bar codes. Since that time, VA officials report that the department has issued approximately 7.7 million VICs. VA officials also stated that, in the first quarter of fiscal year 2013, VA will start issuing new VICs that will display a new unique identifier for the veteran and embed the new identifier in the card’s magnetic stripe and bar code, replacing the SSN.[28] VA also removed SSNs from display on the cards issued to beneficiaries in VA dependent-care programs without replacing it with a new identifier, and beneficiaries in these programs now provide their SSN verbally at the time of service.[29]

[26] The smart chip is an integrated circuit chip that can be used to store large amounts of information, including SSNs or other unique identifiers, and can exchange data with other systems and process information. By securely exchanging information, a smart card can authenticate the identity of the individual possessing the card in a more rigorous way than is possible with traditional identification cards.
[27] Dependents of veterans may have received health care from: the Civilian Health and Medical Program of the Department of Veterans Affairs; the Spina Bifida program; and the Children of Women Vietnam Veterans program.
[28] This new identifier will be the EDIPI. DOD has assigned an EDIPI for 17 million veterans.
[29] These cards do not have magnetic stripes or bar codes.

Representatives from a national organization representing private health insurers told us that, to their knowledge, all private health insurers have removed the SSN from display on insurance cards and replaced it with a unique identifier not based on the SSN. Private insurers use these new identifiers for all beneficiary and provider interactions, including determining eligibility and processing claims. According to these officials, private health insurers took those steps to comply with state laws and protect beneficiaries from identity theft. Consistent with this, representatives from the private health insurers we interviewed reported removing SSNs from their cards’ display and issuing beneficiaries new identifiers not based on the SSN, which are now used in all beneficiary and provider interactions.

Officials we interviewed from DOD, VA, and private health insurers all reported that the process to remove the SSN from cards and replace the SSN with a different unique identifier is taking or took several years to implement and required considerable planning.
During their transition periods, DOD, VA, and private health insurers reported that they made modifications to IT systems; collaborated with providers and contractors; and educated providers and beneficiaries about the change. One private health insurer we interviewed reported that it allowed for a transition period during which providers could verify eligibility or submit claims using either the SSN or the new unique identifier. This health insurer noted that this allowance, along with the education and outreach it provided to both beneficiaries and providers, resulted in a successful transition. Another health insurer reported that it is providing IT support for both the SSN and the new unique identifier indefinitely in case providers mistakenly use the SSN when submitting claims.

Replacing SSN with a New Identifier for Beneficiary and Provider Use Offers Greatest Protection Against Identity Theft and Minimizes Burdens

CMS’s Option to Replace the SSN with a New Identifier for Use by Beneficiaries and Providers Offers the Greatest Protection Against Identity Theft

Replacing the SSN with a new identifier for use by beneficiaries and providers offers beneficiaries the greatest protection against identity theft relative to the other options CMS presented in its report. (See fig. 2.) Under this option, only the new identifier would be used by beneficiaries and providers. This option would lessen beneficiaries’ risk of identity theft in the event that their card was lost or stolen, as the SSN would no longer be printed on the card. Additionally, because providers would not need to collect a beneficiary’s SSN or maintain that information in their files, beneficiaries’ vulnerability to identity theft would be reduced in the event of a provider data breach.
Figure 2: Risk of Identity Theft with Medicare Card under CMS’s Three Proposed Options

The other two options CMS presented in its 2011 report provide less protection against identity theft. For example, replacing the SSN with a new number just for beneficiary use would offer some protection against identity theft for beneficiaries because no portion of the SSN would be visible on the Medicare card. This would reduce the likelihood of identity theft with the SSN if a card is lost or stolen. However, providers would still need to collect and store the SSN, leaving beneficiaries vulnerable to identity theft in the event of a provider data breach.

CMS’s truncated SSN option would provide even less protection against identity theft. This option would eliminate full visibility of the SSN on the Medicare card, making it more difficult to use for identity theft. However, we have previously reported that the lack of standards for truncation means that identity thieves can still construct a full SSN fairly easily using truncated SSNs from various electronic and hard copy records. 30 In addition, under this option, providers would still store the SSN in their files, thereby making beneficiaries vulnerable to identity theft in the event of a provider data breach.

30 In past work, we have reported that it is possible to reconstruct truncated SSNs by comparing different public records that had truncated SSNs in different ways. See GAO, Social Security Numbers: Federal Actions Could Further Decrease Availability in Public Records, though Other Vulnerabilities Remain, GAO-07-752 (Washington, D.C.: June 15, 2007).
CMS’s Option to Replace the SSN with a New Identifier for Use by Beneficiaries and Providers Would Minimize Burdens for Beneficiaries and Providers

We found that CMS’s option to replace the SSN with a new identifier for use by beneficiaries and providers presents fewer burdens for beneficiaries and providers relative to the other options presented in CMS’s 2011 report. (See fig. 3.) Under this option, the new identifier would be printed on the card, and beneficiaries would use this identifier when interacting with CMS, eliminating the need for beneficiaries to memorize their SSN or store it elsewhere as they might do under other options. This option may also present fewer burdens for providers, as they would not have to query databases or make phone calls to obtain a beneficiary’s information to submit claims. 31 Private health insurers we interviewed all reported using a similar approach to remove SSNs from their insurance cards. Representatives from these insurers reported that while there was some initial confusion and issues with claims submission during the transition period, proactive outreach efforts to educate providers about this change, as well as having a grace period during which the SSN or new identifier could be used by providers to submit claims, minimized issues and resulted in a relatively smooth transition.

31 There may be some initial burdens for providers and beneficiaries under any of the three options presented by CMS. For example, according to CMS officials, some providers may be required to update their IT software and beneficiaries may be confused by any change to their identifier.

Figure 3: Burdens of CMS’s Proposed Options for Removal of SSNs from Medicare Cards

(Interactive graphic comparing the burdens for beneficiaries, providers, and CMS under three options: new identifier for beneficiary and provider use, new identifier for beneficiary use only, and truncated SSN. A text version of this graphic is in appendix I.)

Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services (CMS) and interviews with relevant stakeholders.

The other two options CMS presented in its 2011 report would create additional burdens for beneficiaries and providers. Beneficiaries may experience difficulties under the truncated SSN option, as they may need to recall their SSN, which could be their own SSN or that of a family member. CMS officials stated that the age of Medicare beneficiaries and the fact that their current identification number may be based on another family member’s SSN could make it difficult for beneficiaries to remember the number. In addition, about 31 percent of Medicare beneficiaries residing in the community have a known cognitive or mental impairment, making recalling their number by memory potentially difficult. 32 Under both of these remaining options, providers would need to perform additional tasks, such as querying a CMS database or calling CMS, to obtain the full SSN to verify eligibility and submit claims. 33

Regardless of option, the burdens experienced by CMS would likely be similar because the agency would need to conduct many of the same activities and would incur many of the same costs. For example, it would need to reissue Medicare cards to current beneficiaries; conduct outreach and education to beneficiaries and providers; and conduct training for business partners. CMS would also likely see increased call volume to its 1-800-Medicare line with questions about the changes. In addition, there would likely be costs associated with changes to state Medicaid IT systems.
However, according to CMS officials, the option that calls for replacing the SSN with a new identifier to be used by beneficiaries and providers would have additional burdens because of the more extensive changes required to CMS’s IT systems compared to the other options. This option, however, would also potentially provide an additional benefit to CMS, as the agency would be able to completely “turn off” the identification number and replace it with a new one in the event that a beneficiary’s number is compromised, something that is not possible with the SSN. 34

32 The Kaiser Family Foundation, “Medicare Chartbook, Fourth Edition,” November 2010.

33 Providers may also request the SSN from beneficiaries or rely on the SSN documented in a patient’s records.

34 CMS currently monitors nearly 275,000 compromised HICNs, which are HICNs that have been subject to actual or possible unauthorized disclosure or access as the result of physical or electronic theft. As long as CMS uses the HICN for transactions, the agency must continue to monitor compromised HICNs.

Other Options Not Explored by CMS for Removing SSNs Would Present Additional Burdens for Beneficiaries, Providers, and CMS

CMS did not consider in its 2011 report how machine readable technologies—such as bar codes, magnetic stripes, or smart chips—could assist in the effort to remove SSNs from Medicare cards. Machine-readable technologies have been implemented to varying degrees by DOD and VA. According to DOD and VA officials, DOD is using a smart chip and barcode to store the cardholder’s personally identifiable information, and VA is issuing cards in which such information and other identifiers are stored in magnetic stripes and bar codes. Machine-readable technologies may provide additional benefits, such as increased efficiency for providers and beneficiaries.
Furthermore, machine readable technologies provide some additional protection against identity theft, but officials we spoke with stated that the widespread availability of devices to read magnetic stripes and bar codes has made these technologies less secure. Because of this, both DOD and VA have plans to remove SSNs that are stored in these technologies on their cards.

If CMS were to use machine-readable technologies, they could present significant challenges to providers. For example, providers could experience difficulties due to the lack of standardization across these technologies. Representatives from one private health insurer we interviewed stated that while the use of cards with magnetic stripes worked well within a small region where they have large market-penetration, implementing such an effort in regions where providers contract with multiple insurers would be more difficult due to this lack of standardization. In addition, use of machine-readable cards would likely require providers to purchase additional equipment and could be problematic for providers that lack the necessary infrastructure, such as high-speed internet connections, to make machine-readable technologies feasible. According to CMS officials, implementing machine-readable technologies may also require cards that cost more than the paper Medicare card currently in use.

Removing the SSN from the Medicare card and not replacing it with a new identifier, an option also not considered in CMS’s report to Congress, could reduce beneficiaries’ vulnerability to identity theft, but would create burdens for beneficiaries, providers, and CMS. Complete removal of the SSN from the Medicare card would protect beneficiaries from identity theft in the event that a card is lost or stolen. However, like the truncation option, beneficiaries may have difficulty recalling their SSN at the time of service or when interacting with CMS.
This could also be difficult because the SSN needed to show eligibility may not be the beneficiary’s own. In addition, providers would likely need to change their administrative processes to obtain the needed information either by querying a database, calling CMS, or obtaining it directly from the beneficiary. Finally, because providers would still need to collect and store the SSN for eligibility verification and claims submission, beneficiaries would remain vulnerable to identity theft in the event of a provider data breach. 35

The VA used this approach to remove SSNs from the approximately 363,000 dependent care program cards, and officials stated that it requires providers to obtain the SSN at the time of service. However, Medicare covers over 48 million beneficiaries who receive services from 1.4 million providers, making such a change more burdensome. In addition, CMS would still encounter similar burdens as in the options presented in its 2011 report to Congress, including the need to educate beneficiaries and providers, and issue new cards, though the extent of the necessary changes to CMS IT systems under such an option is unknown.

CMS Reported Significant Costs Associated with Removing SSNs from Medicare Cards, but These Estimates May Not Be Reliable

CMS Reported that Removing SSNs from Medicare Cards would Cost Over $800 Million

In its 2011 report to Congress, CMS, in conjunction with SSA and RRB, developed cost estimates for the three options to alter the display of the SSN on Medicare cards or replace the SSN with a different unique identifier. CMS projected that altering or removing the SSN would cost between $803 million and $845 million.
CMS’s costs represent the majority of these costs (approximately 85 percent); while SSA and RRB’s costs represent approximately 12 percent and 0.2 percent, respectively. (See table 3.) 36

35 According to a membership organization for people aged 50 and older, completely removing the SSN from the Medicare card and not replacing it with another identifier would create concerns related to verification of eligibility and could potentially lead to increased incidences of fraud.

36 The remaining approximately 3.5 percent of the costs are state costs related to Medicaid IT system modifications. However, in its report CMS included these costs under CMS’s total.

Table 3: Agency Cost Estimates for CMS Options for Removing SSNs from Medicare Cards

| Cost category | Option 1. Truncated SSN | Option 2. New identifier (beneficiary use only) | Option 3. New identifier (beneficiary and provider use) |
|---|---|---|---|
| CMS cost estimates | | | |
| Modifications to existing state Medicaid IT systems and related costs (federal) (a) | $261,000,000 | $261,000,000 | $261,000,000 |
| Modifications to CMS IT systems | 231,790,000 | 222,055,000 | 263,725,000 |
| Reissuance of Medicare cards | 69,320,000 | 69,320,000 | 69,320,000 |
| Beneficiary outreach and education needs | 58,200,000 | 58,200,000 | 58,200,000 |
| CMS 1-800-Medicare communication plan | 48,200,000 | 48,200,000 | 48,200,000 |
| Provider outreach and education needs | 18,700,000 | 18,700,000 | 18,700,000 |
| Training CMS business partners and beneficiaries | 166,800 | 166,800 | 166,800 |
| Total CMS costs (b) | $687,376,800 | $677,641,800 | $719,311,800 |
| SSA cost estimates | | | |
| Responding to beneficiary inquiries and requests for new cards | 62,000,000 | 62,000,000 | 62,000,000 |
| Processing undeliverable cards | 28,000,000 | 28,000,000 | 28,000,000 |
| Online query access for SSA field offices to obtain new identifier | 3,000,000 | 3,000,000 | 3,000,000 |
| Outreach, training, revisions to current forms, and additional application time | 2,000,000 | 2,000,000 | 2,000,000 |
| Total SSA costs | $95,000,000 | $95,000,000 | $95,000,000 |
| RRB cost estimates | | | |
| RRB IT system conversions | 225,204 | 444,459 | 444,459 |
| Issuing new Medicare cards | 388,905 | 388,905 | 388,905 |
| Responding to beneficiary inquiries | 278,912 | 278,912 | 278,912 |
| User costs related to system and procedure changes | 145,952 | 145,952 | 145,952 |
| Beneficiary education and publications | 52,500 | 52,500 | 52,500 |
| Total RRB costs (c) | $1,091,473 | $1,310,728 | $1,310,728 |
| State costs | | | |
| Modifications to existing state Medicaid IT systems and related costs (state) (a) | 29,000,000 | 29,000,000 | 29,000,000 |
| Total state costs | $29,000,000 | $29,000,000 | $29,000,000 |
| Total estimated costs (d) | $812,468,273 | $802,952,528 | $844,622,528 |

Source: GAO analysis of data provided by the Centers for Medicare & Medicaid Services (CMS), the Social Security Administration (SSA), and the Railroad Retirement Board (RRB).

(a) CMS estimates that total modifications to existing state Medicaid systems would cost $290 million, of which CMS would be responsible for a federal share of $261 million. The states would be responsible for the remaining $29 million. Related costs include, for example, business process changes, training, and updates to system documentation.

(b) Totals presented in CMS’s report were $716,377,000; $706,642,000; and $748,311,000; however, CMS officials confirmed that state Medicaid costs should have been reported separately from CMS’s costs and that rounding errors were made in some of the totals presented in its report. GAO numbers reflect corrected calculations.

(c) Totals presented in CMS’s report were $1,092,000; $1,311,000; and $1,311,000; however, CMS officials confirmed that rounding errors were made in some totals presented in its report. GAO numbers reflect corrected calculations.

(d) Totals presented in CMS’s report were $812,469,000; $802,952,000; and $844,622,000; however, CMS officials confirmed that rounding errors were made in some totals presented in its report. GAO numbers reflect corrected calculations.

Approximately two-thirds of the total estimated costs (between $512 million and $554 million depending on the option) are associated with modifications to existing state Medicaid IT systems and CMS’s IT system conversions. 37 While modifications to existing state Medicaid IT systems and related costs are projected to cost the same across all three options, the estimated costs for CMS’s IT system conversions vary. This variation is due to the differences in the number of systems affected and the costs for modifying affected systems for the different options. CMS would incur costs related to modifying 40 IT systems under the truncated SSN option, 44 systems under the new identifier for beneficiary use option, and 48 systems under the new identifier for beneficiary and provider use option. In addition, the cost associated with changes to specific systems varied depending on the option. CMS’s estimates for all non-IT related cost areas are constant across the options. Other significant cost areas for CMS include reissuing the Medicare card, conducting outreach and education to beneficiaries about the change to the identifier, and responding to beneficiary inquiries related to the new card.

37 Modifications to state Medicaid IT systems would be needed in order to process information on individuals eligible for both Medicare and Medicaid. CMS would incur $261 million as the federal share of the estimated total of $290 million. The remaining $29 million would be the responsibility of the States.

Both SSA and RRB would also incur costs under each of the options described in CMS’s 2011 report. 38 SSA estimated that implementing any of the three options presented in the 2011 report would cost the agency $95 million. SSA’s primary costs included $62 million for responding to inquiries and requests for new Medicare cards from beneficiaries and $28 million for processing new cards mailed by CMS that are returned as undeliverable. SSA officials told us that even though CMS would be responsible for distributing new Medicare cards, SSA anticipated that about 13 percent of the beneficiary population would contact SSA with questions. RRB’s costs totaled between $1.1 million and $1.3 million. Between 21 and 34 percent of RRB’s total costs were related to IT system updates and changes, depending on the option. The rest of RRB’s costs were related to business functions, such as printing and mailing new cards; user costs related to system and procedure changes; and education and outreach.

38 Both SSA and RRB perform Medicare related activities and would need to make changes to their business processes and IT systems as a result of any of the options to remove SSNs from Medicare cards. SSA determines Medicare eligibility for persons who receive or are about to receive Social Security benefits, enrolls those who are eligible into Medicare, and assigns them a HICN. Though CMS prints and distributes the Medicare card, beneficiaries often contact SSA when they need a replacement card. RRB is responsible for determining Medicare eligibility for qualified railroad retirement beneficiaries, enrolling them into Medicare, assigning HICNs to these individuals, and issuing Medicare cards to them.

The cost estimates included in CMS’s 2011 report were as much as 2.5 times higher than those estimated in its 2006 report to Congress. 39 CMS attributed these increases to the inclusion of costs not included in the 2006 report, such as those associated with changes to state Medicaid systems and changes to its IT systems related to Part D, as well as a more thorough accounting of costs associated with many of the other cost areas, including SSA costs. In addition, CMS said in its 2006 report that phasing in a new identifier for beneficiaries over a 5- to 10-year period would reduce costs. However, in its 2011 report, CMS stated that such an option would be cost prohibitive because it would require running two parallel IT systems for an extended period of time. 40

39 In 2006, CMS estimated that removing the SSN from the Medicare card and replacing it with a new non-SSN based identifier would cost $338 million.

40 DOD officials told us that in its effort to remove SSNs from cards, DOD is issuing cards without SSNs as old cards expire and, for retirees, allowing them to keep their current card with the SSN printed on the front indefinitely unless they request a new card. According to DOD officials, the agency does not expect to incur additional costs associated with this phased approach, which is similar to the phased approach CMS described in its 2006 report.

The Methods and Assumptions CMS Used to Derive Cost Estimates Raise Questions about Their Reliability

There are several key concerns regarding the methods and assumptions CMS used to develop its cost estimates that raise questions about the reliability of its overall cost estimates. First, CMS did not use any cost estimating guidance when developing its estimates. GAO’s Cost Estimating and Assessment Guide identifies a number of best practices designed to ensure a cost estimate is reliable. 41 However, CMS officials acknowledged that the agency did not rely on any specific cost-estimating guidance, such as GAO’s cost-estimating guidance, during the development of the cost estimates presented in the agency’s report to Congress. The agency also did not conduct a complete life-cycle cost estimate on relevant costs, 42 such as those associated with IT system conversions. 43 CMS officials told us they did not conduct a full life-cycle cost estimate for each option because this was a hypothetical analysis, and doing so would have been too resource intensive for the purpose of addressing policy options. 44

41 GAO-09-3SP.

42 A life-cycle cost estimate provides an exhaustive and structured accounting of all resources and associated cost elements required to develop, produce, deploy, and sustain a particular program. This entails identifying all cost elements that pertain to the program from initial concept all the way through operations, support, and disposal. Life-cycle costing enhances decision making, especially in early planning and concept formulation of acquisition.

43 CMS officials told us that if the agency proceeded with one of the options described in the report, they would conduct a life-cycle cost estimate.

Second, the procedures used to develop estimates for the two largest cost categories—changes to existing state Medicaid IT systems and CMS’s IT system conversions—are questionable and not well documented. For each of CMS’s options, the agency estimated Medicaid IT changes would cost $290 million. 45 Given the size of this cost category, we have concerns about the age of the data, the number of states used to generalize these estimates, as well as the completeness of the information CMS collected. For example, CMS’s estimates for costs associated with its proposed changes were based on data collected in 2008, at which time the agency had not developed all of the options presented in its 2011 report. 46 In addition, while CMS asked for cost data from all states in 2008, it received data from only five states—Minnesota, Montana, Oklahoma, Rhode Island, and Texas—and we were unable to determine whether these states are representative of the IT system changes required by all states.
CMS extrapolated national cost estimates based on the size of these states, determined by the number of Medicare eligible beneficiaries in them. However, the cost of IT modifications to Medicaid systems would likely depend more on the specific IT systems and their configurations in use by the state than on the number of Medicare beneficiaries in the state. CMS was unable to provide documentation about the data it requested from states related to its cost projections, or documentation of the responses it received from states on the specific modifications to Medicaid IT systems that would be required. CMS officials also acknowledged that each state is different and their IT systems would require different modifications.

44 HHS also has specific guidance for conducting IT alternative analyses—HHS-IRM-2003-0002 Policy for Conducting Information Technology Alternative Analysis. CMS officials also told us that although they performed such an analysis, they were unaware of this guidance and followed no specific HHS guidance on alternative analysis or cost estimating.

45 In addition to Medicaid IT system modification costs, this cost category includes related costs, such as business process changes, training, and updates to system documentation.

46 CMS officials told us that the new identifier for beneficiary use, and new identifier for beneficiary and provider use options had already been developed at the time CMS requested data from the states, but the agency did not include the truncation option when it requested data from the states.

For the CMS IT-system conversion costs, officials told us that CMS derived its IT-system conversion cost estimates by asking its IT system owners for costs associated with changes to the systems affected under each of the three options. 47 However, CMS provided us with limited documentation related to the information it supplied to its system owners when collecting cost data to develop its estimates, and no supporting documentation for the data it received from system owners. The documentation CMS provided asked system owners to provide the basis for their estimates (including, for example, costs related to labor and hardware, and software changes and additions), and laid out general assumptions for system owners to consider. However, because CMS asked for estimates for broad cost categories, the data it received were general in nature and not a detailed accounting of specific projected costs. CMS officials also told us that system requirements changed over the course of their work; however, they provided no documentation related to how these changes were communicated to system owners. In addition, CMS officials told us that they generally did not attempt to verify estimates submitted by system owners. CMS could not explain how or why a number of the systems the agency believed would require modifications would be affected under its three options, or the variance in the costs to modify these systems across the options.

47 System owners refer to CMS employees or contractors who manage CMS IT systems.

Moreover, CMS’s cost estimates for the IT-related costs in its 2011 report were approximately three times higher than the estimate in the agency’s 2006 report. 48 That report stated that the majority of changes necessary to replace the existing number with a non-SSN-based identifier would affect only two systems; 49 however, the agency estimated in its 2011 report that up to 48 systems would require modification, depending on the option selected. 50 Furthermore, CMS’s 2006 report stated that the 2 primary IT systems affected—the Medicare Beneficiary Database and the Enrollment Database—account for $70 million, or 85 percent, of the IT-related costs. However, in the 2011 report, these 2 systems accounted for 5 percent or less of the IT-related costs, depending on the option implemented. CMS officials we interviewed were unable to explain the differences in the number of systems affected, or the costs of required modifications to IT systems between the 2006 and 2011 reports.

48 In its 2006 report to Congress, CMS estimated that removal of the SSN from Medicare cards would cost approximately $338 million, of which $80.2 million was attributable to start up costs for IT system modifications.

49 The 2006 report stated that “less extensive, but still significant change to other systems” would be required; however, 85 percent of the system conversion costs were associated with only two systems.

50 CMS’s 2011 report cited 51 systems that would be affected; however, information provided by CMS to GAO shows that between 40 and 48 IT systems would require modifications depending on the option implemented.

Third, there are inconsistencies in some assumptions used by CMS and SSA in the development of the estimates. For example, CMS and SSA used different assumptions regarding the number of Medicare beneficiaries that would require new Medicare cards. According to CMS officials, the agency based its cost estimates on the number of Medicare beneficiaries at the time the report was prepared (47 million), whereas SSA officials told us the agency based its estimates on the expected number of beneficiaries in 2015 (55 million), the year they estimated the new card would likely be issued. In addition, nearly 30 percent of SSA’s costs were related to processing newly-issued Medicare cards that are returned as undeliverable.
However, SSA officials told us that they were not aware that CMS’s cost estimates included plans to conduct an address-verification mailing at a cost of over $45 million prior to issuing new cards. Such a mailing could reduce the number of cards returned as undeliverable, and thus SSA’s costs associated with processing such cards.[51]

[51] SSA officials said that although they were unaware of this planned address verification mailing, they believe their estimate of the percent of cards returned as undeliverable is still appropriate.

Finally, CMS did not take into account other factors when developing its cost estimates, including related IT modernization efforts or potential savings from removing the SSN from Medicare cards. In developing its estimates, CMS did not consider ways to integrate IT requirements for removing the SSN from Medicare cards with those necessitated by other IT modernization plans to realize possible efficiencies. DOD and a private health insurer we interviewed reported that when removing SSNs from their cards, they updated their systems to accommodate this change in conjunction with other unrelated system upgrades. CMS officials told us that because many of the agency’s other IT modernization plans are unfunded, the agency does not know when or if these efforts will be undertaken. As a result, the agency is unable to coordinate the SSN removal effort or to estimate savings from combining such efforts. In its report, CMS also acknowledged that if the agency switched to a new identifier used by both beneficiaries and providers, there would likely be some savings due to improved program integrity and reduced need to monitor SSNs that may be stolen and used fraudulently. However, in developing its estimates, CMS did not include any potential savings the agency might accrue as a result of removing the SSN from Medicare cards.[52]

[52] In its 2011 report, CMS noted that the ability to “turn off” a beneficiary’s identifier under one of its proposed options could improve the agency’s ability to combat Medicare fraud, waste, and abuse.

Conclusions

Nearly six years have passed since CMS first issued a report to Congress that explored options to remove the SSN from the Medicare card, and five years have elapsed since the Office of Management and Budget directed federal agencies to reduce the unnecessary use of the SSN. While CMS has identified various options for removing the SSN from Medicare cards, CMS has not committed to a plan to remove them. The agency lags behind other federal agencies and the private sector in reducing the use of the SSN. DOD, VA, and private health insurers have taken significant steps to eliminate the SSN from display on identification and health insurance cards, and reduce its role in operations.

Of the options presented by CMS, the option that calls for developing a new identifier for use by beneficiaries and providers offers the best protection against identity theft and presents fewer burdens for beneficiaries and providers than the other two. Consistent with the approach taken by private health insurers, this option would eliminate the use and display of the SSN for Medicare processes conducted by beneficiaries and providers. While CMS reported that this option is somewhat more costly than the other options, the methods and assumptions CMS used to develop its estimates do not provide enough certainty that those estimates are credible. Moreover, because CMS did not have well-documented cost estimates, the reliability of its estimates cannot be assessed. Use of standard cost-estimating procedures, such as GAO’s estimating guidance, would help ensure that CMS cost estimates are comprehensive, well documented, accurate and credible. Moving forward, CMS could also explore whether the use of magnetic stripes, bar codes, or smart chips could offer other benefits such as increased efficiencies. Absent a reliable cost estimate, however, Congress and CMS cannot know the costs associated with this option and how to prioritize it relative to other CMS initiatives. Lack of action on this key initiative leaves Medicare beneficiaries exposed to the possibility of identity theft.

Recommendations for Executive Action

In order for CMS to implement an option for removing SSNs from Medicare cards, we recommend that the Administrator of CMS

• select an approach for removing the SSN from the Medicare card that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS, and
• develop an accurate, well-documented cost estimate for such an option using standard cost-estimating procedures.

Agency Comments and Our Evaluation

We provided a draft of this report to CMS, DOD, RRB, SSA, and VA for review and comment. CMS and RRB provided written comments which are reproduced in appendixes II and III. DOD, SSA, and VA provided comments by e-mail.

CMS concurred with our first recommendation to select an approach for removing the SSN from Medicare cards that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS. The agency noted that such an approach could protect beneficiaries from identity theft resulting from loss or theft of the card and would allow CMS a useful tool in combating Medicare fraud and medical identity theft. CMS also concurred with our second recommendation that CMS develop an accurate, well-documented cost estimate using standard cost-estimating procedures for an option that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS.
CMS noted that a more rigorous and detailed analysis of a selected option would be necessary in order for Congress to appropriate funding sufficient for implementation, and that it will utilize our suggestions to strengthen its estimating methodology for such an estimate.

DOD had no comments and did not comment on the report’s recommendations. RRB stated that the report accurately reflected its input and had no additional comment. SSA provided only one technical comment, which we incorporated as appropriate, but did not comment on the report’s recommendations. VA concurred with our findings, but provided no additional comments.

We are sending copies to the Secretaries of HHS, DOD and VA, the Administrator of CMS, the Commissioner of SSA, the Chairman of RRB, interested congressional committees, and others. In addition, the report will be available at no charge on the GAO website at http://www.gao.gov.

If you or your staffs have questions about this report, you may contact us at: Kathleen King, (202) 512-7114 or firstname.lastname@example.org or Daniel Bertoni, (202) 512-7215 or email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV.
Kathleen King
Director, Health Care

Daniel Bertoni
Director, Education, Workforce, and Income Security Issues

Appendix I: Burdens of CMS’s Proposed Options for Removal of SSN from Medicare Card (Accessible Text)

            | New identifier (beneficiary and provider use) | New identifier (beneficiary use only) | Truncated Social Security number (SSN)
Beneficiary | [a]                                           | [b]                                   | √ [c]
Provider    | [d]                                           | √ [e]                                 | √ [f]
CMS         | √ [g]                                         | √ [h]                                 | √ [i]

Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services and interviews with relevant stakeholders.

[a] While any change to the beneficiary identifier could cause initial confusion for beneficiaries, this option creates no additional burden for the beneficiary because the number on the card would be used to receive services and interact with CMS.
[b] While any change for the beneficiary identifier could cause initial confusion for beneficiaries, this option creates no additional burdens to the beneficiary because the number on the card would be used to receive services and interact with CMS.
[c] Could create additional burdens for beneficiaries because they could be required to remember their SSN in order to receive services and interact with CMS.
[d] While any change to the beneficiary identifier could cause initial confusion among providers, this option would not create additional burdens for the provider, as the provider would be able to obtain the number from the card provided by the beneficiary.
[e] Could create an additional burden for providers because it would require the provider to obtain the beneficiary’s SSN either from the beneficiary, by querying a CMS database, or by calling CMS in order to verify eligibility.
[f] Could create an additional burden for providers because it would require the provider to obtain the beneficiary’s SSN either from the beneficiary, by querying a CMS database, or by calling CMS in order to verify eligibility.
[g] According to CMS, this option would require the most significant modifications to its IT systems. All other burdens for CMS would be similar across the three options.
[h] According to CMS, this option would require the least significant modifications to its IT systems. All other burdens for CMS would be similar across the three options.
[i] According to CMS, this option would require more significant modifications to its IT systems than the new identifier-beneficiary use only option, and less significant modifications than the new identifier—beneficiary and provider use option. All other burdens for CMS would be similar across the three options.

Appendix II: Comments from the Centers for Medicare & Medicaid Services

Appendix III: Comments from the Railroad Retirement Board

Appendix IV: GAO Contacts and Staff Acknowledgments

GAO Contacts

Kathleen King, (202) 512-7114 or firstname.lastname@example.org or Daniel Bertoni, (202) 512-7215 or email@example.com.
Staff Acknowledgments

In addition to the contacts named above, the following individuals made key contributions to this report: Lori Rectanus, Assistant Director; Thomas Walke, Assistant Director; David Barish; James Bennett; Carrie Davidson; Sarah Harvey; Drew Long; and Andrea E. Richardson.

(290992)

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website (www.gao.gov). Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to www.gao.gov and select “E-mail Updates.”

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:
Website: www.gao.gov/fraudnet/fraudnet.htm
E-mail: firstname.lastname@example.org
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Katherine Siggerud, Managing Director, email@example.com, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, firstname.lastname@example.org, (202) 512-4800, U.S. Government Accountability Office, 441 G Street NW, Room 7149, Washington, DC 20548
Medicare: CMS Needs an Approach and a Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards
Published by the Government Accountability Office on 2012-08-01.