oversight

Medicare: CMS Needs an Approach and a Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards

Published by the Government Accountability Office on 2012-08-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                             United States Government Accountability Office

GAO                          Report to Congressional Requesters




August 2012
                             MEDICARE

                             CMS Needs an
                             Approach and a
                             Reliable Cost Estimate
                             for Removing Social
                             Security Numbers
                             from Medicare Cards



To access this report
electronically, scan this
QR Code.
Don't have a QR code
reader? Several are
available for free online.




GAO-12-831
                                             August 2012

                                             MEDICARE
                                             CMS Needs an Approach and a Reliable Cost
                                             Estimate for Removing Social Security Numbers
                                             from Medicare Cards
Highlights of GAO-12-831, a report to
congressional requesters




Why GAO Did This Study                       What GAO Found
More than 48 million Medicare cards          The Centers for Medicare & Medicaid Services’ (CMS) 2011 report to Congress
display the SSN, which increases             proposed three options for removing Social Security numbers (SSN) from
Medicare beneficiaries’ vulnerability to     Medicare cards. One option would truncate the SSN displayed on the card, but
identity theft. GAO was asked to             beneficiaries and providers would continue to rely on the SSN. The other two
review the options and associated            options would replace the SSN with a new identifier that would be displayed on
costs for removing SSNs from the             the card and either be used only by beneficiaries, or by both beneficiaries and
Medicare card. This report                   those who provide Medicare services. CMS, however, has not selected or
(1) describes the various options for        committed to implementing any of these options. The Departments of Defense
removing the SSN from Medicare
                                             (DOD) and Veterans Affairs (VA), and private insurers have already removed or
cards; (2) examines the potential
                                             taken steps to remove SSNs from display on their identification or health
benefits and burdens associated with
different options; and (3) examines
                                             insurance cards.
CMS’s cost estimates for removing            CMS’s option to replace the SSN with a new identifier for use by both
SSNs from Medicare cards.                    beneficiaries and providers offers the greatest protection against identity theft.
To do this work, GAO reviewed CMS’s          Beneficiaries’ vulnerability to identity theft would be reduced because the card
report, cost estimates, and relevant         would no longer display the SSN and providers would not need the SSN to
supporting documentation. GAO also           provide services or submit claims (negating the need for providers to store the
interviewed officials from CMS and           SSN). This option would also pose fewer burdens than the other two options
other agencies that perform Medicare         because beneficiaries would not have to remember an SSN to receive services
related activities (the Social Security      or to interact with CMS. Providers also would not need to conduct additional
Administration and Railroad                  activities, such as querying a CMS database, to obtain the SSN. The burdens for
Retirement Board), as well as officials      CMS would generally be similar across all the options, but CMS reported that this
from DOD and VA, which have                  option would require more information technology (IT) system modifications.
undertaken SSN removal efforts. GAO
also interviewed private health              Risk of Identity Theft with Medicare Card under CMS’s Three Proposed Options
insurance companies and relevant
stakeholder groups.

What GAO Recommends
GAO recommends that CMS (1) select
an approach for removing SSNs from
Medicare cards that best protects
beneficiaries from identity theft and
minimizes burdens for providers,
beneficiaries, and CMS and
(2) develop an accurate, well-
documented cost estimate for such an
option. CMS concurred with our
recommendations. VA, DOD, and RRB            CMS reported that each of the three options would cost over $800 million to
had no substantive comments. SSA             implement, and that the option to replace the SSN with a new identifier for use by
had a technical comment.
                                             both beneficiaries and providers would be somewhat more expensive, largely
                                             because of the IT modifications. However, the methodology and assumptions
                                             CMS used to develop its estimates raise questions about their reliability. For
                                             example, CMS did not use appropriate guidance, such as GAO’s cost-estimating
                                             guidance, when preparing the estimates to ensure their reliability. Additionally,
View GAO-12-831. For more information,       CMS could provide only limited documentation related to how it developed the
contact Kathleen King at (202) 512-7114 or   estimates for the two largest cost areas, both of which involve modifications to IT
kingk@gao.gov, or Daniel Bertoni at (202)    systems.
512-7215 or bertonid@gao.gov.
                                                                                         United States Government Accountability Office
Contents


Letter                                                                                      1
               Background                                                                   5
               Options for Removing SSNs from Medicare Cards Include Altering
                 the Display or Replacing the Number with a Different Identifier            8
               Replacing SSN with a New Identifier for Beneficiary and Provider
                 Use Offers Greatest Protection Against Identity Theft and
                 Minimizes Burdens                                                        15
               CMS Reported Significant Costs Associated with Removing SSNs
                 from Medicare Cards, but These Estimates May Not Be Reliable             21
               Conclusions                                                                29
               Recommendations for Executive Action                                       30
               Agency Comments and Our Evaluation                                         30

Appendix I     Burdens of CMS’s Proposed Options for Removal of SSN
               from Medicare Card (Accessible Text)                                       32



Appendix II    Comments from the Centers for Medicare & Medicaid Services                 33



Appendix III   Comments from the Railroad Retirement Board                                36



Appendix IV    GAO Contacts and Staff Acknowledgments                                     37



Tables
               Table 1: Examples of Interactions Requiring the Health Insurance
                        Claim Number (HICN)                                                 7
               Table 2: Display and Use of the Identifier in Various CMS Options
                        for Removing the SSN from Medicare Cards                          11
               Table 3: Agency Cost Estimates for CMS Options for Removing
                        SSNs from Medicare Cards                                          22




               Page i                           GAO-12-831 Removal of SSNs from Medicare Cards
Figures
          Figure 1: Medicare Card                                                                    6
          Figure 2: Risk of Identity Theft with Medicare Card under CMS’s
                   Three Proposed Options                                                           16
          Figure 3: Burdens of CMS’s Proposed Options for Removal of SSNs
                   from Medicare Cards                                                              18




          Abbreviations

          CMS               Centers for Medicare & Medicaid Services
          DOD               Department of Defense
          EDIPI             Electronic Data Interchange Person Identifier
          HHS               Department of Health and Human Services
          HICN              health insurance claim number
          IT                information technology
          MBI               Medicare Beneficiary Identifier
          RRB               Railroad Retirement Board
          SSA               Social Security Administration
          SSN               Social Security number
          VA                Department of Veterans Affairs
          VIC               Veterans Identification Card



          This is a work of the U.S. government and is not subject to copyright protection in the
          United States. The published product may be reproduced and distributed in its entirety
          without further permission from GAO. However, because this work may contain
          copyrighted images or other material, permission from the copyright holder may be
          necessary if you wish to reproduce this material separately.




          Page ii                                  GAO-12-831 Removal of SSNs from Medicare Cards
United States Government Accountability Office
Washington, DC 20548




                                   August 1, 2012

                                   The Honorable Sam Johnson
                                   Chairman
                                   Subcommittee on Social Security
                                   Committee on Ways and Means
                                   House of Representatives

                                   The Honorable Lloyd Doggett
                                   Ranking Member
                                   Subcommittee on Human Resources
                                   Committee on Ways and Means
                                   House of Representatives

                                   More than 48 million Medicare cards display Social Security numbers
                                   (SSN). Thieves can steal the information from these cards to commit
                                   various acts of identity theft, such as opening bank or credit card
                                   accounts or receiving medical services in a beneficiary’s name. In 2010,
                                   7 percent of households in the United States, or about 8.6 million
                                   households, had at least one member age 12 or older who experienced
                                   identity theft, according to U.S. Department of Justice figures. The
                                   estimated financial cost of identity theft during that time was
                                   approximately $13.3 billion. 1 Additionally, theft of this information could
                                   result from a data breach—the unauthorized disclosure of a beneficiary’s
                                   personally identifiable information. 2 Between September 2009 and March
                                   2012, the Department of Health and Human Services’ (HHS) Office for
                                   Civil Rights identified over 400 reports of provider data breaches involving
                                   protected health information that each affected more than 500
                                   individuals. 3



                                   1
                                    Lynn Langston, Identity Theft Reported by Households, 2005-2010, NCJ 236245
                                   (Washington, D.C.: U.S. Department of Justice, Office of Justice Programs, Bureau of
                                   Justice Statistics, November 2011).
                                   2
                                    For the purposes of this report, we define a data breach as the unauthorized acquisition,
                                   access, use, or disclosure of individually identifiable information.
                                   3
                                    We use the term provider to refer to any organization, institution, or individual that
                                   provides health care services to Medicare beneficiaries. These include hospitals, nursing
                                   facilities, physicians, hospices, ambulatory surgical centers, outpatient clinics, and
                                   suppliers of durable medical equipment, among others.




                                   Page 1                                   GAO-12-831 Removal of SSNs from Medicare Cards
The SSN is displayed on Medicare cards, and it is the main component of
the health insurance claim number (HICN). The Social Security
Administration (SSA) and the Railroad Retirement Board (RRB) assign
the HICNs to eligible Medicare beneficiaries. HHS’s Centers for Medicare
& Medicaid Services (CMS) administers the Medicare program, 4 and
relies on the HICN for numerous Medicare purposes. For example, CMS
requires beneficiaries to provide the HICN to document eligibility for
Medicare services; requires providers to use the number to bill for
services; and uses the number and claims information to analyze
Medicare’s performance and conduct program integrity efforts. 5 Each
beneficiary is issued a Medicare card that prominently displays the HICN,
and CMS advises beneficiaries to carry this card with them at all times
and show this card to medical providers when receiving services. As we
have reported, however, the explicit display and use of the SSN poses a
threat of identity theft. 6

The importance of enhancing security protections for SSN display and
use has resulted in multiple actions by federal and state governments and
the private sector. For example, SSA has advised for years that
individuals not carry their Social Security card with them. In 2007, the
Office of Management and Budget issued a directive to all federal
agencies to develop a plan for reducing the unnecessary use of SSNs
and exploring alternatives to their use. 7 Many federal agencies, including
the Departments of Defense (DOD) and Veterans Affairs (VA), have
taken significant steps to remove SSNs from their health insurance and
identification cards. In the private sector, health insurers have also
removed SSNs from their insurance cards in an effort to comply with state
laws and protect beneficiaries from identity theft.




4
 Medicare is the federal health insurance program for individuals over the age of 65,
individuals under the age of 65 with certain disabilities, and individuals with end-stage
renal disease.
5
 CMS’s program integrity efforts for Medicare include the detection of improper billing
through analysis of claims.
6
 See GAO, Social Security Numbers: More Could Be Done to Protect SSNs.
GAO-06-586T (Washington, D.C.: Mar. 30, 2006).
7
 Office of Management and Budget Memorandum M-07-16. Safeguarding Against and
Responding to the Breach of Personally Identifiable Information (Washington, D.C.:
May 22, 2007).




Page 2                                    GAO-12-831 Removal of SSNs from Medicare Cards
In 2004, we reported that CMS determined it would be cost-prohibitive to
remove the SSN from the Medicare card. 8 In a 2006 report to Congress,
CMS highlighted an option for removing the SSN from the Medicare card
and estimated it would cost over $300 million to do so. 9 In 2010,
members of Congress asked CMS to update that report in light of the fact
that CMS had not taken actions to remove SSNs from Medicare cards.
CMS subsequently issued a report in November 2011. 10 You asked that
we review CMS’s 2011 report, including the options it presented for
removing the SSN from Medicare cards and the estimated costs. In
addition, you asked that we examine the lessons learned from DOD and
VA’s efforts to remove SSNs from their insurance cards. Consequently,
this report (1) describes the various options for removing the SSN from
Medicare cards; (2) examines the potential benefits and burdens
associated with the various options for removing SSNs from Medicare
cards; and (3) examines CMS’s cost estimates for removing SSNs from
Medicare cards.

To describe the options for removing SSNs from Medicare cards, we
reviewed CMS’s 2011 report to Congress titled Update on the
Assessment of the Removal of Social Security Numbers from Medicare
Cards, as well as supporting documentation provided by CMS. We
interviewed officials from CMS, SSA, and RRB. To obtain a broader
perspective on efforts to remove SSNs from health insurance and
identification cards, we interviewed officials from DOD, VA, and the
following relevant stakeholders: three private health insurers that
implemented efforts to remove SSNs from their cards; 11 a provider
association for physician group practices; a health insurance industry
association; and a membership organization for people age 50 and older,
a population that would be significantly affected by the removal of SSNs
from Medicare cards.



8
 GAO, Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards, GAO-05-59 (Washington, D.C.: Nov. 9, 2004).
9
 Centers for Medicare & Medicaid Services, Report to Congress: Removal of Social
Security Number from the Medicare Health Insurance Card and Other Medicare
Correspondence (Baltimore, Md.: October 2006).
10
  Centers for Medicare & Medicaid Services, Update on the Assessment of the Removal
of Social Security Numbers from Medicare Cards (Baltimore, Md.: November 2011).
11
    Combined, these three health insurers cover more than 48 million individuals.




Page 3                                    GAO-12-831 Removal of SSNs from Medicare Cards
To examine the potential benefits and burdens of the options CMS
proposed for removing SSNs from Medicare cards, we interviewed
officials from CMS to obtain more information about the options presented
in its report. We also interviewed officials from DOD and VA to learn
about their efforts to remove SSNs from their cards and the factors they
considered when implementing such efforts. During our interviews with
private health insurers and other stakeholders, we obtained information
about the benefits and burdens faced by providers and beneficiaries
when removing SSNs from health insurance cards. We assessed the
options presented by CMS based on the following criteria: (1) maximized
protection against identity theft; and (2) minimized burdens on
beneficiaries, providers, and CMS. These criteria were developed based
on prior GAO work on identity theft and informed by information from
CMS’s 2011 report and interviews with CMS officials and others.

To examine CMS’s cost estimates for removing SSNs from Medicare
cards, we interviewed officials at CMS, SSA, and RRB to obtain details
about the development of the cost estimates, including the methods and
underlying assumptions used to derive them. We also interviewed officials
from DOD and VA to obtain information on the costs to those agencies
related to their initiatives to remove SSNs from DOD and VA identification
cards. When interviewing relevant stakeholders, we obtained information
about the costs associated with switching from an SSN-based to a non-
SSN based identifier on their health insurance cards, to the extent such
information was available. In addition, as part of our assessment of
CMS’s cost estimates, we used GAO’s Cost Estimating and Assessment
Guide, as appropriate. 12 This guide identifies best practices that should
be followed to ensure that a reliable cost estimate is comprehensive, well-
documented, accurate, and credible. Our assessment included examining
the extent to which CMS cost estimates were documented, and that the
assumptions used to develop these estimates were supported and
appeared to be reasonable.

We conducted this performance audit from January 2012 to July 2012 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our



12
 GAO Cost Estimating and Assessment Guide: Best Practices for Developing and
Managing Capital Program Costs. GAO-09-3SP (Washington, D.C.: March 2009).




Page 4                               GAO-12-831 Removal of SSNs from Medicare Cards
                            findings and conclusions based on our audit objectives. We believe that
                            the evidence obtained provides a reasonable basis for our findings and
                            conclusions based on our audit objectives.



Background
Medicare, Medicare Cards,   Medicare, the federal health insurance program that serves the nation’s
and the HICN                elderly, certain disabled individuals and individuals with end-stage renal
                            disease, had total program expenditures of $565 billion in 2011, making it
                            one of the largest federal programs. The Medicare program is
                            administered by CMS and consists of four parts: A, B, C, and D. Medicare
                            parts A and B are also referred to as fee-for-service programs. Part A
                            covers hospital and other inpatient stays, hospice, and home health
                            service; and Part B covers hospital outpatient, physician, and other
                            services. The Medicare card is used as proof of eligibility for both of these
                            programs. Part C is Medicare Advantage, under which beneficiaries
                            receive benefits through private health plans. Part D is the Medicare
                            outpatient prescription drug benefit. CMS requires that cards issued by
                            Part C and Part D health plans do not display an SSN.

                            For most individuals, SSA determines eligibility for Medicare and assigns
                            the individual’s HICN. However, for the approximately 550,000 Railroad
                            Retirement beneficiaries and their dependents, the RRB determines
                            Medicare eligibility and assigns this number. CMS or RRB mails paper
                            cards to all beneficiaries, which display the individual’s full name, gender,
                            eligibility status (Part A and/or Part B), their effective date of eligibility,
                            and the SSN-based HICN, referred to on the card as the Medicare Claim
                            Number. (See fig. 1.)




                            Page 5                             GAO-12-831 Removal of SSNs from Medicare Cards
Figure 1: Medicare Card




The HICN is constructed using the 9-digit SSN of the primary wage
earner whose work history qualifies an individual for Medicare, followed
by a 1- or 2-character code, referred to as the beneficiary identification
code, that specifies the relationship of the card holder to the individual
who makes the beneficiary eligible for benefits. 13 In most cases, the SSN
on the card is the card holder’s own; however, approximately 14 percent
of Medicare beneficiaries have cards that contain the SSN of the family
member whose work history makes the beneficiary eligible for Medicare
benefits.

A unique identifier is an essential component for administering health
insurance. Such an identifier is used by providers to identify beneficiaries
and submit claims for payment. As Medicare’s primary unique identifier,


13
  For example, an A suffix indicates the card holder is a retired or disabled worker
(primary claimant). The B or B1 suffix indicates a wife or husband, respectively, of the
retired wage earner. The C suffix indicates a child of a retiree, or a disabled child or
student. The D suffix indicates a widow and an E suffix signifies a widowed mother.
Additional letters or numerical digits may also be used as part of the beneficiary
identification code to provide more-detailed relationship information.




Page 6                                   GAO-12-831 Removal of SSNs from Medicare Cards
the HICN is used by beneficiaries, providers, and CMS and its
contractors. State Medicaid programs, which are jointly funded federal-
state health care programs that cover certain low-income individuals, use
the HICN to coordinate payments for dual-eligible beneficiaries—
individuals who are enrolled in both Medicare and Medicaid. 14 (See
table 1 for examples of various interactions that require the HICN).

Table 1: Examples of Interactions Requiring the Health Insurance Claim Number
(HICN)

    Stakeholder                                 Interactions requiring HICN
    Beneficiaries                               •     Accessing care from Medicare providers
    (48.7 million)                              •     Logging into the Medicare website administered by
                                                      CMS for Medicare beneficiaries
                                                •     Calling 1-800-MEDICARE (the Medicare help line)
                                                      for assistance
                                                •     Submitting appeals for coverage
    Providers                                   •     Verifying Medicare eligibility at the time of service
    (1.4 million)                               •     Submitting claims to receive payment for services
                                                      provided
                                                •     Collecting data for evaluating quality of care
                                                •     Submitting appeals for coverage
    Centers for Medicare &                      •     Confirming eligibility
    Medicaid Services (CMS)                     •     Processing claims submitted by providers
    and contractors
                                                •     Paying providers for services rendered
                                                •     Conducting program integrity activities to prevent
                                                      or identify Medicare fraud, waste, and abuse
    State Medicaid programs                     •     Coordinating payments for services provided by
                                                                              a
                                                      Medicare and Medicaid
Source: GAO analysis of Centers for Medicare & Medicaid Services (CMS) information.
a
This effort is conducted for dual-eligible individuals who are enrolled in both the Medicare and
Medicaid programs.




14
  Medicare beneficiaries may become eligible for Medicaid if, for example, their income
and resources decline below certain thresholds. In addition, Medicaid beneficiaries may
become eligible for Medicare by, for example, turning 65 years old.




Page 7                                                   GAO-12-831 Removal of SSNs from Medicare Cards
                         Beneficiaries must use their HICN when interacting with CMS, such as
                         when they log into the Medicare website or call 1-800-MEDICARE for
                         assistance. Using their issued card, beneficiaries also provide this
                         information to providers at the time of service, and providers use this
                         information to confirm eligibility and submit claims to receive payment for
                         services. CMS and its contractors operate approximately 50 information
                         technology (IT) systems, 15 many of which are interdependent, that use
                         this information in some manner to process beneficiary services and
                         claims and conduct a number of other activities related to payment and
                         program-integrity efforts. These IT systems vary considerably in terms of
                         age and interoperability, making them difficult to change.



Options for Removing
SSNs from Medicare
Cards Include
Altering the Display
or Replacing the
Number with a
Different Identifier
CMS Proposed Three       In its November 2011 report, CMS proposed three options for removing
Options for Removing     SSNs from Medicare cards. One option would involve altering the display
SSNs from the Medicare   of the SSN through truncation, 16 and the other two options would involve
                         the development of a new identifier. 17 All three options would vary with
Cards
                         regard to the type of identifier displayed on the card and the actions
                         providers and beneficiaries would need to take in order to use the
                         identifier for needed services. CMS officials told us that they limited their
                         options to those retaining the basic format of the current paper card, and
                         did not consider other options that they believed were outside the scope




                         15
                          IT systems refer to systems and databases.
                         16
                          Truncation refers to the practice of masking certain digits in the SSN.
                         17
                           In all three options, CMS would continue to use the SSN in its internal systems and to
                         communicate with various partners including SSA and RRB.




                         Page 8                                  GAO-12-831 Removal of SSNs from Medicare Cards
of the congressional request. For example, CMS did not consider using
machine-readable technologies, such as bar codes or magnetic stripes. 18

•     Option 1: Truncating the SSN: Under this option, the first five digits
      of the SSN would be replaced with ‘X’s (e.g., XXX-XX-1234) for
      display on the card. However, the full SSN would continue to be used
      for all Medicare business processes. As a result, when interacting with
      CMS, beneficiaries would need to recall the full SSN or provide
      additional personally identifiable information in order for CMS to
      match the beneficiary with his or her records. 19 To interact with CMS,
      providers would also need to obtain the complete SSN using an
      existing resource. This would involve querying an existing database,
      calling a CMS help line, or asking the beneficiary for the complete
      SSN or other personally identifiable information. 20

•     Option 2: Developing a New Identifier for Beneficiary Use: Under
      this option, the SSN would be replaced by a new identifier not based
      on the SSN that would be displayed on the card, similar to private
      health insurance cards. CMS refers to this new identifier as the
      Medicare Beneficiary Identifier (MBI). This number would be used by
      beneficiaries when interacting with CMS. Providers, however, would
      be required to continue to use the SSN when interacting with CMS
      and conducting their business processes. To obtain this information,
      providers would be expected to electronically request it from CMS
      using the new identifier. CMS said it would need to create a new
      database for this purpose. 21




18
  A bar code is an optical machine-readable representation of data. Bar codes use printed
and variously patterned bars and spaces that can be scanned and read into computer
memory. A magnetic stripe, such as those found on credit cards, is placed on a card and
used to store information that can be read by swiping the card through a machine.
19
  Examples of such information include date of birth, address, spouse’s name, or other
personal or identifying information that is linked or linkable to a specific individual. This
additional information would be necessary because the last four digits of an SSN are not
sufficient on their own to uniquely identify an individual because more than one individual
may have the same last four digits.
20
  The database and help line are efforts maintained by existing CMS contractors.
Providers could also use the SSN that is stored in the beneficiary’s record.
21
    Providers could also call CMS or ask beneficiaries for their full SSN.




Page 9                                     GAO-12-831 Removal of SSNs from Medicare Cards
•   Option 3: Developing a New Identifier for Beneficiary and
    Provider Use: Under this option, the SSN would be replaced by a
    new identifier not based on the SSN, which would be displayed on the
    card. As in option 2, CMS referred to this number as the MBI. In
    contrast to option 2, however, this new number would be used by both
    beneficiaries and providers for all interactions with CMS. Under this
    option, the SSN would no longer be used by beneficiaries or providers
    when interacting with CMS, which could eliminate the need for
    providers to collect or keep the SSN on file. 22 CMS and its contractors
    would continue to use the SSN for internal data purposes, such as
    claims processing. Table 2 summarizes the characteristics of the
    CMS options.




22
  Providers frequently store a beneficiary’s health care identifier in electronic or paper
records in order to submit claims for payment. Providers may collect a beneficiary’s SSN
for other purposes.




Page 10                                  GAO-12-831 Removal of SSNs from Medicare Cards
Table 2: Display and Use of the Identifier in Various CMS Options for Removing the SSN from Medicare Cards

                                                                                                                                                New identifier
                                      Current                                                       New identifier                              (beneficiary and
Display and use of the identifier     Medicare card             Truncated SSN                       (beneficiary use only)                      provider use)
Identifier displayed on card          SSN                       Truncated SSN                       New identifier                              New identifier
Identifier used by beneficiary to     SSN                       SSN                                 New identifier                              New identifier
interact with CMS
How beneficiary obtains identifier    Refer to card             Recall first 5 digits of            Refer to card                               Refer to card
                                                                                    a
to interact with CMS                                            SSN or call CMS
Identifier used by provider to interact SSN                     SSN                                 SSN                                         New identifier
with CMS
How provider obtains the identifier   Refer to card             Use existing resources Electronically request SSN                               Refer to card
                                                                                  b
to interact with CMS                                            to obtain full SSN     using new identifier
                                              Source: GAO analysis of information provided by Centers for Medicare & Medicaid Services (CMS).
                                              a
                                               When calling CMS, beneficiaries would also need to provide additional personally identifiable
                                              information, which could include date of birth, spouse’s name, or address in order to obtain complete
                                              information.
                                              b
                                               Existing resources include an online database or a call-center operated by a CMS contractor.
                                              Providers would need to obtain additional personally identifiable information from the beneficiary and
                                              submit it to CMS in order to identify the beneficiary. Providers could also request the full Social
                                              Security number (SSN) from the beneficiary at the time of service.


                                              CMS, SSA, and RRB reported that all three options would generally
                                              require similar efforts, including coordinating with stakeholders;
                                              converting IT systems; conducting provider and beneficiary outreach and
                                              education; conducting training of business partners; and issuing new
                                              cards. However, the level and type of modifications required to IT
                                              systems vary under each option. These systems are responsible for
                                              various business functions that perform claims processing, eligibility
                                              verification, health plan enrollment, coordination of benefits, program
                                              integrity, and research efforts. According to CMS, between 40 and 48 of
                                              its IT systems would require modifications, depending on the option
                                              selected. The truncated SSN option would require modifications to 40
                                              systems; the option that uses a new identifier for beneficiary use would
                                              require modifications to 44 systems; and the option that uses a new
                                              identifier for beneficiary and provider use would require modifications to
                                              48 systems.

                                              In its 2011 report, CMS estimated that any of the 3 proposed options
                                              would likely take up to 4 years to implement. During the first 3 years,
                                              CMS would coordinate with stakeholders; complete necessary IT system
                                              conversions; conduct provider and beneficiary outreach and education;
                                              and conduct training of business partners. In the fourth year, CMS would
                                              issue new Medicare cards to all beneficiaries over a 12-month period.



                                              Page 11                                                   GAO-12-831 Removal of SSNs from Medicare Cards
                           CMS officials stated that the agency could not implement any of the
                           options without additional funding from Congress. In its report, CMS
                           noted that the actual time needed for implementation could vary due to
                           changing resources or program requirements. Similar to its 2006 report,
                           CMS has not taken action needed to implement any of the options for
                           removing the SSN it presented in its report.


DOD, VA, and Private       DOD has taken steps to remove the SSN from display on the
Health Insurers Have       approximately 9.6 million military identification cards that are used by
Taken Steps to Remove      active-duty and retired military personnel and their dependents to access
                           health care services. 23 DOD is replacing the SSNs previously displayed
SSNs from Cards’ Display
                           on these cards with two different unique identifiers not based on the
                           SSN. 24 In 2008, DOD began its SSN removal effort by removing
                           dependents’ SSNs from display on their military identification cards, but
                           retained the sponsor’s SSN and left SSNs embedded in the cards’ bar
                           codes. The dependents’ cards did not display any unique identifier. On
                           June 1, 2011, DOD discontinued issuing any military identification card
                           that displayed an SSN and began issuing cards that displayed two
                           different unique identifiers; however, SSNs continued to be embedded in
                           the cards’ bar codes. Starting December 1, 2012, DOD will discontinue
                           embedding the SSN in the cards’ bar codes. With the exception of cards
                           issued to retired military personnel, DOD anticipates that the SSNs will be
                           completely removed from all military identification cards by December
                           2016. 25 DOD officials reported that because retirees’ cards may still
                           contain the SSN as an identifier, and because some contractors providing



                           23
                             Military personnel and federal employees provide health care to DOD’s active-duty and
                           retired military personnel and their dependents in military treatment facilities under the
                           military health care program known as TRICARE. Active duty and retired military
                           personnel and their dependents present their military identification cards at the time of
                           service. DOD active duty and retired military personnel and their dependents also access
                           health care through private providers. When beneficiaries access care from private
                           providers, they must present both their military identification card and a separate health
                           care card issued by the DOD contractor administering their TRICARE plan at the time they
                           receive service.
                           24
                             The two identifiers are being added only to cards issued after June 1, 2011. One
                           identifier, the Electronic Data Interchange Person Identifier (EDIPI), is used DOD-wide to
                           identify a specific individual. The other identifier, the DOD Benefits Number is assigned to
                           each individual eligible for DOD health benefits and other entitlements.
                           25
                             Unlike military identification cards issued to active-duty military personnel and
                           dependents, cards issued to military retirees do not have an expiration date.




                           Page 12                                   GAO-12-831 Removal of SSNs from Medicare Cards
health care services may continue to use the SSN for eligibility purposes
and processing claims, DOD’s IT systems will continue to support multiple
identifiers, including the SSN, until such time as all SSNs have been
replaced with the two new unique identifiers. DOD cards issued to active-
duty military personnel also contain a smart chip, which is used for
accessing facilities and IT systems, and may be used to access health
care services in some facilities. 26 Cardholders’ SSNs are concealed in the
smart chip.

VA has also taken steps to remove the SSN from display on its
identification and health care cards. The Veterans Identification Card
(VIC) is issued by VA to enrollees and can be used by veterans to access
health care services from VA facilities and private providers. In 2011,
8.6 million veterans were eligible to receive health care services and,
according to VA officials, about 363,000 dependents of veterans were
eligible to receive care through VA’s dependent-care programs. 27 VA
began removing SSNs from display on the VIC in 2004, but the SSN
continues to be embedded in the cards’ magnetic stripes and bar codes.
Since that time, VA officials report that the department has issued
approximately 7.7 million VICs. VA officials also stated that, in the first
quarter of fiscal year 2013, VA will start issuing new VICs that will display
a new unique identifier for the veteran and embed the new identifier in the
card’s magnetic stripe and bar code, replacing the SSN. 28 VA also
removed SSNs from display on the cards issued to beneficiaries in VA
dependent-care programs without replacing it with a new identifier, and
beneficiaries in these programs now provide their SSN verbally at the
time of service. 29




26
  The smart chip is an integrated circuit chip that can be used to store large amounts of
information, including SSNs or other unique identifiers, and can exchange data with other
systems and process information. By securely exchanging information, a smart card can
authenticate the identity of the individual possessing the card in a more rigorous way than
is possible with traditional identification cards.
27
 Dependents of veterans may have received health care from: the Civilian Health and
Medical Program of the Department of Veterans Affairs; the Spina Bifida program; and the
Children of Women Vietnam Veterans program.
28
  This new identifier will be the EDIPI. DOD has assigned an EDIPI for 17 million
veterans.
29
 These cards do not have magnetic stripes or bar codes.




Page 13                                  GAO-12-831 Removal of SSNs from Medicare Cards
Representatives from a national organization representing private health
insurers told us that, to their knowledge, all private health insurers have
removed the SSN from display on insurance cards and replaced it with a
unique identifier not based on the SSN. Private insurers use these new
identifiers for all beneficiary and provider interactions, including
determining eligibility and processing claims. According to these officials,
private health insurers took those steps to comply with state laws and
protect beneficiaries from identity theft. Consistent with this,
representatives from the private health insurers we interviewed reported
removing SSNs from their cards’ display and issuing beneficiaries new
identifiers not based on the SSN, which are now used in all beneficiary
and provider interactions.

Officials we interviewed from DOD, VA, and private health insurers all
reported that the process to remove the SSN from cards and replace the
SSN with a different unique identifier is taking or took several years to
implement and required considerable planning. During their transition
periods, DOD, VA, and private health insurers reported that they made
modifications to IT systems; collaborated with providers and contractors;
and educated providers and beneficiaries about the change. One private
health insurer we interviewed reported that it allowed for a transition
period during which providers could verify eligibility or submit claims using
either the SSN or the new unique identifier. This health insurer noted that
this allowance, along with the education and outreach it provided to both
beneficiaries and providers, resulted in a successful transition. Another
health insurer reported that it is providing IT support for both the SSN and
the new unique identifier indefinitely in case providers mistakenly use the
SSN when submitting claims.




Page 14                           GAO-12-831 Removal of SSNs from Medicare Cards
Replacing SSN with a
New Identifier for
Beneficiary and
Provider Use Offers
Greatest Protection
Against Identity Theft
and Minimizes
Burdens
CMS’s Option to Replace   Replacing the SSN with a new identifier for use by beneficiaries and
the SSN with a New        providers offers beneficiaries the greatest protection against identity theft
Identifier for Use by     relative to the other options CMS presented in its report. (See fig. 2.)
                          Under this option, only the new identifier would be used by beneficiaries
Beneficiaries and         and providers. This option would lessen beneficiaries’ risk of identity theft
Providers Offers the      in the event that their card was lost or stolen, as the SSN would no longer
Greatest Protection       be printed on the card. Additionally, because providers would not need to
Against Identity Theft    collect a beneficiary’s SSN or maintain that information in their files,
                          beneficiaries’ vulnerability to identity theft would be reduced in the event
                          of a provider data breach.




                          Page 15                           GAO-12-831 Removal of SSNs from Medicare Cards
Figure 2: Risk of Identity Theft with Medicare Card under CMS’s Three Proposed
Options




The other two options CMS presented in its 2011 report provide less
protection against identity theft. For example, replacing the SSN with a
new number just for beneficiary use would offer some protection against
identity theft for beneficiaries because no portion of the SSN would be
visible on the Medicare card. This would reduce the likelihood of identity
theft with the SSN if a card is lost or stolen. However, providers would still
need to collect and store the SSN, leaving beneficiaries vulnerable to
identity theft in the event of a provider data breach. CMS’s truncated SSN
option would provide even less protection against identity theft. This
option would eliminate full visibility of the SSN on the Medicare card,
making it more difficult to use for identity theft. However, we have
previously reported that the lack of standards for truncation mean that
identity thieves can still construct a full SSN fairly easily using truncated
SSNs from various electronic and hard copy records. 30 In addition, under



30
  In past work, we have reported that it is possible to reconstruct truncated SSNs by
comparing different public records that had truncated SSNs in different ways. See GAO,
Social Security Numbers: Federal Actions Could Further Decrease Availability in Public
Records, though Other Vulnerabilities Remain, GAO-07-752 (Washington, D.C.: June 15,
2007).




Page 16                                GAO-12-831 Removal of SSNs from Medicare Cards
                            this option, providers would still store the SSN in their files, thereby
                            making beneficiaries vulnerable to identity theft in the event of a provider
                            data breach.


CMS’s Option to Replace     We found that CMS’s option to replace the SSN with a new identifier for
the SSN with a New          use by beneficiaries and providers presents fewer burdens for
Identifier for Use by       beneficiaries and providers relative to the other options presented in
                            CMS’s 2011 report. (See fig. 3.) Under this option, the new identifier
Beneficiaries and           would be printed on the card, and beneficiaries would use this identifier
Providers Would Minimize    when interacting with CMS, eliminating the need for beneficiaries to
Burdens for Beneficiaries   memorize their SSN or store it elsewhere as they might do under other
and Providers               options. This option may also present fewer burdens for providers, as
                            they would not have to query databases or make phone calls to obtain a
                            beneficiary’s information to submit claims. 31 Private health insurers we
                            interviewed all reported using a similar approach to remove SSNs from
                            their insurance cards. Representatives from these insurers reported that
                            while there was some initial confusion and issues with claims submission
                            during the transition period, proactive outreach efforts to educate
                            providers about this change, as well as having a grace period during
                            which the SSN or new identifier could be used by providers to submit
                            claims, minimized issues and resulted in a relatively smooth transition.




                            31
                              There may be some initial burdens for providers and beneficiaries under any of the three
                            options presented by CMS. For example, according to CMS officials, some providers may
                            be required to update their IT software and beneficiaries may be confused by any change
                            to their identifier.




                            Page 17                                 GAO-12-831 Removal of SSNs from Medicare Cards
Interactive graphic       Figure 3: Burdens of CMS’s Proposed Options for Removal of SSNs from Medicare Cards



                                       Directions:

                                       Roll over each cell for additional information about the burdens related to each option.


                                          New identifier
                                         (Beneficiary and                             New identifier                                     Truncated SSN
                                           provider use)                           (Beneficiary use only)


  Beneficiary                                                                                                                                          3


  Provider                                                                                            3                                                3


  CMS                                                 3                                               3                                                3

                                              Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services (CMS) and interviews with
                                              relevant stakeholders.




     Print instructions    To print text version of this graphic, go to appendix I


                                   Page 1                                                               GAO-12-831 Removal of SSNs from Medicare Cards
The other two options CMS presented in its 2011 report would create
additional burdens for beneficiaries and providers. Beneficiaries may
experience difficulties under the truncated SSN option, as they may need
to recall their SSN, which could be their own SSN or that of a family
member. CMS officials stated that the age of Medicare beneficiaries and
the fact that their current identification number may be based on another
family member’s SSN could make it difficult for beneficiaries to remember
the number. In addition, about 31 percent of Medicare beneficiaries
residing in the community have a known cognitive or mental impairment,
making recalling their number by memory potentially difficult. 32 Under
both of these remaining options, providers would need to perform
additional tasks, such as querying a CMS database or calling CMS, to
obtain the full SSN to verify eligibility and submit claims. 33

Regardless of option, the burdens experienced by CMS would likely be
similar because the agency would need to conduct many of the same
activities and would incur many of the same costs. For example, it would
need to reissue Medicare cards to current beneficiaries; conduct outreach
and education to beneficiaries and providers; and conduct training for
business partners. CMS would also likely see increased call volume to its
1-800-Medicare line with questions about the changes. In addition, there
would likely be costs associated with changes to state Medicaid IT
systems. However, according to CMS officials, the option that calls for
replacing the SSN with a new identifier to be used by beneficiaries and
providers would have additional burdens because of the more extensive
changes required to CMS’s IT systems compared to the other options.
This option, however, would also potentially provide an additional benefit
to CMS, as the agency would be able to completely “turn off” the
identification number and replace it with a new one in the event that a
beneficiary’s number is compromised, something that is not possible with
the SSN. 34




32
 The Kaiser Family Foundation, “Medicare Chartbook, Fourth Edition,” November 2010.
33
  Providers may also request the SSN from beneficiaries or rely on the SSN documented
in a patient’s records.
34
  CMS currently monitors nearly 275,000 compromised HICNs, which are HICNs that
have been subject to actual or possible unauthorized disclosure or access as the result of
physical or electronic theft. As long as CMS uses the HICN for transactions, the agency
must continue to monitor compromised HICNs.




Page 19                                 GAO-12-831 Removal of SSNs from Medicare Cards
Other Options Not            CMS did not consider in its 2011 report how machine readable
Explored by CMS for          technologies—such as bar codes, magnetic stripes, or smart chips—
Removing SSNs Would          could assist in the effort to remove SSNs from Medicare cards. Machine-
                             readable technologies have been implemented to varying degrees by
Present Additional           DOD and VA. According to DOD and VA officials, DOD is using a smart
Burdens for Beneficiaries,   chip and barcode to store the cardholder’s personally identifiable
Providers, and CMS           information, and VA is issuing cards in which such information and other
                             identifiers are stored in magnetic stripes and bar codes. Machine-
                             readable technologies may provide additional benefits, such as increased
                             efficiency for providers and beneficiaries. Furthermore, machine readable
                             technologies provide some additional protection against identity theft, but
                             officials we spoke with stated that the widespread availability of devices to
                             read magnetic stripes and bar codes have made these technologies less
                             secure. Because of this, both DOD and VA have plans to remove SSNs
                             that are stored in these technologies on their cards.

                             If CMS were to use machine-readable technologies, they could present
                             significant challenges to providers. For example, providers could
                             experience difficulties due to the lack of standardization across these
                             technologies. Representatives from one private health insurer we
                             interviewed stated that while the use of cards with magnetic stripes
                             worked well within a small region where they have large market-
                             penetration, implementing such an effort in regions where providers
                             contract with multiple insurers would be more difficult due to this lack of
                             standardization. In addition, use of machine-readable cards would likely
                             require providers to purchase additional equipment and could be
                             problematic for providers that lack the necessary infrastructure, such as
                             high-speed internet connections, to make machine-readable technologies
                             feasible. According to CMS officials, implementing machine-readable
                             technologies may also require cards that cost more than the paper
                             Medicare card currently in use.

                             Removing the SSN from the Medicare card and not replacing it with a
                             new identifier, an option also not considered in CMS’s report to Congress,
                             could reduce beneficiaries’ vulnerability to identity theft, but would create
                             burdens for beneficiaries, providers, and CMS. Complete removal of the
                             SSN from the Medicare card would protect beneficiaries from identity theft
                             in the event that a card is lost or stolen. However, like the truncation
                             option, beneficiaries may have difficulty recalling their SSN at the time of
                             service or when interacting with CMS. This could also be difficult because
                             the SSN needed to show eligibility may not be the beneficiary’s own. In
                             addition, providers would likely need to change their administrative
                             processes to obtain the needed information either by querying a


                             Page 20                           GAO-12-831 Removal of SSNs from Medicare Cards
                         database, calling CMS, or obtaining it directly from the beneficiary.
                         Finally, because providers would still need to collect and store the SSN
                         for eligibility verification and claims submission, beneficiaries would
                         remain vulnerable to identity theft in the event of a provider data breach. 35
                         The VA used this approach to remove SSNs from the approximately
                         363,000 dependent care program cards, and officials stated that it
                         requires providers to obtain the SSN at the time of service. However,
                         Medicare covers over 48 million beneficiaries who receive services from
                         1.4 million providers, making such a change more burdensome. In
                         addition, CMS would still encounter similar burdens as in the options
                         presented in its 2011 report to Congress, including the need to educate
                         beneficiaries and providers, and issue new cards, though the extent of the
                         necessary changes to CMS IT systems under such an option is unknown.



CMS Reported
Significant Costs
Associated with
Removing SSNs from
Medicare Cards, but
These Estimates May
Not Be Reliable
CMS Reported that        In its 2011 report to Congress, CMS, in conjunction with SSA and RRB,
Removing SSNs from       developed cost estimates for the three options to alter the display of the
Medicare Cards would     SSN on Medicare cards or replace the SSN with a different unique
                         identifier. CMS projected that altering or removing the SSN would cost
Cost Over $800 Million   between $803 million and $845 million. CMS’s costs represent the
                         majority of these costs (approximately 85 percent); while SSA and RRB’s




                         35
                           According to a membership organization for people aged 50 and older, completely
                         removing the SSN from the Medicare card and not replacing it with another identifier
                         would create concerns related to verification of eligibility and could potentially lead to
                         increased incidences of fraud.




                         Page 21                                    GAO-12-831 Removal of SSNs from Medicare Cards
                                            costs represent approximately 12 percent and 0.2 percent, respectively.
                                            (See table 3.) 36

Table 3: Agency Cost Estimates for CMS Options for Removing SSNs from Medicare Cards

                                                                              2. New identifier                    3. New identifier
Option                                    1. Truncated SSN               (beneficiary use only)      (beneficiary and provider use)
CMS cost estimates
    Modifications to existing state
    Medicaid IT systems and related
                   a
    costs (federal)                              $261,000,000                     $261,000,000                         $261,000,000
    Modifications to CMS IT systems               231,790,000                       222,055,000                         263,725,000
    Reissuance of Medicare cards                   69,320,000                        69,320,000                           69,320,000
    Beneficiary outreach and education
    needs                                          58,200,000                        58,200,000                           58,200,000
    CMS 1-800-Medicare
    communication plan                             48,200,000                        48,200,000                           48,200,000
    Provider outreach and education
    needs                                          18,700,000                        18,700,000                           18,700,000
    Training CMS business partners
    and beneficiaries                                 166,800                           166,800                              166,800
                      b
    Total CMS costs                              $687,376,800                     $677,641,800                         $719,311,800
SSA cost estimates
    Responding to beneficiary inquires
    and requests for new cards                     62,000,000                        62,000,000                           62,000,000
    Processing undeliverable cards                 28,000,000                        28,000,000                           28,000,000
    Online query access for SSA field
    offices to obtain new identifier                3,000,000                         3,000,000                            3,000,000
    Outreach, training, revisions to
    current forms, and additional
    application time                                2,000,000                         2,000,000                            2,000,000
    Total SSA costs                               $95,000,000                       $95,000,000                         $95,000,000
RRB cost estimates
    RRB IT system conversions                         225,204                           444,459                              444,459
    Issuing new Medicare cards                        388,905                           388,905                              388,905
    Responding to beneficiary inquiries               278,912                           278,912                              278,912




                                            36
                                              The remaining approximately 3.5 percent of the costs are state costs related to Medicaid
                                            IT system modifications. However, in its report CMS included these costs under CMS’s
                                            total.




                                            Page 22                                 GAO-12-831 Removal of SSNs from Medicare Cards
                                                                                         2. New identifier                                3. New identifier
Option                                 1. Truncated SSN                             (beneficiary use only)                  (beneficiary and provider use)
    User costs related to system and
    procedure changes                               145,952                                               145,952                                              145,952
    Beneficiary education and
    publications)                                     52,500                                                52,500                                               52,500
                      c
    Total RRB costs                             $1,091,473                                           $1,310,728                                            $1,310,728
State costs
    Modifications to existing state
    Medicaid IT systems and related
                 a
    costs (state)                               29,000,000                                           29,000,000                                            29,000,000
    Total state costs                          $29,000,000                                         $29,000,000                                           $29,000,000
                          d
Total estimated costs                         $812,468,273                                       $802,952,528                                          $844,622,528
                                         Source: GAO analysis of data provided by the Centers for Medicare & Medicaid Services (CMS), the Social Security Administration
                                         (SSA), and the Railroad Retirement Board (RRB).
                                         a
                                          CMS estimates that total modifications to existing state Medicaid systems would cost $290 million, of
                                         which CMS would be responsible for a federal share of $261 million. The states would be responsible
                                         for the remaining $29 million. Related costs include, for example, business process changes, training,
                                         and updates to system documentation.
                                         b
                                          Totals presented in CMS’s report were $716,377,000; $706,642,000; and $748,311,000; however,
                                         CMS officials confirmed that state Medicaid costs should have been reported separately from CMS’s
                                         costs and that rounding errors were made in some of the totals presented in its report. GAO numbers
                                         reflect corrected calculations.
                                         c
                                          Totals presented in CMS’s report were $1,092,000; $1,311,000; and $1,311,000; however, CMS
                                         officials confirmed that rounding errors were made in some totals presented in its report. GAO
                                         numbers reflect corrected calculations.
                                         d
                                          Totals presented in CMS’s report were $812,469,000; $802,952,000; and $844,622,000; however,
                                         CMS officials confirmed that rounding errors were made in some totals presented in its report. GAO
                                         numbers reflect corrected calculations.


                                         Approximately two-thirds of the total estimated costs (between
                                         $512 million and $554 million depending on the option) are associated
                                         with modifications to existing state Medicaid IT systems and CMS’s IT
                                         system conversions. 37 While modifications to existing state Medicaid IT
                                         systems and related costs are projected to cost the same across all three
                                         options, the estimated costs for CMS’s IT system conversions vary. This
                                         variation is due to the differences in the number of systems affected and
                                         the costs for modifying affected systems for the different options. CMS
                                         would incur costs related to modifying 40 IT systems under the truncated



                                         37
                                           Modifications to state Medicaid IT systems would be needed in order to process
                                         information on individuals eligible for both Medicare and Medicaid. CMS would incur
                                         $261 million as the federal share of the estimated total of $290 million. The remaining
                                         $29 million would be the responsibility of the States.




                                         Page 23                                                    GAO-12-831 Removal of SSNs from Medicare Cards
SSN option, 44 systems under the new identifier for beneficiary use
option, and 48 systems under the new identifier for beneficiary and
provider use option. In addition, the cost associated with changes to
specific systems varied depending on the option. CMS’s estimates for all
non-IT related cost areas are constant across the options. Other
significant cost areas for CMS include reissuing the Medicare card,
conducting outreach and education to beneficiaries about the change to
the identifier, and responding to beneficiary inquires related to the new
card.

Both SSA and RRB would also incur costs under each of the options
described in CMS’s 2011 report. 38 SSA estimated that implementing any
of the three options presented in the 2011 report would cost the agency
$95 million. SSA’s primary costs included $62 million for responding to
inquiries and requests for new Medicare cards from beneficiaries and
$28 million for processing new cards mailed by CMS that are returned as
undeliverable. SSA officials told us that even though CMS would be
responsible for distributing new Medicare cards, SSA anticipated that
about 13 percent of the beneficiary population would contact SSA with
questions. RRB’s costs totaled between $1.1 million and $1.3 million.
Between 21 and 34 percent of RRB’s total costs were related to IT
system updates and changes, depending on the option. The rest of
RRB’s costs were related to business functions, such as printing and
mailing new cards; user costs related to system and procedure changes;
and education and outreach.

The cost estimates included in CMS’s 2011 report were as much as
2.5 times higher than those estimated in its 2006 report to Congress. 39
CMS attributed these increases to the inclusion of costs not included in
the 2006 report, such as those associated with changes to state Medicaid


38
  Both SSA and RRB perform Medicare related activities and would need to make
changes to their business processes and IT systems as a result of any of the options to
remove SSNs from Medicare cards. SSA determines Medicare eligibility for persons who
receive or are about to receive Social Security benefits, enrolls those who are eligible into
Medicare, and assigns them a HICN. Though CMS prints and distributes the Medicare
card, beneficiaries often contact SSA when they need a replacement card. RRB is
responsible for determining Medicare eligibility for qualified railroad retirement
beneficiaries, enrolling them into Medicare, assigning HICNs to these individuals, and
issuing Medicare cards to them.
39
  In 2006, CMS estimated that removing the SSN from the Medicare card and replacing it
with a new non-SSN based identifier would cost $338 million.




Page 24                                   GAO-12-831 Removal of SSNs from Medicare Cards
                          systems and changes to its IT systems related to Part D, as well as a
                          more thorough accounting of costs associated with many of the other cost
                          areas, including SSA costs. In addition, CMS said in its 2006 report that
                          phasing in a new identifier for beneficiaries over a 5- to 10-year period
                          would reduce costs. However, in its 2011 report, CMS stated that such an
                          option would be cost prohibitive because it would require running two
                          parallel IT systems for an extended period of time. 40


The Methods and           There are several key concerns regarding the methods and assumptions
Assumptions CMS Used to   CMS used to develop its cost estimates that raise questions about the
Derive Cost Estimates     reliability of its overall cost estimates. First, CMS did not use any cost
                          estimating guidance when developing its estimates. GAO’s Cost
Raise Questions about     Estimating and Assessment Guide identifies a number of best practices
Their Reliability         designed to ensure a cost estimate is reliable. 41 However, CMS officials
                          acknowledged that the agency did not rely on any specific cost-estimating
                          guidance, such as GAO’s cost-estimating guidance, during the
                          development of the cost estimates presented in the agency’s report to
                          Congress. The agency also did not conduct a complete life-cycle cost
                          estimate on relevant costs, 42 such as those associated with IT system
                          conversions. 43 CMS officials told us they did not conduct a full life-cycle
                          cost estimate for each option because this was a hypothetical analysis,




                          40
                            DOD officials told us that in its effort to remove SSNs from cards, DOD is issuing cards
                          without SSNs as old cards expire and, for retirees, allowing them to keep their current
                          card with the SSN printed on the front indefinitely unless they request a new card.
                          According to DOD officials, the agency does not expect to incur additional costs
                          associated with this phased approach, which is similar to the phased approach CMS
                          described in its 2006 report.
                          41
                            GAO-09-3SP.
                          42
                            A life-cycle cost estimate provides an exhaustive and structured accounting of all
                          resources and associated cost elements required to develop, produce, deploy, and
                          sustain a particular program. This entails identifying all cost elements that pertain to the
                          program from initial concept all the way through operations, support, and disposal. Life-
                          cycle costing enhances decision making, especially in early planning and concept
                          formulation of acquisition.
                          43
                            CMS officials told us that if the agency proceeded with one of the options described in
                          the report, they would conduct a life-cycle cost estimate.




                          Page 25                                   GAO-12-831 Removal of SSNs from Medicare Cards
and doing so would have been too resource intensive for the purpose of
addressing policy options. 44

Second, the procedures used to develop estimates for the two largest
cost categories—changes to existing state Medicaid IT systems and
CMS’s IT system conversions—are questionable and not well
documented. For each of CMS’s options, the agency estimated Medicaid
IT changes would cost $290 million. 45 Given the size of this cost category,
we have concerns about the age of the data, the number of states used to
generalize these estimates, as well as the completeness of the
information CMS collected. For example, CMS’s estimates for costs
associated with its proposed changes were based on data collected in
2008, at which time the agency had not developed all of the options
presented in its 2011 report. 46 In addition, while CMS asked for cost data
from all states in 2008, it received data from only five states—Minnesota,
Montana, Oklahoma, Rhode Island, and Texas—and we were unable to
determine whether these states are representative of the IT system
changes required by all states. CMS extrapolated national cost estimates
based on the size of these states, determined by the number of Medicare
eligible beneficiaries in them. However, the cost of IT modifications to
Medicaid systems would likely depend more on the specific IT systems
and their configurations in use by the state than on the number of
Medicare beneficiaries in the state. CMS was unable to provide
documentation about the data it requested from states related to its cost
projections, or documentation of the responses it received from states on
the specific modifications to Medicaid IT systems that would be required.
CMS officials also acknowledged that each state is different and their IT
systems would require different modifications.




44
  HHS also has specific guidance for conducting IT alternative analyses—HHS-IRM-2003-
0002 Policy for Conducting Information Technology Alternative Analysis. CMS officials
also told us that although they performed such an analysis, they were unaware of this
guidance and followed no specific HHS guidance on alternative analysis or cost
estimating.
45
  It addition to Medicaid IT system modification costs, this cost category includes related
costs, such as business process changes, training, and updates to system documentation.
46
   CMS officials told us that the new identifier for beneficiary use, and new identifier for
beneficiary and provider use options had already been developed at the time CMS
requested data from the states, but the agency did not include the truncation option when
it requested data from the states.




Page 26                                  GAO-12-831 Removal of SSNs from Medicare Cards
For the CMS IT-system conversion costs, officials told us that CMS
derived its IT-system conversion cost estimates by asking its IT system
owners for costs associated with changes to the systems affected under
each of the three options. 47 However, CMS provided us with limited
documentation related to the information it supplied to its system owners
when collecting cost data to develop its estimates, and no supporting
documentation for the data it received from system owners. The
documentation CMS provided asked system owners to provide the basis
for their estimates (including, for example, costs related to labor and
hardware, and software changes and additions), and laid out general
assumptions for system owners to consider. However, because CMS
asked for estimates for broad cost categories, the data it received were
general in nature and not a detailed accounting of specific projected
costs. CMS officials also told us that system requirements changed over
the course of their work; however, they provided no documentation
related to how these changes were communicated to system owners. In
addition, CMS officials told us that they generally did not attempt to verify
estimates submitted by system owners. CMS could not explain how or
why a number of the systems the agency believed would require
modifications would be affected under its three options, or the variance in
the costs to modify these systems across the options.

Moreover, CMS’s cost estimates for the IT-related costs in its 2011 report
were approximately three times higher than the estimate in the agency’s
2006 report. 48 That report stated that the majority of changes necessary
to replace the existing number with a non-SSN-based identifier would
affect only two systems; 49 however, the agency estimated in its 2011
report that up to 48 systems would require modification, depending on the
option selected. 50 Furthermore, CMS’s 2006 report stated that the



47
 System owners refer to CMS employees or contractors who manage CMS IT systems.
48
  In its 2006 report to Congress, CMS estimated that removal of the SSN from Medicare
cards would cost approximately $338 million, of which $80.2 million was attributable to
start up costs for IT system modifications.
49
  The 2006 report stated that “less extensive, but still significant change to other systems”
would be required; however, 85 percent of the system conversion costs were associated
with only two systems.
50
  CMS’s 2011 report cited 51 systems that would be affected; however, information
provided by CMS to GAO shows that between 40 and 48 IT systems would require
modifications depending on the option implemented.




Page 27                                   GAO-12-831 Removal of SSNs from Medicare Cards
2 primary IT systems affected—the Medicare Beneficiary Database and
the Enrollment Database—account for $70 million, or 85 percent, of the
IT-related costs. However, in the 2011 report, these 2 systems accounted
for 5 percent or less of the IT-related costs, depending on the option
implemented. CMS officials we interviewed were unable to explain the
differences in the number of systems affected, or the costs of required
modifications to IT systems between the 2006 and 2011 reports.

Third, there are inconsistencies in some assumptions used by CMS and
SSA in the development of the estimates. For example, CMS and SSA
used different assumptions regarding the number of Medicare
beneficiaries that would require new Medicare cards. According to CMS
officials, the agency based its cost estimates on the number of Medicare
beneficiaries at the time the report was prepared (47 million), whereas
SSA officials told us the agency based its estimates on the expected
number of beneficiaries in 2015 (55 million), the year they estimated the
new card would likely be issued. In addition, nearly 30 percent of SSA’s
costs were related to processing newly-issued Medicare cards that are
returned as undeliverable. However, SSA officials told us that they were
not aware that CMS’s cost estimates included plans to conduct an
address-verification mailing at a cost of over $45 million prior to issuing
new cards. Such a mailing could reduce the number of cards returned as
undeliverable, and thus SSA’s costs associated with processing such
cards. 51

Finally, CMS did not take into account other factors when developing its
cost estimates, including related IT modernization efforts or potential
savings from removing the SSN from Medicare cards. In developing its
estimates, CMS did not consider ways to integrate IT requirements for
removing the SSN from Medicare cards with those necessitated by other
IT modernization plans to realize possible efficiencies. DOD and a private
health insurer we interviewed reported that when removing SSNs from
their cards, they updated their systems to accommodate this change in
conjunction with other unrelated system upgrades. CMS officials told us
that because many of the agency’s other IT modernization plans are
unfunded, the agency does not know when or if these efforts will be
undertaken. As a result, the agency is unable to coordinate the SSN


51
  SSA officials said that although they were unaware of this planned address verification
mailing, they believe their estimate of the percent of cards returned as undeliverable is still
appropriate.




Page 28                                   GAO-12-831 Removal of SSNs from Medicare Cards
              removal effort or to estimate savings from combining such efforts. In its
              report, CMS also acknowledged that if the agency switched to a new
              identifier used by both beneficiaries and providers, there would likely be
              some savings due to improved program integrity and reduced need to
              monitor SSNs that may be stolen and used fraudulently. However, in
              developing its estimates, CMS did not include any potential savings the
              agency might accrue as a result of removing the SSN from Medicare
              cards. 52


              Nearly six years have passed since CMS first issued a report to Congress
Conclusions   that explored options to remove the SSN from the Medicare card, and five
              years have elapsed since the Office of Management and Budget directed
              federal agencies to reduce the unnecessary use of the SSN. While CMS
              has identified various options for removing the SSN from Medicare cards,
              CMS has not committed to a plan to remove them. The agency lags
              behind other federal agencies and the private sector in reducing the use
              of the SSN. DOD, VA, and private health insurers have taken significant
              steps to eliminate the SSN from display on identification and health
              insurance cards, and reduce its role in operations.

              Of the options presented by CMS, the option that calls for developing a
              new identifier for use by beneficiaries and providers offers the best
              protection against identity theft and presents fewer burdens for
              beneficiaries and providers than the other two. Consistent with the
              approach taken by private health insurers, this option would eliminate the
              use and display of the SSN for Medicare processes conducted by
              beneficiaries and providers. While CMS reported that this option is
              somewhat more costly than the other options, the methods and
              assumptions CMS used to develop its estimates do not provide enough
              certainty that those estimates are credible. Moreover, because CMS did
              not have well-documented cost estimates, the reliability of its estimates
              cannot be assessed. Use of standard cost-estimating procedures, such
              as GAO’s estimating guidance, would help ensure that CMS cost
              estimates are comprehensive, well documented, accurate and credible.
              Moving forward, CMS could also explore whether the use of magnetic
              stripes, bar codes, or smart chips could offer other benefits such as


              52
                In its 2011 report, CMS noted that the ability to “turn off” a beneficiary’s identifier under
              one of its proposed options could improve the agency’s ability to combat Medicare fraud,
              waste, and abuse.




              Page 29                                    GAO-12-831 Removal of SSNs from Medicare Cards
                      increased efficiencies. Absent a reliable cost estimate, however,
                      Congress and CMS cannot know the costs associated with this option
                      and how to prioritize it relative to other CMS initiatives. Lack of action on
                      this key initiative leaves Medicare beneficiaries exposed to the possibility
                      of identity theft.

                      In order for CMS to implement an option for removing SSNs from
Recommendations for   Medicare cards, we recommend that the Administrator of CMS
Executive Action
                      •   select an approach for removing the SSN from the Medicare card that
                          best protects beneficiaries from identity theft and minimizes burdens
                          for providers, beneficiaries, and CMS, and

                      •   develop an accurate, well-documented cost estimate for such an
                          option using standard cost-estimating procedures.


                      We provided a draft of this report to CMS, DOD, RRB, SSA, and VA for
Agency Comments       review and comment. CMS and RRB provided written comments which
and Our Evaluation    are reproduced in appendixes II and III. DOD, SSA, and VA provided
                      comments by e-mail.

                      CMS concurred with our first recommendation to select an approach for
                      removing the SSN from Medicare cards that best protects beneficiaries
                      from identity theft and minimizes burdens for providers, beneficiaries, and
                      CMS. The agency noted that such an approach could protect
                      beneficiaries from identity theft resulting from loss or theft of the card and
                      would allow CMS a useful tool in combating Medicare fraud and medical
                      identity theft. CMS also concurred with our second recommendation that
                      CMS develop an accurate, well-documented cost estimate using standard
                      cost-estimating procedures for an option that best protects beneficiaries
                      from identity theft and minimizes burdens for providers, beneficiaries, and
                      CMS. CMS noted that a more rigorous and detailed analysis of a selected
                      option would be necessary in order for Congress to appropriate funding
                      sufficient for implementation, and that it will utilize our suggestions to
                      strengthen its estimating methodology for such an estimate.

                      DOD had no comments and did not comment on the report’s
                      recommendations. RRB stated that the report accurately reflected its
                      input and had no additional comment. SSA provided only one technical
                      comment, which we incorporated as appropriate, but did not comment on
                      the report’s recommendations. VA concurred with our findings, but
                      provided no additional comments.


                      Page 30                            GAO-12-831 Removal of SSNs from Medicare Cards
We are sending copies to the Secretaries of HHS, DOD and VA, the
Administrator of CMS, the Commissioner of SSA, the Chairman of RRB,
interested congressional committees, and others. In addition, the report
will be available at no charge on the GAO website at http://www.gao.gov.

If you or your staffs have questions about this report, you may contact us
at: Kathleen King, (202) 512-7114 or kingk@gao.gov or Daniel Bertoni,
(202) 512-7215 or bertonid@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report. GAO staff who made key contributions to this report are
listed in appendix IV.




Kathleen King
Director, Health Care




Daniel Bertoni
Director, Education, Workforce, and Income Security Issues




Page 31                          GAO-12-831 Removal of SSNs from Medicare Cards
Appendix I: Burdens of CMS’s Proposed
              Appendix I: Burdens of CMS’s Proposed
              Options for Removal of SSN from Medicare
              Card (Accessible Text)


Options for Removal of SSN from Medicare
Card (Accessible Text)

                                            New identifier                                                                 Truncated
                                           (beneficiary and                          New identifier                      Social Security
                                             provider use)                       (beneficiary use only)                  number (SSN)
                                                       a                                          b                                  c
                  Beneficiary                                                                                                       √
                                                       d                                           e                                    f
                  Provider                                                                       √                                  √
                                                        g                                          h                                    i
                  CMS                                 √                                          √                                  √
              Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services and interviews with relevant
              stakeholders.
              a
               While any change to the beneficiary identifier could cause initial confusion for beneficiaries, this
              option creates no additional burden for the beneficiary because the number on the card would be
              used to receive services and interact with CMS.
              b
               While any change for the beneficiary identifier could cause initial confusion for beneficiaries, this
              option creates no additional burdens to the beneficiary because the number on the card would be
              used to receive services and interact with CMS.
              c
              Could create additional burdens for beneficiaries because they could be required to remember their
              SSN in order to receive services and interact with CMS.
              d
               While any change to the beneficiary identifier could cause initial confusion among providers, this
              option would not create additional burdens for the provider, as the provider would be able to obtain
              the number from the card provided by the beneficiary.
              e
               Could create an additional burden for providers because it would require the provider to obtain the
              beneficiary’s SSN either from the beneficiary, by querying a CMS database, or by calling CMS in
              order to verify eligibility.
              f
              Could create an additional burden for providers because it would require the provider to obtain the
              beneficiary’s SSN either from the beneficiary, by querying a CMS database, or by calling CMS in
              order to verify eligibility.
              g
               According to CMS, this option would require the most significant modifications to its IT systems. All
              other burdens for CMS would be similar across the three options.
              h
               According to CMS, this option would require the least significant modifications to its IT systems. All
              other burdens for CMS would be similar across the three options.
              i
              According to CMS, this option would require more significant modifications to its IT systems than the
              new identifier- beneficiary use only option, and less significant modifications than the new identifier—
              beneficiary and provider use option. All other burdens for CMS would be similar across the three
              options.




              Page 32                                                    GAO-12-831 Removal of SSNs from Medicare Cards
Appendix II: Comments from the Centers for
              Appendix II: Comments from the Centers for
              Medicare & Medicaid Services



Medicare & Medicaid Services




              Page 33                                 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix II: Comments from the Centers for
Medicare & Medicaid Services




Page 34                                 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix II: Comments from the Centers for
Medicare & Medicaid Services




Page 35                                 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix III: Comments from the Railroad
              Appendix III: Comments from the Railroad
              Retirement Board



Retirement Board




              Page 36                                    GAO-12-831 Removal of SSNs from Medicare Cards
Appendix IV: GAO Contacts and Staff
                  Appendix IV: GAO Contacts and Staff
                  Acknowledgments



Acknowledgments

                  Kathleen King, (202) 512-7114 or kingk@gao.gov or Daniel Bertoni,
GAO Contacts      (202) 512-7215 or bertonid@gao.gov.


                  In addition to the contacts named above, the following individuals made
Staff             key contributions to this report: Lori Rectanus, Assistant Director; Thomas
Acknowledgments   Walke, Assistant Director; David Barish; James Bennett; Carrie Davidson;
                  Sarah Harvey; Drew Long; and Andrea E. Richardson.




(290992)
                  Page 37                               GAO-12-831 Removal of SSNs from Medicare Cards
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.