United States Government Accountability Office
GAO Report to Congressional Requesters
August 2012
MEDICARE
CMS Needs an
Approach and a
Reliable Cost Estimate
for Removing Social
Security Numbers
from Medicare Cards
To access this report
electronically, scan this
QR Code.
Don't have a QR code
reader? Several are
available for free online.
GAO-12-831
August 2012
MEDICARE
CMS Needs an Approach and a Reliable Cost
Estimate for Removing Social Security Numbers
from Medicare Cards
Highlights of GAO-12-831, a report to
congressional requesters
Why GAO Did This Study What GAO Found
More than 48 million Medicare cards The Centers for Medicare & Medicaid Services’ (CMS) 2011 report to Congress
display the SSN, which increases proposed three options for removing Social Security numbers (SSN) from
Medicare beneficiaries’ vulnerability to Medicare cards. One option would truncate the SSN displayed on the card, but
identity theft. GAO was asked to beneficiaries and providers would continue to rely on the SSN. The other two
review the options and associated options would replace the SSN with a new identifier that would be displayed on
costs for removing SSNs from the the card and either be used only by beneficiaries, or by both beneficiaries and
Medicare card. This report those who provide Medicare services. CMS, however, has not selected or
(1) describes the various options for committed to implementing any of these options. The Departments of Defense
removing the SSN from Medicare
(DOD) and Veterans Affairs (VA), and private insurers have already removed or
cards; (2) examines the potential
taken steps to remove SSNs from display on their identification or health
benefits and burdens associated with
different options; and (3) examines
insurance cards.
CMS’s cost estimates for removing CMS’s option to replace the SSN with a new identifier for use by both
SSNs from Medicare cards. beneficiaries and providers offers the greatest protection against identity theft.
To do this work, GAO reviewed CMS’s Beneficiaries’ vulnerability to identity theft would be reduced because the card
report, cost estimates, and relevant would no longer display the SSN and providers would not need the SSN to
supporting documentation. GAO also provide services or submit claims (negating the need for providers to store the
interviewed officials from CMS and SSN). This option would also pose fewer burdens than the other two options
other agencies that perform Medicare because beneficiaries would not have to remember an SSN to receive services
related activities (the Social Security or to interact with CMS. Providers also would not need to conduct additional
Administration and Railroad activities, such as querying a CMS database, to obtain the SSN. The burdens for
Retirement Board), as well as officials CMS would generally be similar across all the options, but CMS reported that this
from DOD and VA, which have option would require more information technology (IT) system modifications.
undertaken SSN removal efforts. GAO
also interviewed private health Risk of Identity Theft with Medicare Card under CMS’s Three Proposed Options
insurance companies and relevant
stakeholder groups.
What GAO Recommends
GAO recommends that CMS (1) select
an approach for removing SSNs from
Medicare cards that best protects
beneficiaries from identity theft and
minimizes burdens for providers,
beneficiaries, and CMS and
(2) develop an accurate, well-
documented cost estimate for such an
option. CMS concurred with our
recommendations. VA, DOD, and RRB CMS reported that each of the three options would cost over $800 million to
had no substantive comments. SSA implement, and that the option to replace the SSN with a new identifier for use by
had a technical comment.
both beneficiaries and providers would be somewhat more expensive, largely
because of the IT modifications. However, the methodology and assumptions
CMS used to develop its estimates raise questions about their reliability. For
example, CMS did not use appropriate guidance, such as GAO’s cost-estimating
guidance, when preparing the estimates to ensure their reliability. Additionally,
View GAO-12-831. For more information, CMS could provide only limited documentation related to how it developed the
contact Kathleen King at (202) 512-7114 or estimates for the two largest cost areas, both of which involve modifications to IT
kingk@gao.gov, or Daniel Bertoni at (202) systems.
512-7215 or bertonid@gao.gov.
United States Government Accountability Office
Contents
Letter 1
Background 5
Options for Removing SSNs from Medicare Cards Include Altering
the Display or Replacing the Number with a Different Identifier 8
Replacing SSN with a New Identifier for Beneficiary and Provider
Use Offers Greatest Protection Against Identity Theft and
Minimizes Burdens 15
CMS Reported Significant Costs Associated with Removing SSNs
from Medicare Cards, but These Estimates May Not Be Reliable 21
Conclusions 29
Recommendations for Executive Action 30
Agency Comments and Our Evaluation 30
Appendix I Burdens of CMS’s Proposed Options for Removal of SSN
from Medicare Card (Accessible Text) 32
Appendix II Comments from the Centers for Medicare & Medicaid Services 33
Appendix III Comments from the Railroad Retirement Board 36
Appendix IV GAO Contacts and Staff Acknowledgments 37
Tables
Table 1: Examples of Interactions Requiring the Health Insurance
Claim Number (HICN) 7
Table 2: Display and Use of the Identifier in Various CMS Options
for Removing the SSN from Medicare Cards 11
Table 3: Agency Cost Estimates for CMS Options for Removing
SSNs from Medicare Cards 22
Page i GAO-12-831 Removal of SSNs from Medicare Cards
Figures
Figure 1: Medicare Card 6
Figure 2: Risk of Identity Theft with Medicare Card under CMS’s
Three Proposed Options 16
Figure 3: Burdens of CMS’s Proposed Options for Removal of SSNs
from Medicare Cards 18
Abbreviations
CMS Centers for Medicare & Medicaid Services
DOD Department of Defense
EDIPI Electronic Data Interchange Person Identifier
HHS Department of Health and Human Services
HICN health insurance claim number
IT information technology
MBI Medicare Beneficiary Identifier
RRB Railroad Retirement Board
SSA Social Security Administration
SSN Social Security number
VA Department of Veterans Affairs
VIC Veterans Identification Card
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
Page ii GAO-12-831 Removal of SSNs from Medicare Cards
United States Government Accountability Office
Washington, DC 20548
August 1, 2012
The Honorable Sam Johnson
Chairman
Subcommittee on Social Security
Committee on Ways and Means
House of Representatives
The Honorable Lloyd Doggett
Ranking Member
Subcommittee on Human Resources
Committee on Ways and Means
House of Representatives
More than 48 million Medicare cards display Social Security numbers
(SSN). Thieves can steal the information from these cards to commit
various acts of identity theft, such as opening bank or credit card
accounts or receiving medical services in a beneficiary’s name. In 2010,
7 percent of households in the United States, or about 8.6 million
households, had at least one member age 12 or older who experienced
identity theft, according to U.S. Department of Justice figures. The
estimated financial cost of identity theft during that time was
approximately $13.3 billion. 1 Additionally, theft of this information could
result from a data breach—the unauthorized disclosure of a beneficiary’s
personally identifiable information. 2 Between September 2009 and March
2012, the Department of Health and Human Services’ (HHS) Office for
Civil Rights identified over 400 reports of provider data breaches involving
protected health information that each affected more than 500
individuals. 3
1
Lynn Langston, Identity Theft Reported by Households, 2005-2010, NCJ 236245
(Washington, D.C.: U.S. Department of Justice, Office of Justice Programs, Bureau of
Justice Statistics, November 2011).
2
For the purposes of this report, we define a data breach as the unauthorized acquisition,
access, use, or disclosure of individually identifiable information.
3
We use the term provider to refer to any organization, institution, or individual that
provides health care services to Medicare beneficiaries. These include hospitals, nursing
facilities, physicians, hospices, ambulatory surgical centers, outpatient clinics, and
suppliers of durable medical equipment, among others.
Page 1 GAO-12-831 Removal of SSNs from Medicare Cards
The SSN is displayed on Medicare cards, and it is the main component of
the health insurance claim number (HICN). The Social Security
Administration (SSA) and the Railroad Retirement Board (RRB) assign
the HICNs to eligible Medicare beneficiaries. HHS’s Centers for Medicare
& Medicaid Services (CMS) administers the Medicare program, 4 and
relies on the HICN for numerous Medicare purposes. For example, CMS
requires beneficiaries to provide the HICN to document eligibility for
Medicare services; requires providers to use the number to bill for
services; and uses the number and claims information to analyze
Medicare’s performance and conduct program integrity efforts. 5 Each
beneficiary is issued a Medicare card that prominently displays the HICN,
and CMS advises beneficiaries to carry this card with them at all times
and show this card to medical providers when receiving services. As we
have reported, however, the explicit display and use of the SSN poses a
threat of identity theft. 6
The importance of enhancing security protections for SSN display and
use has resulted in multiple actions by federal and state governments and
the private sector. For example, SSA has advised for years that
individuals not carry their Social Security card with them. In 2007, the
Office of Management and Budget issued a directive to all federal
agencies to develop a plan for reducing the unnecessary use of SSNs
and exploring alternatives to their use. 7 Many federal agencies, including
the Departments of Defense (DOD) and Veterans Affairs (VA), have
taken significant steps to remove SSNs from their health insurance and
identification cards. In the private sector, health insurers have also
removed SSNs from their insurance cards in an effort to comply with state
laws and protect beneficiaries from identity theft.
4
Medicare is the federal health insurance program for individuals over the age of 65,
individuals under the age of 65 with certain disabilities, and individuals with end-stage
renal disease.
5
CMS’s program integrity efforts for Medicare include the detection of improper billing
through analysis of claims.
6
See GAO, Social Security Numbers: More Could Be Done to Protect SSNs.
GAO-06-586T (Washington, D.C.: Mar. 30, 2006).
7
Office of Management and Budget Memorandum M-07-16. Safeguarding Against and
Responding to the Breach of Personally Identifiable Information (Washington, D.C.:
May 22, 2007).
Page 2 GAO-12-831 Removal of SSNs from Medicare Cards
In 2004, we reported that CMS determined it would be cost-prohibitive to
remove the SSN from the Medicare card. 8 In a 2006 report to Congress,
CMS highlighted an option for removing the SSN from the Medicare card
and estimated it would cost over $300 million to do so. 9 In 2010,
members of Congress asked CMS to update that report in light of the fact
that CMS had not taken actions to remove SSNs from Medicare cards.
CMS subsequently issued a report in November 2011. 10 You asked that
we review CMS’s 2011 report, including the options it presented for
removing the SSN from Medicare cards and the estimated costs. In
addition, you asked that we examine the lessons learned from DOD and
VA’s efforts to remove SSNs from their insurance cards. Consequently,
this report (1) describes the various options for removing the SSN from
Medicare cards; (2) examines the potential benefits and burdens
associated with the various options for removing SSNs from Medicare
cards; and (3) examines CMS’s cost estimates for removing SSNs from
Medicare cards.
To describe the options for removing SSNs from Medicare cards, we
reviewed CMS’s 2011 report to Congress titled Update on the
Assessment of the Removal of Social Security Numbers from Medicare
Cards, as well as supporting documentation provided by CMS. We
interviewed officials from CMS, SSA, and RRB. To obtain a broader
perspective on efforts to remove SSNs from health insurance and
identification cards, we interviewed officials from DOD, VA, and the
following relevant stakeholders: three private health insurers that
implemented efforts to remove SSNs from their cards; 11 a provider
association for physician group practices; a health insurance industry
association; and a membership organization for people age 50 and older,
a population that would be significantly affected by the removal of SSNs
from Medicare cards.
8
GAO, Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards, GAO-05-59 (Washington, D.C.: Nov. 9, 2004).
9
Centers for Medicare & Medicaid Services, Report to Congress: Removal of Social
Security Number from the Medicare Health Insurance Card and Other Medicare
Correspondence (Baltimore, Md.: October 2006).
10
Centers for Medicare & Medicaid Services, Update on the Assessment of the Removal
of Social Security Numbers from Medicare Cards (Baltimore, Md.: November 2011).
11
Combined, these three health insurers cover more than 48 million individuals.
Page 3 GAO-12-831 Removal of SSNs from Medicare Cards
To examine the potential benefits and burdens of the options CMS
proposed for removing SSNs from Medicare cards, we interviewed
officials from CMS to obtain more information about the options presented
in its report. We also interviewed officials from DOD and VA to learn
about their efforts to remove SSNs from their cards and the factors they
considered when implementing such efforts. During our interviews with
private health insurers and other stakeholders, we obtained information
about the benefits and burdens faced by providers and beneficiaries
when removing SSNs from health insurance cards. We assessed the
options presented by CMS based on the following criteria: (1) maximized
protection against identity theft; and (2) minimized burdens on
beneficiaries, providers, and CMS. These criteria were developed based
on prior GAO work on identity theft and informed by information from
CMS’s 2011 report and interviews with CMS officials and others.
To examine CMS’s cost estimates for removing SSNs from Medicare
cards, we interviewed officials at CMS, SSA, and RRB to obtain details
about the development of the cost estimates, including the methods and
underlying assumptions used to derive them. We also interviewed officials
from DOD and VA to obtain information on the costs to those agencies
related to their initiatives to remove SSNs from DOD and VA identification
cards. When interviewing relevant stakeholders, we obtained information
about the costs associated with switching from an SSN-based to a non-
SSN based identifier on their health insurance cards, to the extent such
information was available. In addition, as part of our assessment of
CMS’s cost estimates, we used GAO’s Cost Estimating and Assessment
Guide, as appropriate. 12 This guide identifies best practices that should
be followed to ensure that a reliable cost estimate is comprehensive, well-
documented, accurate, and credible. Our assessment included examining
the extent to which CMS cost estimates were documented, and that the
assumptions used to develop these estimates were supported and
appeared to be reasonable.
We conducted this performance audit from January 2012 to July 2012 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
12
GAO Cost Estimating and Assessment Guide: Best Practices for Developing and
Managing Capital Program Costs. GAO-09-3SP (Washington, D.C.: March 2009).
Page 4 GAO-12-831 Removal of SSNs from Medicare Cards
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Background
Medicare, Medicare Cards, Medicare, the federal health insurance program that serves the nation’s
and the HICN elderly, certain disabled individuals and individuals with end-stage renal
disease, had total program expenditures of $565 billion in 2011, making it
one of the largest federal programs. The Medicare program is
administered by CMS and consists of four parts: A, B, C, and D. Medicare
parts A and B are also referred to as fee-for-service programs. Part A
covers hospital and other inpatient stays, hospice, and home health
service; and Part B covers hospital outpatient, physician, and other
services. The Medicare card is used as proof of eligibility for both of these
programs. Part C is Medicare Advantage, under which beneficiaries
receive benefits through private health plans. Part D is the Medicare
outpatient prescription drug benefit. CMS requires that cards issued by
Part C and Part D health plans do not display an SSN.
For most individuals, SSA determines eligibility for Medicare and assigns
the individual’s HICN. However, for the approximately 550,000 Railroad
Retirement beneficiaries and their dependents, the RRB determines
Medicare eligibility and assigns this number. CMS or RRB mails paper
cards to all beneficiaries, which display the individual’s full name, gender,
eligibility status (Part A and/or Part B), their effective date of eligibility,
and the SSN-based HICN, referred to on the card as the Medicare Claim
Number. (See fig. 1.)
Page 5 GAO-12-831 Removal of SSNs from Medicare Cards
Figure 1: Medicare Card
The HICN is constructed using the 9-digit SSN of the primary wage
earner whose work history qualifies an individual for Medicare, followed
by a 1- or 2-character code, referred to as the beneficiary identification
code, that specifies the relationship of the card holder to the individual
who makes the beneficiary eligible for benefits. 13 In most cases, the SSN
on the card is the card holder’s own; however, approximately 14 percent
of Medicare beneficiaries have cards that contain the SSN of the family
member whose work history makes the beneficiary eligible for Medicare
benefits.
A unique identifier is an essential component for administering health
insurance. Such an identifier is used by providers to identify beneficiaries
and submit claims for payment. As Medicare’s primary unique identifier,
13
For example, an A suffix indicates the card holder is a retired or disabled worker
(primary claimant). The B or B1 suffix indicates a wife or husband, respectively, of the
retired wage earner. The C suffix indicates a child of a retiree, or a disabled child or
student. The D suffix indicates a widow and an E suffix signifies a widowed mother.
Additional letters or numerical digits may also be used as part of the beneficiary
identification code to provide more-detailed relationship information.
Page 6 GAO-12-831 Removal of SSNs from Medicare Cards
the HICN is used by beneficiaries, providers, and CMS and its
contractors. State Medicaid programs, which are jointly funded federal-
state health care programs that cover certain low-income individuals, use
the HICN to coordinate payments for dual-eligible beneficiaries—
individuals who are enrolled in both Medicare and Medicaid. 14 (See
table 1 for examples of various interactions that require the HICN).
Table 1: Examples of Interactions Requiring the Health Insurance Claim Number
(HICN)
Stakeholder Interactions requiring HICN
Beneficiaries • Accessing care from Medicare providers
(48.7 million) • Logging into the Medicare website administered by
CMS for Medicare beneficiaries
• Calling 1-800-MEDICARE (the Medicare help line)
for assistance
• Submitting appeals for coverage
Providers • Verifying Medicare eligibility at the time of service
(1.4 million) • Submitting claims to receive payment for services
provided
• Collecting data for evaluating quality of care
• Submitting appeals for coverage
Centers for Medicare & • Confirming eligibility
Medicaid Services (CMS) • Processing claims submitted by providers
and contractors
• Paying providers for services rendered
• Conducting program integrity activities to prevent
or identify Medicare fraud, waste, and abuse
State Medicaid programs • Coordinating payments for services provided by
a
Medicare and Medicaid
Source: GAO analysis of Centers for Medicare & Medicaid Services (CMS) information.
a
This effort is conducted for dual-eligible individuals who are enrolled in both the Medicare and
Medicaid programs.
14
Medicare beneficiaries may become eligible for Medicaid if, for example, their income
and resources decline below certain thresholds. In addition, Medicaid beneficiaries may
become eligible for Medicare by, for example, turning 65 years old.
Page 7 GAO-12-831 Removal of SSNs from Medicare Cards
Beneficiaries must use their HICN when interacting with CMS, such as
when they log into the Medicare website or call 1-800-MEDICARE for
assistance. Using their issued card, beneficiaries also provide this
information to providers at the time of service, and providers use this
information to confirm eligibility and submit claims to receive payment for
services. CMS and its contractors operate approximately 50 information
technology (IT) systems, 15 many of which are interdependent, that use
this information in some manner to process beneficiary services and
claims and conduct a number of other activities related to payment and
program-integrity efforts. These IT systems vary considerably in terms of
age and interoperability, making them difficult to change.
Options for Removing
SSNs from Medicare
Cards Include
Altering the Display
or Replacing the
Number with a
Different Identifier
CMS Proposed Three In its November 2011 report, CMS proposed three options for removing
Options for Removing SSNs from Medicare cards. One option would involve altering the display
SSNs from the Medicare of the SSN through truncation, 16 and the other two options would involve
the development of a new identifier. 17 All three options would vary with
Cards
regard to the type of identifier displayed on the card and the actions
providers and beneficiaries would need to take in order to use the
identifier for needed services. CMS officials told us that they limited their
options to those retaining the basic format of the current paper card, and
did not consider other options that they believed were outside the scope
15
IT systems refer to systems and databases.
16
Truncation refers to the practice of masking certain digits in the SSN.
17
In all three options, CMS would continue to use the SSN in its internal systems and to
communicate with various partners including SSA and RRB.
Page 8 GAO-12-831 Removal of SSNs from Medicare Cards
of the congressional request. For example, CMS did not consider using
machine-readable technologies, such as bar codes or magnetic stripes. 18
• Option 1: Truncating the SSN: Under this option, the first five digits
of the SSN would be replaced with ‘X’s (e.g., XXX-XX-1234) for
display on the card. However, the full SSN would continue to be used
for all Medicare business processes. As a result, when interacting with
CMS, beneficiaries would need to recall the full SSN or provide
additional personally identifiable information in order for CMS to
match the beneficiary with his or her records. 19 To interact with CMS,
providers would also need to obtain the complete SSN using an
existing resource. This would involve querying an existing database,
calling a CMS help line, or asking the beneficiary for the complete
SSN or other personally identifiable information. 20
• Option 2: Developing a New Identifier for Beneficiary Use: Under
this option, the SSN would be replaced by a new identifier not based
on the SSN that would be displayed on the card, similar to private
health insurance cards. CMS refers to this new identifier as the
Medicare Beneficiary Identifier (MBI). This number would be used by
beneficiaries when interacting with CMS. Providers, however, would
be required to continue to use the SSN when interacting with CMS
and conducting their business processes. To obtain this information,
providers would be expected to electronically request it from CMS
using the new identifier. CMS said it would need to create a new
database for this purpose. 21
18
A bar code is an optical machine-readable representation of data. Bar codes use printed
and variously patterned bars and spaces that can be scanned and read into computer
memory. A magnetic stripe, such as those found on credit cards, is placed on a card and
used to store information that can be read by swiping the card through a machine.
19
Examples of such information include date of birth, address, spouse’s name, or other
personal or identifying information that is linked or linkable to a specific individual. This
additional information would be necessary because the last four digits of an SSN are not
sufficient on their own to uniquely identify an individual because more than one individual
may have the same last four digits.
20
The database and help line are efforts maintained by existing CMS contractors.
Providers could also use the SSN that is stored in the beneficiary’s record.
21
Providers could also call CMS or ask beneficiaries for their full SSN.
Page 9 GAO-12-831 Removal of SSNs from Medicare Cards
• Option 3: Developing a New Identifier for Beneficiary and
Provider Use: Under this option, the SSN would be replaced by a
new identifier not based on the SSN, which would be displayed on the
card. As in option 2, CMS referred to this number as the MBI. In
contrast to option 2, however, this new number would be used by both
beneficiaries and providers for all interactions with CMS. Under this
option, the SSN would no longer be used by beneficiaries or providers
when interacting with CMS, which could eliminate the need for
providers to collect or keep the SSN on file. 22 CMS and its contractors
would continue to use the SSN for internal data purposes, such as
claims processing. Table 2 summarizes the characteristics of the
CMS options.
22
Providers frequently store a beneficiary’s health care identifier in electronic or paper
records in order to submit claims for payment. Providers may collect a beneficiary’s SSN
for other purposes.
Page 10 GAO-12-831 Removal of SSNs from Medicare Cards
Table 2: Display and Use of the Identifier in Various CMS Options for Removing the SSN from Medicare Cards
New identifier
Current New identifier (beneficiary and
Display and use of the identifier Medicare card Truncated SSN (beneficiary use only) provider use)
Identifier displayed on card SSN Truncated SSN New identifier New identifier
Identifier used by beneficiary to SSN SSN New identifier New identifier
interact with CMS
How beneficiary obtains identifier Refer to card Recall first 5 digits of Refer to card Refer to card
a
to interact with CMS SSN or call CMS
Identifier used by provider to interact SSN SSN SSN New identifier
with CMS
How provider obtains the identifier Refer to card Use existing resources Electronically request SSN Refer to card
b
to interact with CMS to obtain full SSN using new identifier
Source: GAO analysis of information provided by Centers for Medicare & Medicaid Services (CMS).
a
When calling CMS, beneficiaries would also need to provide additional personally identifiable
information, which could include date of birth, spouse’s name, or address in order to obtain complete
information.
b
Existing resources include an online database or a call-center operated by a CMS contractor.
Providers would need to obtain additional personally identifiable information from the beneficiary and
submit it to CMS in order to identify the beneficiary. Providers could also request the full Social
Security number (SSN) from the beneficiary at the time of service.
CMS, SSA, and RRB reported that all three options would generally
require similar efforts, including coordinating with stakeholders;
converting IT systems; conducting provider and beneficiary outreach and
education; conducting training of business partners; and issuing new
cards. However, the level and type of modifications required to IT
systems vary under each option. These systems are responsible for
various business functions that perform claims processing, eligibility
verification, health plan enrollment, coordination of benefits, program
integrity, and research efforts. According to CMS, between 40 and 48 of
its IT systems would require modifications, depending on the option
selected. The truncated SSN option would require modifications to 40
systems; the option that uses a new identifier for beneficiary use would
require modifications to 44 systems; and the option that uses a new
identifier for beneficiary and provider use would require modifications to
48 systems.
In its 2011 report, CMS estimated that any of the 3 proposed options
would likely take up to 4 years to implement. During the first 3 years,
CMS would coordinate with stakeholders; complete necessary IT system
conversions; conduct provider and beneficiary outreach and education;
and conduct training of business partners. In the fourth year, CMS would
issue new Medicare cards to all beneficiaries over a 12-month period.
Page 11 GAO-12-831 Removal of SSNs from Medicare Cards
CMS officials stated that the agency could not implement any of the
options without additional funding from Congress. In its report, CMS
noted that the actual time needed for implementation could vary due to
changing resources or program requirements. Similar to its 2006 report,
CMS has not taken action needed to implement any of the options for
removing the SSN it presented in its report.
DOD, VA, and Private DOD has taken steps to remove the SSN from display on the
Health Insurers Have approximately 9.6 million military identification cards that are used by
Taken Steps to Remove active-duty and retired military personnel and their dependents to access
health care services. 23 DOD is replacing the SSNs previously displayed
SSNs from Cards’ Display
on these cards with two different unique identifiers not based on the
SSN. 24 In 2008, DOD began its SSN removal effort by removing
dependents’ SSNs from display on their military identification cards, but
retained the sponsor’s SSN and left SSNs embedded in the cards’ bar
codes. The dependents’ cards did not display any unique identifier. On
June 1, 2011, DOD discontinued issuing any military identification card
that displayed an SSN and began issuing cards that displayed two
different unique identifiers; however, SSNs continued to be embedded in
the cards’ bar codes. Starting December 1, 2012, DOD will discontinue
embedding the SSN in the cards’ bar codes. With the exception of cards
issued to retired military personnel, DOD anticipates that the SSNs will be
completely removed from all military identification cards by December
2016. 25 DOD officials reported that because retirees’ cards may still
contain the SSN as an identifier, and because some contractors providing
23
Military personnel and federal employees provide health care to DOD’s active-duty and
retired military personnel and their dependents in military treatment facilities under the
military health care program known as TRICARE. Active duty and retired military
personnel and their dependents present their military identification cards at the time of
service. DOD active duty and retired military personnel and their dependents also access
health care through private providers. When beneficiaries access care from private
providers, they must present both their military identification card and a separate health
care card issued by the DOD contractor administering their TRICARE plan at the time they
receive service.
24
The two identifiers are being added only to cards issued after June 1, 2011. One
identifier, the Electronic Data Interchange Person Identifier (EDIPI), is used DOD-wide to
identify a specific individual. The other identifier, the DOD Benefits Number is assigned to
each individual eligible for DOD health benefits and other entitlements.
25
Unlike military identification cards issued to active-duty military personnel and
dependents, cards issued to military retirees do not have an expiration date.
Page 12 GAO-12-831 Removal of SSNs from Medicare Cards
health care services may continue to use the SSN for eligibility purposes
and processing claims, DOD’s IT systems will continue to support multiple
identifiers, including the SSN, until such time as all SSNs have been
replaced with the two new unique identifiers. DOD cards issued to active-
duty military personnel also contain a smart chip, which is used for
accessing facilities and IT systems, and may be used to access health
care services in some facilities. 26 Cardholders’ SSNs are concealed in the
smart chip.
VA has also taken steps to remove the SSN from display on its
identification and health care cards. The Veterans Identification Card
(VIC) is issued by VA to enrollees and can be used by veterans to access
health care services from VA facilities and private providers. In 2011,
8.6 million veterans were eligible to receive health care services and,
according to VA officials, about 363,000 dependents of veterans were
eligible to receive care through VA’s dependent-care programs. 27 VA
began removing SSNs from display on the VIC in 2004, but the SSN
continues to be embedded in the cards’ magnetic stripes and bar codes.
Since that time, VA officials report that the department has issued
approximately 7.7 million VICs. VA officials also stated that, in the first
quarter of fiscal year 2013, VA will start issuing new VICs that will display
a new unique identifier for the veteran and embed the new identifier in the
card’s magnetic stripe and bar code, replacing the SSN. 28 VA also
removed SSNs from display on the cards issued to beneficiaries in VA
dependent-care programs without replacing it with a new identifier, and
beneficiaries in these programs now provide their SSN verbally at the
time of service. 29
26
The smart chip is an integrated circuit chip that can be used to store large amounts of
information, including SSNs or other unique identifiers, and can exchange data with other
systems and process information. By securely exchanging information, a smart card can
authenticate the identity of the individual possessing the card in a more rigorous way than
is possible with traditional identification cards.
27
Dependents of veterans may have received health care from: the Civilian Health and
Medical Program of the Department of Veterans Affairs; the Spina Bifida program; and the
Children of Women Vietnam Veterans program.
28
This new identifier will be the EDIPI. DOD has assigned an EDIPI for 17 million
veterans.
29
These cards do not have magnetic stripes or bar codes.
Page 13 GAO-12-831 Removal of SSNs from Medicare Cards
Representatives from a national organization representing private health
insurers told us that, to their knowledge, all private health insurers have
removed the SSN from display on insurance cards and replaced it with a
unique identifier not based on the SSN. Private insurers use these new
identifiers for all beneficiary and provider interactions, including
determining eligibility and processing claims. According to these officials,
private health insurers took those steps to comply with state laws and
protect beneficiaries from identity theft. Consistent with this,
representatives from the private health insurers we interviewed reported
removing SSNs from their cards’ display and issuing beneficiaries new
identifiers not based on the SSN, which are now used in all beneficiary
and provider interactions.
Officials we interviewed from DOD, VA, and private health insurers all
reported that the process to remove the SSN from cards and replace the
SSN with a different unique identifier is taking or took several years to
implement and required considerable planning. During their transition
periods, DOD, VA, and private health insurers reported that they made
modifications to IT systems; collaborated with providers and contractors;
and educated providers and beneficiaries about the change. One private
health insurer we interviewed reported that it allowed for a transition
period during which providers could verify eligibility or submit claims using
either the SSN or the new unique identifier. This health insurer noted that
this allowance, along with the education and outreach it provided to both
beneficiaries and providers, resulted in a successful transition. Another
health insurer reported that it is providing IT support for both the SSN and
the new unique identifier indefinitely in case providers mistakenly use the
SSN when submitting claims.
Page 14 GAO-12-831 Removal of SSNs from Medicare Cards
Replacing SSN with a
New Identifier for
Beneficiary and
Provider Use Offers
Greatest Protection
Against Identity Theft
and Minimizes
Burdens
CMS’s Option to Replace Replacing the SSN with a new identifier for use by beneficiaries and
the SSN with a New providers offers beneficiaries the greatest protection against identity theft
Identifier for Use by relative to the other options CMS presented in its report. (See fig. 2.)
Under this option, only the new identifier would be used by beneficiaries
Beneficiaries and and providers. This option would lessen beneficiaries’ risk of identity theft
Providers Offers the in the event that their card was lost or stolen, as the SSN would no longer
Greatest Protection be printed on the card. Additionally, because providers would not need to
Against Identity Theft collect a beneficiary’s SSN or maintain that information in their files,
beneficiaries’ vulnerability to identity theft would be reduced in the event
of a provider data breach.
Page 15 GAO-12-831 Removal of SSNs from Medicare Cards
Figure 2: Risk of Identity Theft with Medicare Card under CMS’s Three Proposed
Options
The other two options CMS presented in its 2011 report provide less
protection against identity theft. For example, replacing the SSN with a
new number just for beneficiary use would offer some protection against
identity theft for beneficiaries because no portion of the SSN would be
visible on the Medicare card. This would reduce the likelihood of identity
theft with the SSN if a card is lost or stolen. However, providers would still
need to collect and store the SSN, leaving beneficiaries vulnerable to
identity theft in the event of a provider data breach. CMS’s truncated SSN
option would provide even less protection against identity theft. This
option would eliminate full visibility of the SSN on the Medicare card,
making it more difficult to use for identity theft. However, we have
previously reported that the lack of standards for truncation mean that
identity thieves can still construct a full SSN fairly easily using truncated
SSNs from various electronic and hard copy records. 30 In addition, under
30
In past work, we have reported that it is possible to reconstruct truncated SSNs by
comparing different public records that had truncated SSNs in different ways. See GAO,
Social Security Numbers: Federal Actions Could Further Decrease Availability in Public
Records, though Other Vulnerabilities Remain, GAO-07-752 (Washington, D.C.: June 15,
2007).
Page 16 GAO-12-831 Removal of SSNs from Medicare Cards
this option, providers would still store the SSN in their files, thereby
making beneficiaries vulnerable to identity theft in the event of a provider
data breach.
CMS’s Option to Replace We found that CMS’s option to replace the SSN with a new identifier for
the SSN with a New use by beneficiaries and providers presents fewer burdens for
Identifier for Use by beneficiaries and providers relative to the other options presented in
CMS’s 2011 report. (See fig. 3.) Under this option, the new identifier
Beneficiaries and would be printed on the card, and beneficiaries would use this identifier
Providers Would Minimize when interacting with CMS, eliminating the need for beneficiaries to
Burdens for Beneficiaries memorize their SSN or store it elsewhere as they might do under other
and Providers options. This option may also present fewer burdens for providers, as
they would not have to query databases or make phone calls to obtain a
beneficiary’s information to submit claims. 31 Private health insurers we
interviewed all reported using a similar approach to remove SSNs from
their insurance cards. Representatives from these insurers reported that
while there was some initial confusion and issues with claims submission
during the transition period, proactive outreach efforts to educate
providers about this change, as well as having a grace period during
which the SSN or new identifier could be used by providers to submit
claims, minimized issues and resulted in a relatively smooth transition.
31
There may be some initial burdens for providers and beneficiaries under any of the three
options presented by CMS. For example, according to CMS officials, some providers may
be required to update their IT software and beneficiaries may be confused by any change
to their identifier.
Page 17 GAO-12-831 Removal of SSNs from Medicare Cards
Interactive graphic Figure 3: Burdens of CMS’s Proposed Options for Removal of SSNs from Medicare Cards
Directions:
Roll over each cell for additional information about the burdens related to each option.
New identifier
(Beneficiary and New identifier Truncated SSN
provider use) (Beneficiary use only)
Beneficiary 3
Provider 3 3
CMS 3 3 3
Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services (CMS) and interviews with
relevant stakeholders.
Print instructions To print text version of this graphic, go to appendix I
Page 1 GAO-12-831 Removal of SSNs from Medicare Cards
The other two options CMS presented in its 2011 report would create
additional burdens for beneficiaries and providers. Beneficiaries may
experience difficulties under the truncated SSN option, as they may need
to recall their SSN, which could be their own SSN or that of a family
member. CMS officials stated that the age of Medicare beneficiaries and
the fact that their current identification number may be based on another
family member’s SSN could make it difficult for beneficiaries to remember
the number. In addition, about 31 percent of Medicare beneficiaries
residing in the community have a known cognitive or mental impairment,
making recalling their number by memory potentially difficult. 32 Under
both of these remaining options, providers would need to perform
additional tasks, such as querying a CMS database or calling CMS, to
obtain the full SSN to verify eligibility and submit claims. 33
Regardless of option, the burdens experienced by CMS would likely be
similar because the agency would need to conduct many of the same
activities and would incur many of the same costs. For example, it would
need to reissue Medicare cards to current beneficiaries; conduct outreach
and education to beneficiaries and providers; and conduct training for
business partners. CMS would also likely see increased call volume to its
1-800-Medicare line with questions about the changes. In addition, there
would likely be costs associated with changes to state Medicaid IT
systems. However, according to CMS officials, the option that calls for
replacing the SSN with a new identifier to be used by beneficiaries and
providers would have additional burdens because of the more extensive
changes required to CMS’s IT systems compared to the other options.
This option, however, would also potentially provide an additional benefit
to CMS, as the agency would be able to completely “turn off” the
identification number and replace it with a new one in the event that a
beneficiary’s number is compromised, something that is not possible with
the SSN. 34
32
The Kaiser Family Foundation, “Medicare Chartbook, Fourth Edition,” November 2010.
33
Providers may also request the SSN from beneficiaries or rely on the SSN documented
in a patient’s records.
34
CMS currently monitors nearly 275,000 compromised HICNs, which are HICNs that
have been subject to actual or possible unauthorized disclosure or access as the result of
physical or electronic theft. As long as CMS uses the HICN for transactions, the agency
must continue to monitor compromised HICNs.
Page 19 GAO-12-831 Removal of SSNs from Medicare Cards
Other Options Not CMS did not consider in its 2011 report how machine readable
Explored by CMS for technologies—such as bar codes, magnetic stripes, or smart chips—
Removing SSNs Would could assist in the effort to remove SSNs from Medicare cards. Machine-
readable technologies have been implemented to varying degrees by
Present Additional DOD and VA. According to DOD and VA officials, DOD is using a smart
Burdens for Beneficiaries, chip and barcode to store the cardholder’s personally identifiable
Providers, and CMS information, and VA is issuing cards in which such information and other
identifiers are stored in magnetic stripes and bar codes. Machine-
readable technologies may provide additional benefits, such as increased
efficiency for providers and beneficiaries. Furthermore, machine readable
technologies provide some additional protection against identity theft, but
officials we spoke with stated that the widespread availability of devices to
read magnetic stripes and bar codes have made these technologies less
secure. Because of this, both DOD and VA have plans to remove SSNs
that are stored in these technologies on their cards.
If CMS were to use machine-readable technologies, they could present
significant challenges to providers. For example, providers could
experience difficulties due to the lack of standardization across these
technologies. Representatives from one private health insurer we
interviewed stated that while the use of cards with magnetic stripes
worked well within a small region where they have large market-
penetration, implementing such an effort in regions where providers
contract with multiple insurers would be more difficult due to this lack of
standardization. In addition, use of machine-readable cards would likely
require providers to purchase additional equipment and could be
problematic for providers that lack the necessary infrastructure, such as
high-speed internet connections, to make machine-readable technologies
feasible. According to CMS officials, implementing machine-readable
technologies may also require cards that cost more than the paper
Medicare card currently in use.
Removing the SSN from the Medicare card and not replacing it with a
new identifier, an option also not considered in CMS’s report to Congress,
could reduce beneficiaries’ vulnerability to identity theft, but would create
burdens for beneficiaries, providers, and CMS. Complete removal of the
SSN from the Medicare card would protect beneficiaries from identity theft
in the event that a card is lost or stolen. However, like the truncation
option, beneficiaries may have difficulty recalling their SSN at the time of
service or when interacting with CMS. This could also be difficult because
the SSN needed to show eligibility may not be the beneficiary’s own. In
addition, providers would likely need to change their administrative
processes to obtain the needed information either by querying a
Page 20 GAO-12-831 Removal of SSNs from Medicare Cards
database, calling CMS, or obtaining it directly from the beneficiary.
Finally, because providers would still need to collect and store the SSN
for eligibility verification and claims submission, beneficiaries would
remain vulnerable to identity theft in the event of a provider data breach. 35
The VA used this approach to remove SSNs from the approximately
363,000 dependent care program cards, and officials stated that it
requires providers to obtain the SSN at the time of service. However,
Medicare covers over 48 million beneficiaries who receive services from
1.4 million providers, making such a change more burdensome. In
addition, CMS would still encounter similar burdens as in the options
presented in its 2011 report to Congress, including the need to educate
beneficiaries and providers, and issue new cards, though the extent of the
necessary changes to CMS IT systems under such an option is unknown.
CMS Reported
Significant Costs
Associated with
Removing SSNs from
Medicare Cards, but
These Estimates May
Not Be Reliable
CMS Reported that In its 2011 report to Congress, CMS, in conjunction with SSA and RRB,
Removing SSNs from developed cost estimates for the three options to alter the display of the
Medicare Cards would SSN on Medicare cards or replace the SSN with a different unique
identifier. CMS projected that altering or removing the SSN would cost
Cost Over $800 Million between $803 million and $845 million. CMS’s costs represent the
majority of these costs (approximately 85 percent); while SSA and RRB’s
35
According to a membership organization for people aged 50 and older, completely
removing the SSN from the Medicare card and not replacing it with another identifier
would create concerns related to verification of eligibility and could potentially lead to
increased incidences of fraud.
Page 21 GAO-12-831 Removal of SSNs from Medicare Cards
costs represent approximately 12 percent and 0.2 percent, respectively.
(See table 3.) 36
Table 3: Agency Cost Estimates for CMS Options for Removing SSNs from Medicare Cards
2. New identifier 3. New identifier
Option 1. Truncated SSN (beneficiary use only) (beneficiary and provider use)
CMS cost estimates
Modifications to existing state
Medicaid IT systems and related
a
costs (federal) $261,000,000 $261,000,000 $261,000,000
Modifications to CMS IT systems 231,790,000 222,055,000 263,725,000
Reissuance of Medicare cards 69,320,000 69,320,000 69,320,000
Beneficiary outreach and education
needs 58,200,000 58,200,000 58,200,000
CMS 1-800-Medicare
communication plan 48,200,000 48,200,000 48,200,000
Provider outreach and education
needs 18,700,000 18,700,000 18,700,000
Training CMS business partners
and beneficiaries 166,800 166,800 166,800
b
Total CMS costs $687,376,800 $677,641,800 $719,311,800
SSA cost estimates
Responding to beneficiary inquires
and requests for new cards 62,000,000 62,000,000 62,000,000
Processing undeliverable cards 28,000,000 28,000,000 28,000,000
Online query access for SSA field
offices to obtain new identifier 3,000,000 3,000,000 3,000,000
Outreach, training, revisions to
current forms, and additional
application time 2,000,000 2,000,000 2,000,000
Total SSA costs $95,000,000 $95,000,000 $95,000,000
RRB cost estimates
RRB IT system conversions 225,204 444,459 444,459
Issuing new Medicare cards 388,905 388,905 388,905
Responding to beneficiary inquiries 278,912 278,912 278,912
36
The remaining approximately 3.5 percent of the costs are state costs related to Medicaid
IT system modifications. However, in its report CMS included these costs under CMS’s
total.
Page 22 GAO-12-831 Removal of SSNs from Medicare Cards
2. New identifier 3. New identifier
Option 1. Truncated SSN (beneficiary use only) (beneficiary and provider use)
User costs related to system and
procedure changes 145,952 145,952 145,952
Beneficiary education and
publications) 52,500 52,500 52,500
c
Total RRB costs $1,091,473 $1,310,728 $1,310,728
State costs
Modifications to existing state
Medicaid IT systems and related
a
costs (state) 29,000,000 29,000,000 29,000,000
Total state costs $29,000,000 $29,000,000 $29,000,000
d
Total estimated costs $812,468,273 $802,952,528 $844,622,528
Source: GAO analysis of data provided by the Centers for Medicare & Medicaid Services (CMS), the Social Security Administration
(SSA), and the Railroad Retirement Board (RRB).
a
CMS estimates that total modifications to existing state Medicaid systems would cost $290 million, of
which CMS would be responsible for a federal share of $261 million. The states would be responsible
for the remaining $29 million. Related costs include, for example, business process changes, training,
and updates to system documentation.
b
Totals presented in CMS’s report were $716,377,000; $706,642,000; and $748,311,000; however,
CMS officials confirmed that state Medicaid costs should have been reported separately from CMS’s
costs and that rounding errors were made in some of the totals presented in its report. GAO numbers
reflect corrected calculations.
c
Totals presented in CMS’s report were $1,092,000; $1,311,000; and $1,311,000; however, CMS
officials confirmed that rounding errors were made in some totals presented in its report. GAO
numbers reflect corrected calculations.
d
Totals presented in CMS’s report were $812,469,000; $802,952,000; and $844,622,000; however,
CMS officials confirmed that rounding errors were made in some totals presented in its report. GAO
numbers reflect corrected calculations.
Approximately two-thirds of the total estimated costs (between
$512 million and $554 million depending on the option) are associated
with modifications to existing state Medicaid IT systems and CMS’s IT
system conversions. 37 While modifications to existing state Medicaid IT
systems and related costs are projected to cost the same across all three
options, the estimated costs for CMS’s IT system conversions vary. This
variation is due to the differences in the number of systems affected and
the costs for modifying affected systems for the different options. CMS
would incur costs related to modifying 40 IT systems under the truncated
37
Modifications to state Medicaid IT systems would be needed in order to process
information on individuals eligible for both Medicare and Medicaid. CMS would incur
$261 million as the federal share of the estimated total of $290 million. The remaining
$29 million would be the responsibility of the States.
Page 23 GAO-12-831 Removal of SSNs from Medicare Cards
SSN option, 44 systems under the new identifier for beneficiary use
option, and 48 systems under the new identifier for beneficiary and
provider use option. In addition, the cost associated with changes to
specific systems varied depending on the option. CMS’s estimates for all
non-IT related cost areas are constant across the options. Other
significant cost areas for CMS include reissuing the Medicare card,
conducting outreach and education to beneficiaries about the change to
the identifier, and responding to beneficiary inquires related to the new
card.
Both SSA and RRB would also incur costs under each of the options
described in CMS’s 2011 report. 38 SSA estimated that implementing any
of the three options presented in the 2011 report would cost the agency
$95 million. SSA’s primary costs included $62 million for responding to
inquiries and requests for new Medicare cards from beneficiaries and
$28 million for processing new cards mailed by CMS that are returned as
undeliverable. SSA officials told us that even though CMS would be
responsible for distributing new Medicare cards, SSA anticipated that
about 13 percent of the beneficiary population would contact SSA with
questions. RRB’s costs totaled between $1.1 million and $1.3 million.
Between 21 and 34 percent of RRB’s total costs were related to IT
system updates and changes, depending on the option. The rest of
RRB’s costs were related to business functions, such as printing and
mailing new cards; user costs related to system and procedure changes;
and education and outreach.
The cost estimates included in CMS’s 2011 report were as much as
2.5 times higher than those estimated in its 2006 report to Congress. 39
CMS attributed these increases to the inclusion of costs not included in
the 2006 report, such as those associated with changes to state Medicaid
38
Both SSA and RRB perform Medicare related activities and would need to make
changes to their business processes and IT systems as a result of any of the options to
remove SSNs from Medicare cards. SSA determines Medicare eligibility for persons who
receive or are about to receive Social Security benefits, enrolls those who are eligible into
Medicare, and assigns them a HICN. Though CMS prints and distributes the Medicare
card, beneficiaries often contact SSA when they need a replacement card. RRB is
responsible for determining Medicare eligibility for qualified railroad retirement
beneficiaries, enrolling them into Medicare, assigning HICNs to these individuals, and
issuing Medicare cards to them.
39
In 2006, CMS estimated that removing the SSN from the Medicare card and replacing it
with a new non-SSN based identifier would cost $338 million.
Page 24 GAO-12-831 Removal of SSNs from Medicare Cards
systems and changes to its IT systems related to Part D, as well as a
more thorough accounting of costs associated with many of the other cost
areas, including SSA costs. In addition, CMS said in its 2006 report that
phasing in a new identifier for beneficiaries over a 5- to 10-year period
would reduce costs. However, in its 2011 report, CMS stated that such an
option would be cost prohibitive because it would require running two
parallel IT systems for an extended period of time. 40
The Methods and There are several key concerns regarding the methods and assumptions
Assumptions CMS Used to CMS used to develop its cost estimates that raise questions about the
Derive Cost Estimates reliability of its overall cost estimates. First, CMS did not use any cost
estimating guidance when developing its estimates. GAO’s Cost
Raise Questions about Estimating and Assessment Guide identifies a number of best practices
Their Reliability designed to ensure a cost estimate is reliable. 41 However, CMS officials
acknowledged that the agency did not rely on any specific cost-estimating
guidance, such as GAO’s cost-estimating guidance, during the
development of the cost estimates presented in the agency’s report to
Congress. The agency also did not conduct a complete life-cycle cost
estimate on relevant costs, 42 such as those associated with IT system
conversions. 43 CMS officials told us they did not conduct a full life-cycle
cost estimate for each option because this was a hypothetical analysis,
40
DOD officials told us that in its effort to remove SSNs from cards, DOD is issuing cards
without SSNs as old cards expire and, for retirees, allowing them to keep their current
card with the SSN printed on the front indefinitely unless they request a new card.
According to DOD officials, the agency does not expect to incur additional costs
associated with this phased approach, which is similar to the phased approach CMS
described in its 2006 report.
41
GAO-09-3SP.
42
A life-cycle cost estimate provides an exhaustive and structured accounting of all
resources and associated cost elements required to develop, produce, deploy, and
sustain a particular program. This entails identifying all cost elements that pertain to the
program from initial concept all the way through operations, support, and disposal. Life-
cycle costing enhances decision making, especially in early planning and concept
formulation of acquisition.
43
CMS officials told us that if the agency proceeded with one of the options described in
the report, they would conduct a life-cycle cost estimate.
Page 25 GAO-12-831 Removal of SSNs from Medicare Cards
and doing so would have been too resource intensive for the purpose of
addressing policy options. 44
Second, the procedures used to develop estimates for the two largest
cost categories—changes to existing state Medicaid IT systems and
CMS’s IT system conversions—are questionable and not well
documented. For each of CMS’s options, the agency estimated Medicaid
IT changes would cost $290 million. 45 Given the size of this cost category,
we have concerns about the age of the data, the number of states used to
generalize these estimates, as well as the completeness of the
information CMS collected. For example, CMS’s estimates for costs
associated with its proposed changes were based on data collected in
2008, at which time the agency had not developed all of the options
presented in its 2011 report. 46 In addition, while CMS asked for cost data
from all states in 2008, it received data from only five states—Minnesota,
Montana, Oklahoma, Rhode Island, and Texas—and we were unable to
determine whether these states are representative of the IT system
changes required by all states. CMS extrapolated national cost estimates
based on the size of these states, determined by the number of Medicare
eligible beneficiaries in them. However, the cost of IT modifications to
Medicaid systems would likely depend more on the specific IT systems
and their configurations in use by the state than on the number of
Medicare beneficiaries in the state. CMS was unable to provide
documentation about the data it requested from states related to its cost
projections, or documentation of the responses it received from states on
the specific modifications to Medicaid IT systems that would be required.
CMS officials also acknowledged that each state is different and their IT
systems would require different modifications.
44
HHS also has specific guidance for conducting IT alternative analyses—HHS-IRM-2003-
0002 Policy for Conducting Information Technology Alternative Analysis. CMS officials
also told us that although they performed such an analysis, they were unaware of this
guidance and followed no specific HHS guidance on alternative analysis or cost
estimating.
45
It addition to Medicaid IT system modification costs, this cost category includes related
costs, such as business process changes, training, and updates to system documentation.
46
CMS officials told us that the new identifier for beneficiary use, and new identifier for
beneficiary and provider use options had already been developed at the time CMS
requested data from the states, but the agency did not include the truncation option when
it requested data from the states.
Page 26 GAO-12-831 Removal of SSNs from Medicare Cards
For the CMS IT-system conversion costs, officials told us that CMS
derived its IT-system conversion cost estimates by asking its IT system
owners for costs associated with changes to the systems affected under
each of the three options. 47 However, CMS provided us with limited
documentation related to the information it supplied to its system owners
when collecting cost data to develop its estimates, and no supporting
documentation for the data it received from system owners. The
documentation CMS provided asked system owners to provide the basis
for their estimates (including, for example, costs related to labor and
hardware, and software changes and additions), and laid out general
assumptions for system owners to consider. However, because CMS
asked for estimates for broad cost categories, the data it received were
general in nature and not a detailed accounting of specific projected
costs. CMS officials also told us that system requirements changed over
the course of their work; however, they provided no documentation
related to how these changes were communicated to system owners. In
addition, CMS officials told us that they generally did not attempt to verify
estimates submitted by system owners. CMS could not explain how or
why a number of the systems the agency believed would require
modifications would be affected under its three options, or the variance in
the costs to modify these systems across the options.
Moreover, CMS’s cost estimates for the IT-related costs in its 2011 report
were approximately three times higher than the estimate in the agency’s
2006 report. 48 That report stated that the majority of changes necessary
to replace the existing number with a non-SSN-based identifier would
affect only two systems; 49 however, the agency estimated in its 2011
report that up to 48 systems would require modification, depending on the
option selected. 50 Furthermore, CMS’s 2006 report stated that the
47
System owners refer to CMS employees or contractors who manage CMS IT systems.
48
In its 2006 report to Congress, CMS estimated that removal of the SSN from Medicare
cards would cost approximately $338 million, of which $80.2 million was attributable to
start up costs for IT system modifications.
49
The 2006 report stated that “less extensive, but still significant change to other systems”
would be required; however, 85 percent of the system conversion costs were associated
with only two systems.
50
CMS’s 2011 report cited 51 systems that would be affected; however, information
provided by CMS to GAO shows that between 40 and 48 IT systems would require
modifications depending on the option implemented.
Page 27 GAO-12-831 Removal of SSNs from Medicare Cards
2 primary IT systems affected—the Medicare Beneficiary Database and
the Enrollment Database—account for $70 million, or 85 percent, of the
IT-related costs. However, in the 2011 report, these 2 systems accounted
for 5 percent or less of the IT-related costs, depending on the option
implemented. CMS officials we interviewed were unable to explain the
differences in the number of systems affected, or the costs of required
modifications to IT systems between the 2006 and 2011 reports.
Third, there are inconsistencies in some assumptions used by CMS and
SSA in the development of the estimates. For example, CMS and SSA
used different assumptions regarding the number of Medicare
beneficiaries that would require new Medicare cards. According to CMS
officials, the agency based its cost estimates on the number of Medicare
beneficiaries at the time the report was prepared (47 million), whereas
SSA officials told us the agency based its estimates on the expected
number of beneficiaries in 2015 (55 million), the year they estimated the
new card would likely be issued. In addition, nearly 30 percent of SSA’s
costs were related to processing newly-issued Medicare cards that are
returned as undeliverable. However, SSA officials told us that they were
not aware that CMS’s cost estimates included plans to conduct an
address-verification mailing at a cost of over $45 million prior to issuing
new cards. Such a mailing could reduce the number of cards returned as
undeliverable, and thus SSA’s costs associated with processing such
cards. 51
Finally, CMS did not take into account other factors when developing its
cost estimates, including related IT modernization efforts or potential
savings from removing the SSN from Medicare cards. In developing its
estimates, CMS did not consider ways to integrate IT requirements for
removing the SSN from Medicare cards with those necessitated by other
IT modernization plans to realize possible efficiencies. DOD and a private
health insurer we interviewed reported that when removing SSNs from
their cards, they updated their systems to accommodate this change in
conjunction with other unrelated system upgrades. CMS officials told us
that because many of the agency’s other IT modernization plans are
unfunded, the agency does not know when or if these efforts will be
undertaken. As a result, the agency is unable to coordinate the SSN
51
SSA officials said that although they were unaware of this planned address verification
mailing, they believe their estimate of the percent of cards returned as undeliverable is still
appropriate.
Page 28 GAO-12-831 Removal of SSNs from Medicare Cards
removal effort or to estimate savings from combining such efforts. In its
report, CMS also acknowledged that if the agency switched to a new
identifier used by both beneficiaries and providers, there would likely be
some savings due to improved program integrity and reduced need to
monitor SSNs that may be stolen and used fraudulently. However, in
developing its estimates, CMS did not include any potential savings the
agency might accrue as a result of removing the SSN from Medicare
cards. 52
Nearly six years have passed since CMS first issued a report to Congress
Conclusions that explored options to remove the SSN from the Medicare card, and five
years have elapsed since the Office of Management and Budget directed
federal agencies to reduce the unnecessary use of the SSN. While CMS
has identified various options for removing the SSN from Medicare cards,
CMS has not committed to a plan to remove them. The agency lags
behind other federal agencies and the private sector in reducing the use
of the SSN. DOD, VA, and private health insurers have taken significant
steps to eliminate the SSN from display on identification and health
insurance cards, and reduce its role in operations.
Of the options presented by CMS, the option that calls for developing a
new identifier for use by beneficiaries and providers offers the best
protection against identity theft and presents fewer burdens for
beneficiaries and providers than the other two. Consistent with the
approach taken by private health insurers, this option would eliminate the
use and display of the SSN for Medicare processes conducted by
beneficiaries and providers. While CMS reported that this option is
somewhat more costly than the other options, the methods and
assumptions CMS used to develop its estimates do not provide enough
certainty that those estimates are credible. Moreover, because CMS did
not have well-documented cost estimates, the reliability of its estimates
cannot be assessed. Use of standard cost-estimating procedures, such
as GAO’s estimating guidance, would help ensure that CMS cost
estimates are comprehensive, well documented, accurate and credible.
Moving forward, CMS could also explore whether the use of magnetic
stripes, bar codes, or smart chips could offer other benefits such as
52
In its 2011 report, CMS noted that the ability to “turn off” a beneficiary’s identifier under
one of its proposed options could improve the agency’s ability to combat Medicare fraud,
waste, and abuse.
Page 29 GAO-12-831 Removal of SSNs from Medicare Cards
increased efficiencies. Absent a reliable cost estimate, however,
Congress and CMS cannot know the costs associated with this option
and how to prioritize it relative to other CMS initiatives. Lack of action on
this key initiative leaves Medicare beneficiaries exposed to the possibility
of identity theft.
In order for CMS to implement an option for removing SSNs from
Recommendations for Medicare cards, we recommend that the Administrator of CMS
Executive Action
• select an approach for removing the SSN from the Medicare card that
best protects beneficiaries from identity theft and minimizes burdens
for providers, beneficiaries, and CMS, and
• develop an accurate, well-documented cost estimate for such an
option using standard cost-estimating procedures.
We provided a draft of this report to CMS, DOD, RRB, SSA, and VA for
Agency Comments review and comment. CMS and RRB provided written comments which
and Our Evaluation are reproduced in appendixes II and III. DOD, SSA, and VA provided
comments by e-mail.
CMS concurred with our first recommendation to select an approach for
removing the SSN from Medicare cards that best protects beneficiaries
from identity theft and minimizes burdens for providers, beneficiaries, and
CMS. The agency noted that such an approach could protect
beneficiaries from identity theft resulting from loss or theft of the card and
would allow CMS a useful tool in combating Medicare fraud and medical
identity theft. CMS also concurred with our second recommendation that
CMS develop an accurate, well-documented cost estimate using standard
cost-estimating procedures for an option that best protects beneficiaries
from identity theft and minimizes burdens for providers, beneficiaries, and
CMS. CMS noted that a more rigorous and detailed analysis of a selected
option would be necessary in order for Congress to appropriate funding
sufficient for implementation, and that it will utilize our suggestions to
strengthen its estimating methodology for such an estimate.
DOD had no comments and did not comment on the report’s
recommendations. RRB stated that the report accurately reflected its
input and had no additional comment. SSA provided only one technical
comment, which we incorporated as appropriate, but did not comment on
the report’s recommendations. VA concurred with our findings, but
provided no additional comments.
Page 30 GAO-12-831 Removal of SSNs from Medicare Cards
We are sending copies to the Secretaries of HHS, DOD and VA, the
Administrator of CMS, the Commissioner of SSA, the Chairman of RRB,
interested congressional committees, and others. In addition, the report
will be available at no charge on the GAO website at http://www.gao.gov.
If you or your staffs have questions about this report, you may contact us
at: Kathleen King, (202) 512-7114 or kingk@gao.gov or Daniel Bertoni,
(202) 512-7215 or bertonid@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report. GAO staff who made key contributions to this report are
listed in appendix IV.
Kathleen King
Director, Health Care
Daniel Bertoni
Director, Education, Workforce, and Income Security Issues
Page 31 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix I: Burdens of CMS’s Proposed
Appendix I: Burdens of CMS’s Proposed
Options for Removal of SSN from Medicare
Card (Accessible Text)
Options for Removal of SSN from Medicare
Card (Accessible Text)
New identifier Truncated
(beneficiary and New identifier Social Security
provider use) (beneficiary use only) number (SSN)
a b c
Beneficiary √
d e f
Provider √ √
g h i
CMS √ √ √
Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services and interviews with relevant
stakeholders.
a
While any change to the beneficiary identifier could cause initial confusion for beneficiaries, this
option creates no additional burden for the beneficiary because the number on the card would be
used to receive services and interact with CMS.
b
While any change for the beneficiary identifier could cause initial confusion for beneficiaries, this
option creates no additional burdens to the beneficiary because the number on the card would be
used to receive services and interact with CMS.
c
Could create additional burdens for beneficiaries because they could be required to remember their
SSN in order to receive services and interact with CMS.
d
While any change to the beneficiary identifier could cause initial confusion among providers, this
option would not create additional burdens for the provider, as the provider would be able to obtain
the number from the card provided by the beneficiary.
e
Could create an additional burden for providers because it would require the provider to obtain the
beneficiary’s SSN either from the beneficiary, by querying a CMS database, or by calling CMS in
order to verify eligibility.
f
Could create an additional burden for providers because it would require the provider to obtain the
beneficiary’s SSN either from the beneficiary, by querying a CMS database, or by calling CMS in
order to verify eligibility.
g
According to CMS, this option would require the most significant modifications to its IT systems. All
other burdens for CMS would be similar across the three options.
h
According to CMS, this option would require the least significant modifications to its IT systems. All
other burdens for CMS would be similar across the three options.
i
According to CMS, this option would require more significant modifications to its IT systems than the
new identifier- beneficiary use only option, and less significant modifications than the new identifier—
beneficiary and provider use option. All other burdens for CMS would be similar across the three
options.
Page 32 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix II: Comments from the Centers for
Appendix II: Comments from the Centers for
Medicare & Medicaid Services
Medicare & Medicaid Services
Page 33 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix II: Comments from the Centers for
Medicare & Medicaid Services
Page 34 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix II: Comments from the Centers for
Medicare & Medicaid Services
Page 35 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix III: Comments from the Railroad
Appendix III: Comments from the Railroad
Retirement Board
Retirement Board
Page 36 GAO-12-831 Removal of SSNs from Medicare Cards
Appendix IV: GAO Contacts and Staff
Appendix IV: GAO Contacts and Staff
Acknowledgments
Acknowledgments
Kathleen King, (202) 512-7114 or kingk@gao.gov or Daniel Bertoni,
GAO Contacts (202) 512-7215 or bertonid@gao.gov.
In addition to the contacts named above, the following individuals made
Staff key contributions to this report: Lori Rectanus, Assistant Director; Thomas
Acknowledgments Walke, Assistant Director; David Barish; James Bennett; Carrie Davidson;
Sarah Harvey; Drew Long; and Andrea E. Richardson.
(290992)
Page 37 GAO-12-831 Removal of SSNs from Medicare Cards
GAO’s Mission The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding decisions.
GAO’s commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and GAO posts on its website newly released reports, testimony, and
correspondence. To have GAO e-mail you a list of newly posted products,
Testimony go to www.gao.gov and select “E-mail Updates.”
Order by Phone The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s website,
http://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
Visit GAO on the web at www.gao.gov.
Contact:
To Report Fraud,
Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470
Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations 7125, Washington, DC 20548
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548
Please Print on Recycled Paper.
Medicare: CMS Needs an Approach and a Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards
Published by the Government Accountability Office on 2012-08-01.
Below is a raw (and likely hideous) rendition of the original report. (PDF)