United States Government Accountability Office
GAO
Testimony
Before the Subcommittees on Social Security and Health, Committee on Ways and Means, House of Representatives

For Release on Delivery Expected at 9:30 a.m. EDT Wednesday, August 1, 2012

MEDICARE
Action Needed to Remove Social Security Numbers from Medicare Cards

Statement of Kathleen M. King, Director, Health Care
Daniel Bertoni, Director, Education, Workforce, and Income Security Issues

GAO-12-949T

Chairman Johnson, Chairman Herger, and Members of the Subcommittees:

We are pleased to be here today to discuss our review of the options presented by the Department of Health and Human Services (HHS) and its agency, the Centers for Medicare & Medicaid Services (CMS), for removing Social Security numbers (SSN) from Medicare[1] cards and the agency’s cost estimates for these options.[2] More than 48 million Medicare cards display an SSN as part of the health insurance claim number (HICN). The HICN plays an essential role in the administration of the Medicare program and is used by CMS to interact with beneficiaries and providers, and by other agencies that play a role in determining an individual’s eligibility for Medicare.[3] However, thieves can steal the information from Medicare cards to commit various acts of identity theft, such as opening fraudulent bank or credit card accounts or receiving medical services in a beneficiary’s name. In 2010, 7 percent of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced identity theft, according to U.S. Department of Justice figures. The estimated financial cost of identity theft during that year was approximately $13.3 billion.[4] Theft of this information can also result from a data breach—the unauthorized disclosure of a beneficiary’s personally identifiable information.[5] Between September 2009 and March 2012, the HHS Office for Civil Rights identified over 400 reports of provider data breaches involving protected health information that each affected more than 500 individuals.[6]

The importance of enhancing security protections for the display and use of SSNs has resulted in multiple actions by federal and state governments and the private sector. For example, the Social Security Administration (SSA) has advised for years that individuals not carry their Social Security card with them. In 2007, the Office of Management and Budget issued a directive to all federal agencies to develop a plan for reducing the unnecessary use of SSNs and exploring alternatives to their use.[7] Many federal agencies, including the Departments of Defense (DOD) and Veterans Affairs (VA), have taken significant steps to remove SSNs from their health insurance and identification cards. In the private sector, health insurers have also removed SSNs from their insurance cards in an effort to comply with state laws and protect beneficiaries from identity theft. In 2004, we reported that CMS determined it would be cost-prohibitive to remove the SSN from the Medicare card.[8] Subsequently, CMS issued a report to Congress in 2006 describing an option for removing the SSN and estimated it would cost over $300 million to do so.[9]

Our remarks are based on our report released today,[10] which describes the various options for removing the SSN from the Medicare card and examines the potential benefits, burdens, and CMS’s cost estimates associated with the various options. To conduct this work, we reviewed CMS’s 2011 report to Congress,[11] as well as supporting documentation provided by CMS. We also interviewed officials from CMS, SSA, and the Railroad Retirement Board (RRB), as well as officials at DOD, VA, and representatives of private health insurers and other stakeholders. More information on our scope and methodology is provided in the full report. Our work was performed in accordance with generally accepted government auditing standards from January 2012 to July 2012 for both the full report and for this statement.

In its November 2011 report, CMS presented three options for removing SSNs from Medicare cards. One option would truncate the SSN so that only the last four digits would appear on the card. However, the full SSN would continue to be used by both beneficiaries and providers for all Medicare business transactions. The other two options would replace the display of the SSN on the Medicare card with a newly developed identifier that CMS calls the Medicare Beneficiary Identifier (MBI). In one of these options, this new identifier would be used by the beneficiary in their interactions with CMS; however, the provider would continue to use the SSN to interact with CMS. In the other, both the beneficiary and provider would use the new identifier printed on the Medicare card and the SSN would be entirely excluded from the transaction. CMS, SSA, and RRB reported that all three options would generally require similar efforts, including coordinating with stakeholders; converting information-technology (IT) systems; conducting provider and beneficiary outreach and education; conducting training of business partners; and issuing new cards. While the level and type of modifications required to IT systems would vary under each option, the one involving use of a new identifier by both beneficiaries and providers would require somewhat more-extensive IT modifications.

[1] Medicare is the federal health insurance program for individuals over the age of 65, individuals under the age of 65 with certain disabilities, and individuals with end-stage renal disease.

[2] Centers for Medicare & Medicaid Services, Update on the Assessment of the Removal of Social Security Numbers from Medicare Cards (Baltimore, Md.: November 2011).

[3] For most individuals, the Social Security Administration (SSA) is responsible for determining eligibility for Medicare and assigning the HICN. However, for the approximately 550,000 Railroad Retirement beneficiaries and their dependents, the Railroad Retirement Board (RRB) is responsible for determining eligibility and assigning the HICN.

[4] Lynn Langston, Identity Theft Reported by Households, 2005-2010, NCJ 236245 (Washington, D.C.: U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, November 2011).

[5] For the purposes of this statement, we define a data breach as the unauthorized acquisition, access, use, or disclosure of individually identifiable information.

[6] We use the term provider to refer to any organization, institution, or individual that provides health care services to Medicare beneficiaries. These include hospitals, nursing facilities, physicians, hospices, ambulatory surgical centers, outpatient clinics, and suppliers of durable medical equipment, among others.

[7] Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (Washington, D.C.: May 22, 2007).

[8] GAO, Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards, GAO-05-59 (Washington, D.C.: Nov. 9, 2004).

[9] Centers for Medicare & Medicaid Services, Report to Congress: Removal of Social Security Number from the Medicare Health Insurance Card and Other Medicare Correspondence (Baltimore, Md.: October 2006).

[10] GAO, Medicare: CMS Needs an Approach and a Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards, GAO-12-831 (Washington, D.C.: Aug. 2, 2012).
However, CMS has not committed to implementing any of the three options presented in its report. Nor did CMS consider other options in its 2011 report, such as how machine-readable technologies, including bar codes, magnetic stripes, or smart chips, could assist in the effort to remove SSNs from Medicare cards. CMS officials told us that they limited their options to those retaining the basic format of the current paper card, and did not consider options that they believed were outside the scope of the congressional request.

Of the three options presented in CMS’s 2011 report, we found that replacing the SSN with a new identifier for use by beneficiaries and providers offers beneficiaries the greatest protection against identity theft. Under this option, beneficiaries’ risk of identity theft would be reduced in the event that their card was lost or stolen because the SSN would no longer be printed on the card. In addition, because providers would not need the SSN to interact with CMS, they would not be required to collect or maintain this information, reducing the beneficiaries’ vulnerability in the event of a provider data breach. In addition, this option presents fewer burdens for beneficiaries and providers relative to the others. Under this option, the new identifier would be printed on the card, and beneficiaries would use this identifier when interacting with CMS, eliminating the need for them to memorize their SSN or store it elsewhere as they might do under the other options. This option may also present fewer burdens for providers because they would not have to query a CMS database or call CMS to obtain a beneficiary’s information to submit claims as they would with the other two options.[12]

Regardless of the option, the burdens experienced by CMS would likely be similar because CMS would still need to conduct many of the same activities and incur many of the same costs. For example, it would need to reissue Medicare cards to current beneficiaries; conduct outreach and education to beneficiaries and providers; and conduct training for business partners. In addition, similar modifications to state Medicaid IT systems would be required under each option in order to process information on individuals eligible for both Medicare and Medicaid.[13] However, according to CMS officials, the option that calls for replacing the SSN with a new identifier to be used by beneficiaries and providers would have additional burdens because of the more extensive changes required to CMS’s IT systems compared to the other options.

In its report, CMS, in conjunction with SSA and RRB, estimated that altering or removing the SSN would cost between $803 million and $845 million, depending on the option selected. Approximately two-thirds of the total estimated costs (between $512 million and $554 million) are associated with modifications to existing state Medicaid IT systems and CMS’s IT-system conversions.[14] While modifications to existing state Medicaid IT systems and related costs are projected to cost the same across all three options, the estimated costs for CMS’s IT-system conversions vary because of differences in the number of systems affected, and the costs for modifying affected systems for the different options. Both SSA and RRB would also incur costs under each of the options.[15] SSA estimated that implementing any of them would cost the agency $95 million, and RRB estimated costs totaling between $1.1 million and $1.3 million, depending on the option.

However, we have four key concerns regarding the methods and assumptions CMS used to develop its cost estimates that raise questions about their reliability.

First, CMS did not use any cost-estimating guidance when developing its estimates. CMS officials acknowledged that the agency did not rely on any such guidance, for example GAO’s,[16] in developing its report.[17]

Second, the procedures used to develop estimates for the two largest cost categories—changes to existing state Medicaid IT systems and CMS’s IT-system conversions—are questionable and not well documented.[18] For example, CMS’s estimates for certain costs were based on data collected in 2008, at which time the agency had not developed all of the options presented in the 2011 report.[19] In addition, while CMS asked for cost data from all states, it received data from only five states—Minnesota, Montana, Oklahoma, Rhode Island, and Texas—and we were unable to determine whether these states are representative of the IT-system changes required by all states. For CMS’s own IT systems, cost estimates for required modifications were approximately three times higher than those in the agency’s 2006 report.[20] CMS could not explain how or why a number of these systems would be affected under the three options. Officials also could not explain the variance in the costs to modify these systems across the options and could provide only limited documentation on the development of CMS’s estimates.

Third, we identified inconsistencies in some assumptions used by CMS and SSA in the development of the estimates. For example, CMS and SSA used different assumptions regarding the number of Medicare beneficiaries that would require new Medicare cards.

Fourth, CMS did not take into account other factors when developing its cost estimates. For example, CMS did not consider possible efficiencies that could be realized by combining IT modifications required to remove SSNs with related IT modernization efforts. The agency also did not attempt to calculate potential savings due to the reduced need to monitor compromised SSNs if they were removed from Medicare cards.

In conclusion, nearly six years have passed since CMS first issued a report to Congress that explored options for removing the SSN from the Medicare card, and five years have elapsed since the Office of Management and Budget directed federal agencies to reduce the unnecessary use of the SSN. While CMS has identified various options for removing the SSN from Medicare cards, the agency has not committed to a plan for such removal. Lack of action on this key initiative leaves Medicare beneficiaries exposed to the possibility of identity theft. Therefore, we recommended that CMS select an approach for removing the SSN from the Medicare card that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS; we also believe CMS should develop an accurate, well-documented cost estimate for such an option using standard cost-estimating procedures.

[11] Centers for Medicare & Medicaid Services, Update on the Assessment of the Removal of Social Security Numbers from Medicare Cards (Baltimore, Md.: November 2011).

[12] There may be some initial burdens for providers and beneficiaries under any of the three options presented by CMS. For example, according to CMS officials, some providers may be required to update their IT software and beneficiaries may be confused by any change to their identifier.

[13] State Medicaid programs are jointly-funded federal-state health care programs that cover certain low-income individuals.

[14] CMS would incur $261 million as the federal share of the estimated total of $290 million. The remaining $29 million would be the responsibility of the states.

[15] Both SSA and RRB perform Medicare-related activities and would need to make changes to their business processes and IT systems as a result of any of the options to remove SSNs from Medicare cards. SSA determines Medicare eligibility for persons who receive or are about to receive Social Security benefits, enrolls those who are eligible into Medicare, and assigns them a HICN. Though CMS prints and distributes the Medicare card, beneficiaries often contact SSA when they need a replacement card. RRB is responsible for determining Medicare eligibility for qualified railroad retirement beneficiaries, enrolling them into Medicare, assigning HICNs to these individuals, and issuing Medicare cards to them.

[16] GAO, Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Cost, GAO-09-3SP (Washington, D.C.: March 2009).

[17] CMS developed its estimates in conjunction with SSA and RRB by examining cost categories that included potential modifications to IT systems, reissuance of Medicare cards, and beneficiary outreach and education.

[18] In addition to Medicaid IT-system modification costs, this cost category includes related costs, such as business-process changes, training, and updates to system documentation.

[19] CMS officials told us that the new identifier for beneficiary use and new identifier for beneficiary and provider use options had already been developed at the time CMS requested data from the states, but the agency did not include the truncation option when it requested data from the states.

[20] In its 2006 report to Congress, CMS estimated that removal of the SSN from Medicare cards would cost approximately $338 million, of which $80.2 million was attributable to start-up costs for IT-system modifications.
In responding to a draft of the report on which this testimony is based, CMS concurred with our first recommendation to select an approach that best protects beneficiaries from identity theft while minimizing burdens for beneficiaries and providers. CMS also concurred with our second recommendation, stating that it would conduct a new estimate and utilize GAO’s suggestions to strengthen its estimating methodology. SSA, RRB, and DOD had no substantive comments and did not comment on the report’s recommendations. VA concurred with our findings.

Chairman Johnson, Chairman Herger, and Members of the Subcommittees, this completes our prepared statement. We would be pleased to respond to any questions you may have at this time.

If you or your staff have any questions about this testimony, please contact me at (202) 512-7114 or email@example.com, or Daniel Bertoni at (202) 512-7215 or firstname.lastname@example.org. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. GAO staff who made key contributions to this testimony are listed in appendix I.

Appendix I: GAO Contacts and Staff Acknowledgments

GAO Contacts: Kathleen King, (202) 512-7114 or email@example.com, or Daniel Bertoni, (202) 512-7215 or firstname.lastname@example.org.

Staff Acknowledgments: In addition to the contacts named above, the following individuals made key contributions to this statement: Lori Rectanus, Assistant Director; Thomas Walke, Assistant Director; David Barish; Carrie Davidson; Drew Long, and Andrea E. Richardson.

(291060)

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO.
However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Congressional Relations: Katherine Siggerud, Managing Director, firstname.lastname@example.org, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs: Chuck Young, Managing Director, email@example.com, (202) 512-4800, U.S. Government Accountability Office, 441 G Street NW, Room 7149, Washington, DC 20548
Medicare: Action Needed to Remove Social Security Numbers from Medicare Cards
Published by the Government Accountability Office on 2012-08-01.