Medicare: Action Needed to Remove Social Security Numbers from Medicare Cards

Published by the Government Accountability Office on 2012-08-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                             United States Government Accountability Office

GAO                          Testimony
                             Before the Subcommittees on Social
                             Security and Health, Committee on Ways
                             and Means, House of Representatives

For Release on Delivery
Expected at 9:30 a.m. EDT
Wednesday, August 1, 2012

                             Action Needed to Remove
                             Social Security Numbers
                             from Medicare Cards
                             Statement of Kathleen M. King
                             Director, Health Care
                             Daniel Bertoni
                             Director, Education, Workforce, and Income Security

To access this report
electronically, scan this
QR Code.
Don't have a QR code
reader? Several are
available for free online.

Chairman Johnson, Chairman Herger, and Members of the

We are pleased to be here today to discuss our review of the options
presented by the Department of Health and Human Services (HHS) and
its agency, the Centers for Medicare & Medicaid Services (CMS), for
removing Social Security numbers (SSN) from Medicare 1 cards and the
agency’s cost estimates for these options. 2

More than 48 million Medicare cards display an SSN as part of the health
insurance claim number (HICN). The HICN plays an essential role in the
administration of the Medicare program and is used by CMS to interact
with beneficiaries and providers, and by other agencies that play a role in
determining an individual’s eligibility for Medicare. 3 However, thieves can
steal the information from Medicare cards to commit various acts of
identity theft, such as opening fraudulent bank or credit card accounts or
receiving medical services in a beneficiary’s name. In 2010, 7 percent of
households in the United States, or about 8.6 million households, had at
least one member age 12 or older who experienced identity theft,
according to U.S. Department of Justice figures. The estimated financial
cost of identity theft during that year was approximately $13.3 billion. 4
Theft of this information can also result from a data breach—the
unauthorized disclosure of a beneficiary’s personally identifiable
information. 5 Between September 2009 and March 2012, the HHS Office
for Civil Rights identified over 400 reports of provider data breaches

 Medicare is the federal health insurance program for individuals over the age of 65,
individuals under the age of 65 with certain disabilities, and individuals with end-stage
renal disease.
 Centers for Medicare & Medicaid Services, Update on the Assessment of the Removal of
Social Security Numbers from Medicare Cards (Baltimore, Md.: November 2011).
 For most individuals, the Social Security Administration (SSA) is responsible for
determining eligibility for Medicare and assigning the HICN. However, for the
approximately 550,000 Railroad Retirement beneficiaries and their dependents, the
Railroad Retirement Board (RRB) is responsible for determining eligibility and assigning
the HICN.
 Lynn Langston, Identity Theft Reported by Households, 2005-2010, NCJ 236245
(Washington, D.C.: U.S. Department of Justice, Office of Justice Programs, Bureau of
Justice Statistics, November 2011).
 For the purposes of this statement, we define a data breach as the unauthorized
acquisition, access, use, or disclosure of individually identifiable information.

Page 1                                  GAO-12-949T Removal of SSNs from Medicare Cards
involving protected health information that each affected more than 500
individuals. 6

The importance of enhancing security protections for the display and use
of SSNs has resulted in multiple actions by federal and state
governments and the private sector. For example, the Social Security
Administration (SSA) has advised for years that individuals not carry their
Social Security card with them. In 2007, the Office of Management and
Budget issued a directive to all federal agencies to develop a plan for
reducing the unnecessary use of SSNs and exploring alternatives to their
use. 7 Many federal agencies, including the Departments of Defense
(DOD) and Veterans Affairs (VA), have taken significant steps to remove
SSNs from their health insurance and identification cards. In the private
sector, health insurers have also removed SSNs from their insurance
cards in an effort to comply with state laws and protect beneficiaries from
identity theft. In 2004, we reported that CMS determined it would be cost-
prohibitive to remove the SSN from the Medicare card. 8 Subsequently,
CMS issued a report to Congress in 2006 describing an option for
removing the SSN and estimated it would cost over $300 million to do
so. 9

Our remarks are based on our report released today, 10 which describes
the various options for removing the SSN from the Medicare card and
examines the potential benefits, burdens, and CMS’s cost estimates
associated with the various options. To conduct this work, we reviewed

 We use the term provider to refer to any organization, institution, or individual that
provides health care services to Medicare beneficiaries. These include hospitals, nursing
facilities, physicians, hospices, ambulatory surgical centers, outpatient clinics, and
suppliers of durable medical equipment, among others.
 Office of Management and Budget Memorandum M-07-16, Safeguarding Against and
Responding to the Breach of Personally Identifiable Information (Washington, D.C.:
May 22, 2007).
 GAO, Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards, GAO-05-59 (Washington, D.C.: Nov. 9, 2004).
 Centers for Medicare & Medicaid Services, Report to Congress: Removal of Social
Security Number from the Medicare Health Insurance Card and Other Medicare
Correspondence (Baltimore, Md.: October 2006).
  GAO, Medicare: CMS Needs an Approach and a Reliable Cost Estimate for Removing
Social Security Numbers from Medicare Cards, GAO-12-831 (Washington, D.C.: Aug. 2,

Page 2                                 GAO-12-949T Removal of SSNs from Medicare Cards
CMS’s 2011 report to Congress, 11 as well as supporting documentation
provided by CMS. We also interviewed officials from CMS, SSA, and the
Railroad Retirement Board (RRB), as well as officials at DOD, VA, and
representatives of private health insurers and other stakeholders. More
information on our scope and methodology is provided in the full report.
Our work was performed in accordance with generally accepted
government auditing standards from January 2012 to July 2012 for both
the full report and for this statement.

In its November 2011 report, CMS presented three options for removing
SSNs from Medicare cards. One option would truncate the SSN so that
only the last four digits would appear on the card. However, the full SSN
would continue to be used by both beneficiaries and providers for all
Medicare business transactions. The other two options would replace the
display of the SSN on the Medicare card with a newly developed identifier
that CMS calls the Medicare Beneficiary Identifier (MBI). In one of these
options, this new identifier would be used by the beneficiary in their
interactions with CMS; however, the provider would continue to use the
SSN to interact with CMS. In the other, both the beneficiary and provider
would use the new identifier printed on the Medicare card and the SSN
would be entirely excluded from the transaction. CMS, SSA, and RRB
reported that all three options would generally require similar efforts,
including coordinating with stakeholders; converting information-
technology (IT) systems; conducting provider and beneficiary outreach
and education; conducting training of business partners; and issuing new
cards. While the level and type of modifications required to IT systems
would vary under each option, the one involving use of a new identifier by
both beneficiaries and providers would require somewhat more-extensive
IT modifications. However, CMS has not committed to implementing any
of the three options presented in its report. Nor did CMS consider other
options in its 2011 report, such as how machine-readable technologies,
including bar codes, magnetic stripes, or smart chips, could assist in the
effort to remove SSNs from Medicare cards. CMS officials told us that
they limited their options to those retaining the basic format of the current
paper card, and did not consider options that they believed were outside
the scope of the congressional request.

  Centers for Medicare & Medicaid Services, Update on the Assessment of the Removal
of Social Security Numbers from Medicare Cards (Baltimore, Md.: November 2011).

Page 3                              GAO-12-949T Removal of SSNs from Medicare Cards
Of the three options presented in CMS’s 2011 report, we found that
replacing the SSN with a new identifier for use by beneficiaries and
providers offers beneficiaries the greatest protection against identity theft.
Under this option, beneficiaries’ risk of identity theft would be reduced in
the event that their card was lost or stolen because the SSN would no
longer be printed on the card. In addition, because providers would not
need the SSN to interact with CMS, they would not be required to collect
or maintain this information, reducing the beneficiaries’ vulnerability in the
event of a provider data breach. In addition, this option presents fewer
burdens for beneficiaries and providers relative to the others. Under this
option, the new identifier would be printed on the card, and beneficiaries
would use this identifier when interacting with CMS, eliminating the need
for them to memorize their SSN or store it elsewhere as they might do
under the other options. This option may also present fewer burdens for
providers because they would not have to query a CMS database or call
CMS to obtain a beneficiary’s information to submit claims as they would
with the other two options. 12 Regardless of the option, the burdens
experienced by CMS would likely be similar because CMS would still
need to conduct many of the same activities and incur many of the same
costs. For example, it would need to reissue Medicare cards to current
beneficiaries; conduct outreach and education to beneficiaries and
providers; and conduct training for business partners. In addition, similar
modifications to state Medicaid IT systems would be required under each
option in order to process information on individuals eligible for both
Medicare and Medicaid. 13 However, according to CMS officials, the option
that calls for replacing the SSN with a new identifier to be used by
beneficiaries and providers would have additional burdens because of the
more extensive changes required to CMS’s IT systems compared to the
other options.

In its report, CMS, in conjunction with SSA and RRB, estimated that
altering or removing the SSN would cost between $803 million and
$845 million, depending on the option selected. Approximately two-thirds
of the total estimated costs (between $512 million and $554 million) are

  There may be some initial burdens for providers and beneficiaries under any of the three
options presented by CMS. For example, according to CMS officials, some providers may
be required to update their IT software and beneficiaries may be confused by any change
to their identifier.
  State Medicaid programs are jointly-funded federal-state health care programs that
cover certain low-income individuals.

Page 4                                 GAO-12-949T Removal of SSNs from Medicare Cards
associated with modifications to existing state Medicaid IT systems and
CMS’s IT-system conversions. 14 While modifications to existing state
Medicaid IT systems and related costs are projected to cost the same
across all three options, the estimated costs for CMS’s IT-system
conversions vary because of differences in the number of systems
affected, and the costs for modifying affected systems for the different
options. Both SSA and RRB would also incur costs under each of the
options. 15 SSA estimated that implementing any of them would cost the
agency $95 million, and RRB estimated costs totaling between
$1.1 million and $1.3 million, depending on the option.

However, we have four key concerns regarding the methods and
assumptions CMS used to develop its cost estimates that raise questions
about their reliability. First, CMS did not use any cost-estimating guidance
when developing its estimates. CMS officials acknowledged that the
agency did not rely on any such guidance, for example GAO’s, 16 in
developing its report. 17 Second, the procedures used to develop
estimates for the two largest cost categories—changes to existing state
Medicaid IT systems and CMS’s IT-system conversions—are
questionable and not well documented. 18 For example, CMS’s estimates
for certain costs were based on data collected in 2008, at which time the
agency had not developed all of the options presented in the 2011

 CMS would incur $261 million as the federal share of the estimated total of $290 million.
The remaining $29 million would be the responsibility of the states.
  Both SSA and RRB perform Medicare-related activities and would need to make
changes to their business processes and IT systems as a result of any of the options to
remove SSNs from Medicare cards. SSA determines Medicare eligibility for persons who
receive or are about to receive Social Security benefits, enrolls those who are eligible into
Medicare, and assigns them a HICN. Though CMS prints and distributes the Medicare
card, beneficiaries often contact SSA when they need a replacement card. RRB is
responsible for determining Medicare eligibility for qualified railroad retirement
beneficiaries, enrolling them into Medicare, assigning HICNs to these individuals, and
issuing Medicare cards to them.
 GAO, Cost Estimating and Assessment Guide: Best Practices for Developing and
Managing Capital Program Cost, GAO-09-3SP (Washington, D.C.: March 2009).
  CMS developed its estimates in conjunction with SSA and RRB by examining cost
categories that included potential modifications to IT systems, reissuance of Medicare
cards, and beneficiary outreach and education.
  In addition to Medicaid IT-system modification costs, this cost category includes related
costs, such as business-process changes, training, and updates to system

Page 5                                  GAO-12-949T Removal of SSNs from Medicare Cards
report. 19 In addition, while CMS asked for cost data from all states, it
received data from only five states—Minnesota, Montana, Oklahoma,
Rhode Island, and Texas—and we were unable to determine whether
these states are representative of the IT-system changes required by all
states. For CMS’s own IT systems, cost estimates for required
modifications were approximately three times higher than those in the
agency’s 2006 report. 20 CMS could not explain how or why a number of
these systems would be affected under the three options. Officials also
could not explain the variance in the costs to modify these systems
across the options and could provide only limited documentation on the
development of CMS’s estimates. Third, we identified inconsistencies in
some assumptions used by CMS and SSA in the development of the
estimates. For example, CMS and SSA used different assumptions
regarding the number of Medicare beneficiaries that would require new
Medicare cards. Fourth, CMS did not take into account other factors when
developing its cost estimates. For example, CMS did not consider
possible efficiencies that could be realized by combining IT modifications
required to remove SSNs with related IT modernization efforts. The
agency also did not attempt to calculate potential savings due to the
reduced need to monitor compromised SSNs if they were removed from
Medicare cards.

In conclusion, nearly six years have passed since CMS first issued a
report to Congress that explored options for removing the SSN from the
Medicare card, and five years have elapsed since the Office of
Management and Budget directed federal agencies to reduce the
unnecessary use of the SSN. While CMS has identified various options
for removing the SSN from Medicare cards, the agency has not
committed to a plan for such removal. Lack of action on this key initiative
leaves Medicare beneficiaries exposed to the possibility of identity theft.
Therefore, we recommended that CMS select an approach for removing
the SSN from the Medicare card that best protects beneficiaries from
identity theft and minimizes burdens for providers, beneficiaries, and

   CMS officials told us that the new identifier for beneficiary use and new identifier for
beneficiary and provider use options had already been developed at the time CMS
requested data from the states, but the agency did not include the truncation option when
it requested data from the states.
  In its 2006 report to Congress, CMS estimated that removal of the SSN from Medicare
cards would cost approximately $338 million, of which $80.2 million was attributable to
start-up costs for IT-system modifications.

Page 6                                  GAO-12-949T Removal of SSNs from Medicare Cards
CMS; we also believe CMS should develop an accurate, well-
documented cost estimate for such an option using standard cost-
estimating procedures.

In responding to a draft of the report on which this testimony is based,
CMS concurred with our first recommendation to select an approach that
best protects beneficiaries from identity theft while minimizing burdens for
beneficiaries and providers. CMS also concurred with our second
recommendation, stating that it would conduct a new estimate and utilize
GAO’s suggestions to strengthen its estimating methodology. SSA, RRB,
and DOD, had no substantive comments and did not comment on the
report’s recommendations. VA concurred with our findings.

Chairman Johnson, Chairman Herger, and Members of the
Subcommittees, this completes our prepared statement. We would be
pleased to respond to any questions you may have at this time.

If you or your staff have any questions about this testimony, please
contact me at (202) 512-7114 or kingk@gao.gov, or Daniel Bertoni at
(202) 512-7215 or bertonid@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this statement. GAO staff who made key contributions to this testimony
are listed in appendix I.

Page 7                           GAO-12-949T Removal of SSNs from Medicare Cards
Appendix I: GAO Contacts and Staff
                  Appendix I: GAO Contacts and Staff


                  Kathleen King, (202) 512-7114 or kingk@gao.gov, or Daniel Bertoni,
GAO Contacts      (202) 512-7215 or bertonid@gao.gov.

                  In addition to the contacts named above, the following individuals made
Staff             key contributions to this statement: Lori Rectanus, Assistant Director;
Acknowledgments   Thomas Walke, Assistant Director; David Barish; Carrie Davidson;
                  Drew Long, and Andrea E. Richardson.

                  Page 8                               GAO-12-949T Removal of SSNs from Medicare Cards
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548

                        Please Print on Recycled Paper.