What GAO Found

In its November 2011 report, CMS presented three options for removing SSNs from Medicare cards. One option would truncate the SSN so that only the last four digits would appear on the card. However, the full SSN would continue to be used by both beneficiaries and providers for all Medicare business transactions. The other two options would replace the display of the SSN on the Medicare card with a newly developed identifier that CMS calls the Medicare Beneficiary Identifier (MBI). In one of these options, this new identifier would be used by the beneficiary in their interactions with CMS; however, the provider would continue to use the SSN to interact with CMS. In the other, both the beneficiary and provider would use the new identifier printed on the Medicare card and the SSN would be entirely excluded from the transaction. CMS, SSA, and RRB reported that all three options would generally require similar efforts, including coordinating with stakeholders; converting information-technology (IT) systems; conducting provider and beneficiary outreach and education; conducting training of business partners; and issuing new cards. While the level and type of modifications required to IT systems would vary under each option, the one involving use of a new identifier by both beneficiaries and providers would require somewhat more-extensive IT modifications. However, CMS has not committed to implementing any of the three options presented in its report. Nor did CMS consider other options in its 2011 report, such as how machine-readable technologies, including bar codes, magnetic stripes, or smart chips, could assist in the effort to remove SSNs from Medicare cards. CMS officials told us that they limited their options to those retaining the basic format of the current paper card, and did not consider options that they believed were outside the scope of the congressional request.

Of the three options presented in CMSs 2011 report, we found that replacing the SSN with a new identifier for use by beneficiaries and providers offers beneficiaries the greatest protection against identity theft. Under this option, beneficiaries risk of identity theft would be reduced in the event that their card was lost or stolen because the SSN would no longer be printed on the card. In addition, because providers would not need the SSN to interact with CMS, they would not be required to collect or maintain this information, reducing the beneficiaries vulnerability in the event of a provider data breach. In addition, this option presents fewer burdens for beneficiaries and providers relative to the others. Under this option, the new identifier would be printed on the card, and beneficiaries would use this identifier when interacting with CMS, eliminating the need for them to memorize their SSN or store it elsewhere as they might do under the other options. This option may also present fewer burdens for providers because they would not have to query a CMS database or call CMS to obtain a beneficiarys information to submit claims as they would with the other two options.

Why GAO Did This Study

This testimony discusses our review of the options presented by the Department of Health and Human Services (HHS) and its agency, the Centers for Medicare & Medicaid Services (CMS), for removing Social Security numbers (SSN) from Medicare cards and the agencys cost estimates for these options.

More than 48 million Medicare cards display an SSN as part of the health insurance claim number (HICN). The HICN plays an essential role in the administration of the Medicare program and is used by CMS to interact with beneficiaries and providers, and by other agencies that play a role in determining an individuals eligibility for Medicare. However, thieves can steal the information from Medicare cards to commit various acts of identity theft, such as opening fraudulent bank or credit card accounts or receiving medical services in a beneficiarys name. In 2010, 7 percent of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced identity theft, according to U.S. Department of Justice figures. The estimated financial cost of identity theft during that year was approximately $13.3 billion. Theft of this information can also result from a data breachthe unauthorized disclosure of a beneficiarys personally identifiable information. Between September 2009 and March 2012, the HHS Office for Civil Rights identified over 400 reports of provider data breaches involving protected health information that each affected more than 500 individuals.

The importance of enhancing security protections for the display and use of SSNs has resulted in multiple actions by federal and state governments and the private sector. For example, the Social Security Administration (SSA) has advised for years that individuals not carry their Social Security card with them. In 2007, the Office of Management and Budget issued a directive to all federal agencies to develop a plan for reducing the unnecessary use of SSNs and exploring alternatives to their use. Many federal agencies, including the Departments of Defense (DOD) and Veterans Affairs (VA), have taken significant steps to remove SSNs from their health insurance and identification cards. In the private sector, health insurers have also removed SSNs from their insurance cards in an effort to comply with state laws and protect beneficiaries from identity theft. In 2004, we reported that CMS determined it would be cost-prohibitive to remove the SSN from the Medicare card. Subsequently, CMS issued a report to Congress in 2006 describing an option for removing the SSN and estimated it would cost over $300 million to do so.

Our remarks are based on our report released today, which describes the various options for removing the SSN from the Medicare card and examines the potential benefits, burdens, and CMSs cost estimates associated with the various options.

For more information, contact Kathleen M. King at (202) 512-7114 or kingk@gao.gov, or Daniel Bertoni at (202) 512-7215 or bertonid@gao.gov.