SSNs to Disappear from Medicare CardsObama Signs Bill Providing Funding for Anti-Fraud Move
President Obama has signed a bill that provides $320 million in funding to remove Social Security numbers from Medicare beneficiary ID cards within the next four years in an effort to fight identity theft and fraud.
See Also: Threat Intelligence - Hype or Hope?
The law calling for removal of Social Security numbers from Medicare beneficiary cards comes after several years of recommendations for such a move by government watchdog agencies, including the Government Accountability Office. GAO has repeatedly issued reports in recent years recommending eliminating Social Security numbers from Medicare cards to help protect individuals from falling victim to ID theft and fraud, ranging from healthcare-related fraud to thieves opening credit card accounts using those IDs.
In a 2013 report, the GAO noted that it had made multiple recommendations to HHS' Centers for Medicare and Medicaid Services to remove the numbers from beneficiaries' Medicare cards to help prevent identity theft. "HHS agreed with these recommendations, but reported that CMS could not proceed with the changes for a variety of reasons, including funding limitations, and therefore has not taken action," the report noted (see GAO: Medicare ID Cards Are a Fraud Risk)
The 95-page Medicare Access and CHIP Reauthorization Act of 2015 (H.R. 2), a broad measure that repeals the controversial Medicare sustainable growth rate for paying physicians that was signed by Obama on April 16, includes a provision prohibiting the inclusion of Social Security numbers on Medicare cards.
The bill instructs the secretary of Health and Human Services, in consultation with the commissioner of Social Security, to "establish cost-effective procedures to ensure that Social Security numbers, or derivatives, are not displayed, coded or embedded in Medicare cards issued to individuals entitled to [Medicare] benefits."
Privacy and security experts say the bill is a big step in the right direction to fight fraud.
"The removal of Social Security numbers from Medicare cards is long overdue and much needed," says privacy attorney Adam Greene, partner at law firm Davis Wright Tremaine. "It is an important step in getting Social Security numbers out of the healthcare industry. The use of Social Security numbers by Medicare currently causes too high a risk of identity theft because too many people in health care need access to Social Security numbers to do their jobs, leading to too many opportunities to misuse the information."
Making the Change
The provision, which falls under a section, "Protecting the Integrity of Medicare," calls for the change in the cards to be made no later than four years after the bill was enacted. It also recommends that HHS consider implementing the change through a process, similar to one used for Railroad Retirement Board beneficiaries, "under which a Medicare beneficiary identifier which is not a Social Security account number - or derivative thereof - is used external to HHS and is convertible over to a Social Security account number - or derivative - for use internal to HHS and the Social Security Administration."
The funding for the project, spread out from fiscal 2015 through 2018, comes from other federal sources, including the Federal Hospital Insurance Trust Fund and the Federal Supplementary Medical Insurance Trust Fund.
Security expert Mac McMillan, CEO of consulting firm CynergisTek, says time will tell whether the $320 million allocated for the project will be sufficient to cover the cost.
"Hopefully, those that put the request together considered their costs, but it would not be the first time a government program was either underfunded because it wasn't truly understood what it would cost or the money allocated initially was a compromise to get the program off the ground," he says.
"The important thing is it is a 'funded' program. With approximately 50 million people covered by Medicare, that number may or may not be enough, but it's a start. Obviously things that will affect this are costs of operating the program, the technology used with the new cards and the cards themselves, issuing the new cards and mailing costs associated with getting them in the hands of the people who need them, etc."
The bill's provision to remove Social Security numbers from Medicare cards originated in a separate bipartisan Medicare ID theft prevention bill introduced by Rep. Lloyd Doggett, D-Texas and Rep. Sam Johnson, R-Texas, that was approved by the House on March 26.
In a statement to Information Security Media Group, Doggett said, "Legislation to protect seniors from identity theft, for which I originally obtained House approval in 2008, has finally been signed into law. Millions of Americans carry in their wallet or purse something that makes them more vulnerable to identity theft - their Medicare card. No longer will carrying a Medicare card needlessly put seniors' life savings and credit at risk. With identity thieves becoming increasingly sophisticated, a little prevention can save a lot of heartache."
In addition to the removal of Social Security numbers from Medicare cards, the bill signed by Obama also contains a provision instructing HHS to improve incentives of an existing Medicare fraud whistleblower program under HIPAA.
The new law says the secretary of HHS "shall develop a plan to revise the incentive program under HIPAA to encourage greater participation by individuals to report fraud and abuse in the Medicare program." The plan must include recommendations for ways to enhance rewards for individuals reporting fraud under the incentive program, including rewards based on information that leads to an administrative action. It also calls for extending the incentive program to the Medicaid program.
The provision also calls for HHS to develop a public awareness and education campaign to encourage participation in the revised incentive program for reporting fraud.
"Fraud is a huge issue in healthcare, and, in particular, in Medicare, that hurts the program, hurts the industry, hurts individuals and hurts the American taxpayer. So if this provision incents more reporting that results in less fraud, then it's a good thing," McMillan notes. "Healthcare in America amounts to almost $2.7 trillion dollars, and it has been estimated that fraud costs could be as high as one tenth of that, or $270 billion. It's a big problem that needs all the help it can get."
McMillan says healthcare organizations should encourage patients to review their bills with their caregiver and not just blindly pay them. "We need people to report things that are suspicious," he says.