GAO Weighs Benefits of Smart CardsReport Outlines Medicare Options to Paper Cards
Now that Congress has finally allotted funding to remove Social Security numbers from paper Medicare beneficiary cards in an effort to fight fraud, a government watchdog agency has laid out pros and cons for Medicare to adopt electronically readable cards, such as smart cards, instead.
A 55-page report issued to Congress by the Government Accountability Office outlines three key purposes for Medicare to use electronically readable cards as part of its anti-fraud efforts. Those include cards with magnetic stripes or barcodes, and smart cards containing microprocessor chips.
The three potential uses of the cards that GAO examined include:
- Authenticating Medicare beneficiary and healthcare provider presence at the point of care;
- Electronically exchanging beneficiary medical information;
- Electronically conveying beneficiary identity and insurance information to providers.
Earlier this month, President Obama signed a bill that provides $320 million in funding to remove Social Security numbers from Medicare beneficiary ID cards within the next four years in an effort to fight identity theft and fraud. GAO had been recommending for several years that Medicare remove Social Security numbers from beneficiary ID cards (see SSNs To Disappear From Medicare Cards).
The new GAO report notes that its analysis of smart cards focused on cards with microprocessor chips that are capable of processing data because some federal agencies currently use them for authentication. "There are 'memory-only' smart cards with memory chips that can store data, but do not contain microprocessor chips to process data," GAO notes. "Cards with magnetic stripes, such as credit cards, store information on the stripe, which can be read by swiping the card through a card reader. Cards with bar codes contain an electronically readable representation of data - printed and variously patterned bars and spaces - that can be scanned and read," GAO explains.
"Based on our analysis of the capability of the three types of cards, we found that while all of the cards could be used for authentication, storing and exchanging medical information, and conveying beneficiary information, the ability of smart cards to process data enables them to provide higher levels of authentication and better secure information than cards with magnetic stripes and bar codes," the GAO says.
The agency says it didn't consider examining non-card-based technologies, such as cell phone or other forms of identity tokens, because those were outside the scope of this particular review.
Security expert Mac McMillan, CEO of consulting firm CynergisTek, says the technologies could, if implemented and used properly, help to identify patients more accurately and avoid fraud. "Smart cards with an embedded chip that acts a processor offer the most benefits and make counterfeiting more difficult," he says. "Combining the card with a pin increases the level of assurance by making it harder for lost or stolen cards to be used easily."
Medicare covered approximately 54 million beneficiaries in fiscal year 2014 at an estimated cost of $603 billion, the report notes. "Although there is no reliable measure of the extent of fraud in the Medicare program, for over two decades we have documented ways in which fraud contributes to Medicare's fiscal problems."
As of May 2014, the Department of Health and Human Services was aware of 284,000 Medicare beneficiary numbers that had been compromised and potentially used to submit fraudulent claims, GAO notes. Among other main types of Medicare fraud cited by GAO are: billing for services not rendered; fraudulent or abusive billing practices and kickbacks.
The Centers for Medicare and Medicaid Services currently relies on healthcare providers to authenticate the identities of Medicare beneficiaries to whom they are providing care, but "the agency does not have a way to verify whether beneficiaries and providers were actually present at the point of care when processing claims," the report notes.
Three Key Uses
While electronically readable cards could be implemented by Medicare for a number of different purposes, GAO spotlights three proposed uses as they relate to fighting fraud:
- Authenticating beneficiary and provider presence at the point of care - Beneficiary and provider cards could be used for authentication to potentially help limit certain types of Medicare fraud, as CMS could use records of the cards being swiped to verify that they were present at the point of care.
- Electronically exchanging beneficiary medical information - Beneficiary cards could be used to store and exchange medical information, such as electronic health records, beneficiary medical conditions, and emergency care information, such as allergies. In addition, provider ID cards could also be used as a means to authenticate providers accessing EHR systems that store and electronically exchange beneficiary health information.
- Electronically conveying beneficiary identity and insurance information to providers - Beneficiary cards could be used to auto-populate beneficiary information, such as identity and insurance data, into provider IT systems and to automatically retrieve existing beneficiary records from provider IT systems. The primary purpose of this potential use would be to improve provider record keeping by allowing providers the option to capture beneficiary information electronically.
Pros and Cons
GAO says its analysis found that smart cards "could provide substantially more rigorous authentication of the identities of Medicare beneficiaries and providers than magnetic stripe or bar code cards."
Although all three types of electronically readable cards could be used for authentication, smart cards provide a higher level of assurance in their authenticity because they are difficult to counterfeit or copy, the report says. "Magnetic stripe and bar code cards, on the other hand, are easily counterfeited or copied."
All three types of cards could be used in conjunction with various authentication factors, such as a PIN or biometric information, to achieve a higher level of authentication, the report notes. However, only smart cards are capable of performing on-card verification of other authentication factors.
And while electronically readable beneficiary identity cards can potentially bolster Medicare anti-fraud efforts, there are various drawbacks depending on how the cards are used, GAO says.
For instance, because data storage on smart cards is limited, it's unlikely that the cards would be able to store all of a beneficiary's medical records or medical records of a larger file size, such as medical images that could be used for transmittal to insurers or for health data exchange. Also, GAO notes that there are no current plans under the HITECH financial incentive program for EHRs to include the use of electronically readable cards to store or exchange medical information.
Other hurdles in Medicare embracing these cards for fraud-fighting purposes include CMS and healthcare providers facing technical and cost challenges implementing the ID card technology.
"The biggest hurdle by far is the cost and updating of systems that the government and providers would have to incur to enable these cards to be used at the 'point of sale,' meaning when the patient has the encounter with their caregiver," McMillan notes. "The cost of the cards is an issue with respect to initial implementation and replacements," he says. For instance, "who bears the cost for a lost card? What happens to the patient who has lost their card and needs care?"
Despite these questions, "once implemented, this technology generally enhances the engagement process - meaning less difficulty, less chance of user error, etc," he says.
Ultimately, a decision about whether to implement an electronically readable card will depend upon a comparison of the costs and benefits of electronically readable cards versus the current paper card or other strategies and solutions, GAO concludes. "The success of any electronically readable card system will also depend on participation from health care providers, and therefore any planned use will need to take provider costs and potential challenges into consideration."
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group says, "as with replacing bank credit/debit cards, there is cost to replacing infrastructure and cards. But I think we need to bite the bullet and do it."
A CMS spokesman declined to comment on the GAO's report, saying "official guidance is forthcoming" from the agency about potential plans related to new Medicare ID cards.