Medicare Information Technology:

Centers for Medicare and Medicaid Services Needs to Pursue a Solution for Removing Social Security Numbers from Cards

GAO-13-761: Published: Sep 10, 2013. Publicly Released: Oct 17, 2013.

Additional Materials:

Contact:

Valerie C. Melvin
(202) 512-6304
melvinv@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Centers for Medicare and Medicaid Services (CMS)--which is the agency within the Department of Health and Human Services (HHS) responsible for administering Medicare--has not taken needed steps, such as designating a business owner and establishing a business case for an information technology (IT) project, that would result in selecting and implementing a technical solution for removing Social Security numbers (SSN) from Medicare cards. However, the agency has collected information and data as part of its most recent study of SSN removal that could contribute to the identification and development of an IT solution. These include information relevant to examining alternative approaches, identifying costs and risks, and assessing the impact of different approaches on the agency's existing IT systems. For example, the agency identified two approaches for removing the SSN: (1) replacing it with a new identifier, referred to as the Medicare Beneficiary Identifier, and (2) masking the first five digits of the SSN for display on Medicare cards. CMS system and business owners also conducted high-level assessments of the types of changes that would need to be made to systems identified in the agency's IT inventory. For example, system owners estimated the level of complexity of the changes, the number of hours of work at each life-cycle phase, business and technical risks, and the potential to leverage related efforts. CMS noted in its most recent study that replacing the SSN with a new identifier could reduce the risk of identity theft from a lost or stolen card, and actions taken thus far could inform a future IT project to address SSN removal. However, according to CMS officials, agency leadership has not directed them to initiate such a project. Until such a project is undertaken, the agency will not be positioned to identify or implement a solution to support the removal of SSNs from beneficiaries' cards.

CMS has efforts under way to modernize its IT systems, some of which could be leveraged to facilitate the removal of SSNs from Medicare cards. Specifically, one of CMS's high-level modernization goals is to establish an architecture to support "shared services"--IT functions that can be used by multiple organizations and facilitate data sharing. According to agency officials, a service established to automate and manage certain aspects of CMS programs could be used to support a "crosswalk" function that would translate the existing claims number to the new beneficiary identifier (and vice versa). This would enable internal systems to receive information containing the new identifier and continue to process data based on the existing number. Another project was intended to consolidate eligibility determination services from four systems, which could reduce the extent of modifications that would have to be made to each of the systems. However, because the agency has not initiated a project for removing SSNs from identification cards, officials have not considered including shared services or other IT initiatives in their modernization activities and related plans to specifically support changes needed as a result of SSN removal. As a result, CMS may miss opportunities to incorporate such a project into ongoing agencywide modernization initiatives that could facilitate efforts to design, develop, and implement an IT solution for SSN removal in a timely and cost-effective manner.

Why GAO Did This Study

The health insurance claims number on Medicare beneficiaries' cards includes as one component the beneficiary's (or other eligible person's, such as a spouse's) SSN. This introduces risks to beneficiaries' personal information, as the number may be obtained and used to commit identity theft. Many organizations have replaced SSNs on these types of cards with alternative identifiers. However, the introduction of such a new data element into IT environments can require changes to systems that process and share data. Moreover, previous assessments of CMS's IT environment have found that it consists of many aging, "stove-piped" systems that cannot easily share data or be enhanced; thus the agency has ongoing efforts to modernize its environment.

As requested, GAO studied CMS's efforts related to the removal of SSNs from Medicare cards. GAO's objectives were to (1) assess actions CMS has taken to identify and implement IT solutions for removing SSNs from Medicare cards and (2) determine whether CMS's ongoing IT modernization initiatives could facilitate SSN removal efforts. To do this, GAO reviewed agency documentation and interviewed officials.

What GAO Recommends

GAO recommends that CMS initiate an IT project to develop a solution for SSN removal and incorporate such a project into plans for ongoing IT modernization initiatives. HHS agreed with GAO's recommendations, if certain constraints were addressed. However, GAO maintains that its recommendations are warranted as originally stated.

For more information, contact Valerie C. Melvin at (202) 512-6304 or melvinv@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: In commenting on the report, the Department of Health and Human Services agreed with our recommendations and, in accordance with the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (PL 114-10) Section 501, CMS is leading the SSN removal initiative in partnership with the Social Security Administration and The Railroad Retirement Board. According to CMS officials, the agency is in the process of establishing a program management organization to conduct the planning, execution, and completion of the initiative. As part of the initiative, CMS has issued a task order to a contractor who is to support planning efforts, including the initiation of an IT project. In July 2015 CMS officials stated that planning would take place from June 2015 through January 2016; however, the agency had not yet initiated the IT project for making the systems changes that would need to be made to support the removal of the SSN from Medicare cards. Until it does so, CMS will not be positioned to implement an IT solution that addresses the removal of SSNs from Medicare cards. Thus, this recommendation remains open.

    Recommendation: To better position the agency to efficiently and cost-effectively identify, design, develop, and implement an IT solution that addresses the removal of SSNs from Medicare beneficiaries' health insurance cards, the Administrator of CMS should direct the initiation of an IT project for identifying, developing, and implementing changes that would have to be made to CMS's affected systems, including designating a business owner and establishing a business case, issuing a project charter, and conducting project selection and architectural reviews of proposed approaches for the removal of SSNs from Medicare beneficiaries' cards.

    Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services

  2. Status: Open

    Comments: In commenting on the report, the Department of Health and Human Services agreed with our recommendations. This recommendation remains open pending CMS's initiation of an IT initiative to support the overall SSN removal project, and incorporation of the project into the agency's enterprisewide IT modernization initiatives. Until CMS takes these steps, the agency will not be positioned to implement an IT solution that addresses the removal of SSNs from Medicare beneficiaries' card.

    Recommendation: To better position the agency to efficiently and cost-effectively identify, design, develop, and implement an IT solution that addresses the removal of SSNs from Medicare beneficiaries' health insurance cards, the Administrator of CMS should incorporate such a project into plans for ongoing enterprisewide IT modernization initiatives.

    Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services

 

Explore the full database of GAO's Open Recommendations »

Jun 23, 2016

Jun 20, 2016

Jun 15, 2016

Jun 9, 2016

Jun 7, 2016

Jun 3, 2016

Jun 1, 2016

May 24, 2016

May 13, 2016

Looking for more? Browse all our products here