Medicare Information Technology: Centers for Medicare and Medicaid Services Needs to Pursue a Solution for Removing Social Security Numbers from Cards

GAO-13-761 Published: Sep 10, 2013. Publicly Released: Oct 17, 2013.

Highlights

What GAO Found

The Centers for Medicare and Medicaid Services (CMS)--which is the agency within the Department of Health and Human Services (HHS) responsible for administering Medicare--has not taken needed steps, such as designating a business owner and establishing a business case for an information technology (IT) project, that would result in selecting and implementing a technical solution for removing Social Security numbers (SSN) from Medicare cards. However, the agency has collected information and data as part of its most recent study of SSN removal that could contribute to the identification and development of an IT solution. These include information relevant to examining alternative approaches, identifying costs and risks, and assessing the impact of different approaches on the agency's existing IT systems. For example, the agency identified two approaches for removing the SSN: (1) replacing it with a new identifier, referred to as the Medicare Beneficiary Identifier, and (2) masking the first five digits of the SSN for display on Medicare cards. CMS system and business owners also conducted high-level assessments of the types of changes that would need to be made to systems identified in the agency's IT inventory. For example, system owners estimated the level of complexity of the changes, the number of hours of work at each life-cycle phase, business and technical risks, and the potential to leverage related efforts. CMS noted in its most recent study that replacing the SSN with a new identifier could reduce the risk of identity theft from a lost or stolen card, and actions taken thus far could inform a future IT project to address SSN removal. However, according to CMS officials, agency leadership has not directed them to initiate such a project. Until such a project is undertaken, the agency will not be positioned to identify or implement a solution to support the removal of SSNs from beneficiaries' cards.

CMS has efforts under way to modernize its IT systems, some of which could be leveraged to facilitate the removal of SSNs from Medicare cards. Specifically, one of CMS's high-level modernization goals is to establish an architecture to support "shared services"--IT functions that can be used by multiple organizations and facilitate data sharing. According to agency officials, a service established to automate and manage certain aspects of CMS programs could be used to support a "crosswalk" function that would translate the existing claims number to the new beneficiary identifier (and vice versa). This would enable internal systems to receive information containing the new identifier and continue to process data based on the existing number. Another project was intended to consolidate eligibility determination services from four systems, which could reduce the extent of modifications that would have to be made to each of the systems. However, because the agency has not initiated a project for removing SSNs from identification cards, officials have not considered including shared services or other IT initiatives in their modernization activities and related plans to specifically support changes needed as a result of SSN removal. As a result, CMS may miss opportunities to incorporate such a project into ongoing agencywide modernization initiatives that could facilitate efforts to design, develop, and implement an IT solution for SSN removal in a timely and cost-effective manner.

Why GAO Did This Study

The health insurance claims number on Medicare beneficiaries' cards includes as one component the beneficiary's (or other eligible person's, such as a spouse's) SSN. This introduces risks to beneficiaries' personal information, as the number may be obtained and used to commit identity theft. Many organizations have replaced SSNs on these types of cards with alternative identifiers. However, the introduction of such a new data element into IT environments can require changes to systems that process and share data. Moreover, previous assessments of CMS's IT environment have found that it consists of many aging, "stove-piped" systems that cannot easily share data or be enhanced; thus the agency has ongoing efforts to modernize its environment.

As requested, GAO studied CMS's efforts related to the removal of SSNs from Medicare cards. GAO's objectives were to (1) assess actions CMS has taken to identify and implement IT solutions for removing SSNs from Medicare cards and (2) determine whether CMS's ongoing IT modernization initiatives could facilitate SSN removal efforts. To do this, GAO reviewed agency documentation and interviewed officials.

Recommendations

GAO recommends that CMS initiate an IT project to develop a solution for SSN removal and incorporate such a project into plans for ongoing IT modernization initiatives. HHS agreed with GAO's recommendations, if certain constraints were addressed. However, GAO maintains that its recommendations are warranted as originally stated.

Recommendations for Executive Action

Agency Affected: Centers for Medicare & Medicaid Services (Priority Rec.)
Recommendation: To better position the agency to efficiently and cost-effectively identify, design, develop, and implement an IT solution that addresses the removal of SSNs from Medicare beneficiaries' health insurance cards, the Administrator of CMS should direct the initiation of an IT project for identifying, developing, and implementing changes that would have to be made to CMS's affected systems, including designating a business owner and establishing a business case, issuing a project charter, and conducting project selection and architectural reviews of proposed approaches for the removal of SSNs from Medicare beneficiaries' cards.
Status: Closed – Implemented
In commenting on the report, the Department of Health and Human Services agreed with our recommendation. Further, in accordance with the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (PL 114-10) Section 501, the Centers for Medicare and Medicaid Services (CMS) initiated an IT project to remove Social Security numbers (SSN) from Medicare cards in March 2016. CMS's Social Security Number Removal Initiative (SSNRI) Program Management Plan includes a charter for the IT project that identifies goals and objectives, governance and ownership, and key stakeholders, such as the Social Security Administration and the Railroad Retirement Board. Project planning documents also identify an Integrated Project Team that is to be responsible for, among other things, collaborating with other business owners throughout the agency to identify systems that need to be changed; defining requirements for making the changes; and selecting a systems integrator to conduct and implement the IT project for replacing the SSNs with a Medicare Beneficiary Identifier (MBI)--a randomly generated identifier that will not include an SSN or any personally identifiable information. The agency's plans also identify actions intended to ensure that the approach for making the needed system changes is in compliance with CMS's enterprise architecture standards. The plans call for needed systems changes to be made beginning in April 2016 and for testing to be completed in August 2016. The new MBI is to be used in information exchanges between beneficiaries', providers', and external partners' systems. CMS has indicated that it plans to issue new cards with an MBI to approximately 60 million Medicare beneficiaries starting in early 2018.
Agency Affected: Centers for Medicare & Medicaid Services (Priority Rec.)
Recommendation: To better position the agency to efficiently and cost-effectively identify, design, develop, and implement an IT solution that addresses the removal of SSNs from Medicare beneficiaries' health insurance cards, the Administrator of CMS should incorporate such a project into plans for ongoing enterprisewide IT modernization initiatives.
Status: Closed – Implemented
In August 2016, the Centers for Medicare and Medicaid Services (CMS) developed plans for its Social Security Number Removal Initiative (SSNRI) to guide the development of IT solutions for removing Social Security numbers (SSN) from Medicare cards. These plans include changing the identification number from the SSN to a new Medicare Beneficiary Identifier that does not include the SSN or any portion of the number. Such actions are intended to help ensure beneficiaries' privacy by protecting the security of their SSN from identity theft and, thus, better protect personal health information that is stored and maintained by CMS and providers throughout the country. We recommended that the agency include such a project as part of its enterprise-wide information technology (IT) modernization initiative. Further, in conducting the SSNRI project, CMS implemented technical capabilities resulting from the enterprise-wide modernization initiative that were intended to support improvements to multiple IT projects throughout the agency, including changes to systems that were needed to process a new beneficiary identifier. For example, a technical capability implemented through a shared service provided a common technique to translate SSNs into the Medicare Beneficiary Identifier, eliminating the need to duplicate the development of the translator in multiple systems, and a subsequent need to conduct duplicative maintenance activities when any changes might be needed. Because outcomes of CMS's modernization initiative provided capabilities that proved to be beneficial for developing solutions to replace the SSN on Medicare beneficiaries' cards, CMS successfully incorporated the SSNRI project into its enterprise-wide modernization initiative. 
Thus, the agency is better-positioned to more efficiently and cost-effectively make the needed changes to its systems that process Medicare data, and to help protect and secure the personal health information of millions of Medicare beneficiaries.

GAO Contacts

Valerie C. Melvin
Managing Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Beneficiaries
Claims processing
Claims settlement
Computer security
Eligibility determinations
Health care programs
Health insurance
Identification cards
Identity theft
Information technology
Medicaid
Medicare