ICFE eNEWS #17-27 - July 10th 2017
CMS Enters the 21st Century - Medicare Cards
Will No Longer Show Social Security Numbers - In A Year or Two
By Yan Ross, Director of Special Projects,
As we enter the second half of 2017, picture this time line:
1936 - The Social Security Administration begins assigning account
numbers to workers, subsequently issuing cards which from time to
time carry the restrictive use legend "For Social Security
Purposes -- Not for Identification." This number is still used
as an authenticator by many organizations, for a broad variety of
applications; notably, there is no federal prohibition against using
the SSN by private parties for legitimate purposes.
- Medicare requires enrollment for those 65 and older, and begins
issuing identification cards to participants, piggy-backing on Social
Security numbers with cards that do not carry the restrictive use
legend. Typically, the participant's Social Security Number is followed
by a single alpha letter, such as "A" or "B."
Late 20th Century - Identity theft becomes a mainstream criminal
activity, with identity thieves using data elements such as Social
Security numbers in perpetrating their crimes. Both identity theft
risk management professionals and privacy advocates begin campaigning
for the separation of Social Security Numbers and Medicare Account
Numbers. By 2015, official figures indicate some 2.5 million seniors
become victims of identity theft each year, although in fairness,
these incidents cannot all be traced directly to abuse of Medicare
2015 - The Medicare Access and CHIP Reauthorization
Act (MACRA) is enacted, and requires, among other provisions, the
Centers for Medicare and Medicaid Services (CMS) to remove Social
Security numbers from all Medicare cards by April 2019.
- CMS announces the transition to new Medicare cards which will
replace the beneficiary's Social Security number with a randomly-assigned
and unique identifying number. At the time of this writing, CMS
expects to start mailing out the new cards in April 2018, and to
comply fully with the MACRA requirement by the 2019 deadline. During
the transition period, participants and health services providers
will be able to use either the new Medicare beneficiary identifier
number or the Social Security-based health insurance claim number.
From the perspective of identity theft risk management, separating
these two identifiers is certainly a positive development. However,
during the transition and beyond, various challenges will persist.
Among them are both legacy vulnerabilities and new applications
of law and regulation of the health services sector.
among the legacy issues is the protection and ultimate disposition
of existing patient files. Both new patient forms and periodic updates
of patient information held by medical service providers usually
include the patient's Social Security number. While this practice
is generally believed not to be a legal requirement for accepting
a patient for services, the appearance of a blank space on the forms
for the Social Security number does tend to result in the patient
filling it in. The transition to use of the new Medicare Patient
number will likely not result in the expungement of the Social Security
number, at least for some extended period of time.
forward, the aging population indicates that this capture and storage
of both numbers will go on for a long while. Statistically, some
10,000 Americans reach the age of 65 each day, nearly all of them
becoming Medicare participants. That means there will be about 10,000
patients whose patient files will be updated and presumably still,
based on historical precedent and completeness of such files, include
Social Security numbers. This choice must be made in a mindful manner,
especially to assure continuity if the decision is made to expunge
al Social Security number references from the patient file when
the Medicare number is added.
Of course, it is within the
responsibilities of CMS to deal with this transition on a practicable
and cost-effective basis. Coordination with HIPAA and HITECH requirements
will be necessary, especially since these rules apply to both Medicare
and non-Medicare patients. It seems appropriate to expect CMS to
promulgate regulations and provide guidance on how best to complete
the separation of Social Security and Medicare identifiers.
This brief article does not attempt to cover all of the issues
involved in the transition, or the likely application of the Law
of Unintended Consequences. But it's a certainty that the ultimate
success of this initiative will depend on including an effective
response to the broad array of challenges common to the practice
of identity theft risk management.
For more a more detailed
history of the Social Security Number and Card, read "The
Story of the Social Security Number"
Ross is ICFE's Director of Special Projects, and the author of the
Certified Identity Theft Risk Management Specialist ® XV CITRMS®
course. As an accredited educator for over 20 years, he has addressed
Identity Theft Risk Assessment and management for consumers, organizations
holding personally identifiable information, and professionals who
work with individuals and organizations who are at risk of falling
victim to identity thieves.
The ICFE's Certified Identity
Theft Risk Management Specialist ® XV CITRMS® course is now available
both in printed format and online.
The Textbook and Desk
Reference edition of the course book is also available online. Bulk
pricing and discounts for veterans and students available. Inquire