GAO to CMS: Remove SSNs from insurance cards to minimize security risks
Big Risk - 53.16 Kb
More than 48 million Medicare beneficiaries’ insurance cards show their Social Security numbers (SSNs). To reduce the risk of identity theft, the Government Accountability Office (GAO) recommended that the Centers for Medicare & Medicaid Services (CMS) develop an approach and cost estimate for removing them from Medicare cards.

Medicare beneficiaries are issued cards with visible health insurance claims numbers (HICN) constructed using the nine-digit SSN of the wage earner whose work history qualifies an individual for Medicare. These numbers are used by beneficiaries, providers and health plan administrators to access claims information, verify coverage and pay providers for services rendered.

While the functional importance of HICNs is undeniable, the GAO believes unique identifiers separate from SSNs are required to protect beneficiaries from identity theft, according to an Aug. 1 report.

A 2011 report prepared by CMS for Congress proposed three options for removing SSNs from insurance cards and estimated that each of the three options would cost at least $800 million. One option would truncate SSNs and the other two would replace SSNs with a new identifiers.

Based on the CMS report and its interviews with representatives of other federal agencies that have removed SSNs from forms of identification, the GAO recommended that CMS replace the SSN with a new identifier for use by both beneficiaries and providers, and develop an accurate cost estimate for this project.

“Beneficiaries’ vulnerability to identity theft would be reduced because the card would no longer display the SSN and providers would not need the SSN to provide services or submit claims, negating the need for providers to store the SSN,” the report read.

Federal agencies, including the Department of Defense and the Department of Veterans Affairs, and many private insurers have already taken steps to remove SSNs from identification cards to protect their users’ identities. CMS has concurred with the contents of the GAO report.