This is the accessible text file for GAO report number GAO-12-831 entitled 'Medicare: CMS Needs an Approach and a Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards' which was released on August 1, 2012.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to Congressional Requesters:

August 2012:

Medicare:

CMS Needs an Approach and a Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards:

GAO-12-831:

GAO Highlights:

Highlights of GAO-12-831, a report to congressional requesters.

Why GAO Did This Study:

More than 48 million Medicare cards display the SSN, which increases Medicare beneficiaries’ vulnerability to identity theft. GAO was asked to review the options and associated costs for removing SSNs from the Medicare card.
This report (1) describes the various options for removing the SSN from Medicare cards; (2) examines the potential benefits and burdens associated with different options; and (3) examines CMS’s cost estimates for removing SSNs from Medicare cards. To do this work, GAO reviewed CMS’s report, cost estimates, and relevant supporting documentation. GAO also interviewed officials from CMS and other agencies that perform Medicare related activities (the Social Security Administration and Railroad Retirement Board), as well as officials from DOD and VA, which have undertaken SSN removal efforts. GAO also interviewed private health insurance companies and relevant stakeholder groups.

What GAO Found:

The Centers for Medicare & Medicaid Services’ (CMS) 2011 report to Congress proposed three options for removing Social Security numbers (SSN) from Medicare cards. One option would truncate the SSN displayed on the card, but beneficiaries and providers would continue to rely on the SSN. The other two options would replace the SSN with a new identifier that would be displayed on the card and either be used only by beneficiaries, or by both beneficiaries and those who provide Medicare services. CMS, however, has not selected or committed to implementing any of these options. The Departments of Defense (DOD) and Veterans Affairs (VA), and private insurers have already removed or taken steps to remove SSNs from display on their identification or health insurance cards.

CMS’s option to replace the SSN with a new identifier for use by both beneficiaries and providers offers the greatest protection against identity theft. Beneficiaries’ vulnerability to identity theft would be reduced because the card would no longer display the SSN and providers would not need the SSN to provide services or submit claims (negating the need for providers to store the SSN). This option would also pose fewer burdens than the other two options because beneficiaries would not have to remember an SSN to receive services or to interact with CMS. Providers also would not need to conduct additional activities, such as querying a CMS database, to obtain the SSN. The burdens for CMS would generally be similar across all the options, but CMS reported that this option would require more information technology (IT) system modifications.

Figure: Risk of Identity Theft with Medicare Card under CMS’s Three Proposed Options:

[Refer to PDF for image: illustrated table]

New Identifier (Beneficiary and Provider Use):
Beneficiary carries card to access medical services: SSN fully protected;
Beneficiary presents card to provider at time of service: SSN fully protected;
Provider stores beneficiary's identifier and uses it for claims: SSN fully protected.

New Identifier (Beneficiary Use Only):
Beneficiary carries card to access medical services: SSN fully protected;
Beneficiary presents card to provider at time of service: SSN fully protected;
Provider stores beneficiary's identifier and uses it for claims: SSN vulnerable to identity theft.

Truncated SSN:
Beneficiary carries card to access medical services: SSN partially protected;
Beneficiary presents card to provider at time of service: SSN partially protected;
Provider stores beneficiary's identifier and uses it for claims: SSN vulnerable to identity theft.

Current Medicare card:
Beneficiary carries card to access medical services: SSN vulnerable to identity theft;
Beneficiary presents card to provider at time of service: SSN vulnerable to identity theft;
Provider stores beneficiary's identifier and uses it for claims: SSN vulnerable to identity theft.

Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services (CMS).

[End of figure]

CMS reported that each of the three options would cost over $800 million to implement, and that the option to replace the SSN with a new identifier for use by both beneficiaries and providers would be somewhat more expensive, largely because of the IT modifications. However, the methodology and assumptions CMS used to develop its estimates raise questions about their reliability. For example, CMS did not use appropriate guidance, such as GAO’s cost-estimating guidance, when preparing the estimates to ensure their reliability. Additionally, CMS could provide only limited documentation related to how it developed the estimates for the two largest cost areas, both of which involve modifications to IT systems.

What GAO Recommends:

GAO recommends that CMS (1) select an approach for removing SSNs from Medicare cards that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS and (2) develop an accurate, well-documented cost estimate for such an option. CMS concurred with our recommendations. VA, DOD, and RRB had no substantive comments. SSA had a technical comment.

View [hyperlink, http://www.gao.gov/products/GAO-12-831]. For more information, contact Kathleen King at (202) 512-7114 or kingk@gao.gov, or Daniel Bertoni at (202) 512-7215 or bertonid@gao.gov.
[End of section]

Contents:

Letter:

Background:

Options for Removing SSNs from Medicare Cards Include Altering the Display or Replacing the Number with a Different Identifier:

Replacing SSN with a New Identifier for Beneficiary and Provider Use Offers Greatest Protection Against Identity Theft and Minimizes Burdens:

CMS Reported Significant Costs Associated with Removing SSNs from Medicare Cards, but These Estimates May Not Be Reliable:

Conclusions:

Recommendations for Executive Action:

Agency Comments and Our Evaluation:

Appendix I: Burdens of CMS's Proposed Options for Removal of SSN from Medicare Card (Accessible Text):

Appendix II: Comments from the Centers for Medicare & Medicaid Services:

Appendix III: Comments from the Railroad Retirement Board:

Appendix IV: GAO Contacts and Staff Acknowledgments:

Tables:

Table 1: Examples of Interactions Requiring the Health Insurance Claim Number (HICN):

Table 2: Display and Use of the Identifier in Various CMS Options for Removing the SSN from Medicare Cards:

Table 3: Agency Cost Estimates for CMS Options for Removing SSNs from Medicare Cards:

Figures:

Figure 1: Medicare Card:

Figure 2: Risk of Identity Theft with Medicare Card under CMS's Three Proposed Options:

Figure 3: Burdens of CMS's Proposed Options for Removal of SSNs from Medicare Cards:

Abbreviations:

CMS: Centers for Medicare & Medicaid Services:
DOD: Department of Defense:
EDIPI: Electronic Data Interchange Person Identifier:
HHS: Department of Health and Human Services:
HICN: health insurance claim number:
IT: information technology:
MBI: Medicare Beneficiary Identifier:
RRB: Railroad Retirement Board:
SSA: Social Security Administration:
SSN: Social Security number:
VA: Department of Veterans Affairs:
VIC: Veterans Identification Card:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

August 1, 2012:

The Honorable Sam Johnson:
Chairman:
Subcommittee on Social Security:
Committee on Ways and Means:
House of Representatives:

The Honorable Lloyd Doggett:
Ranking Member:
Subcommittee on Human Resources:
Committee on Ways and Means:
House of Representatives:

More than 48 million Medicare cards display Social Security numbers (SSN). Thieves can steal the information from these cards to commit various acts of identity theft, such as opening bank or credit card accounts or receiving medical services in a beneficiary's name. In 2010, 7 percent of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced identity theft, according to U.S. Department of Justice figures. The estimated financial cost of identity theft during that time was approximately $13.3 billion.[Footnote 1] Additionally, theft of this information could result from a data breach--the unauthorized disclosure of a beneficiary's personally identifiable information.[Footnote 2] Between September 2009 and March 2012, the Department of Health and Human Services' (HHS) Office for Civil Rights identified over 400 reports of provider data breaches involving protected health information that each affected more than 500 individuals.[Footnote 3]

The SSN is displayed on Medicare cards, and it is the main component of the health insurance claim number (HICN). The Social Security Administration (SSA) and the Railroad Retirement Board (RRB) assign the HICNs to eligible Medicare beneficiaries. HHS's Centers for Medicare & Medicaid Services (CMS) administers the Medicare program,[Footnote 4] and relies on the HICN for numerous Medicare purposes.
For example, CMS requires beneficiaries to provide the HICN to document eligibility for Medicare services; requires providers to use the number to bill for services; and uses the number and claims information to analyze Medicare's performance and conduct program integrity efforts.[Footnote 5] Each beneficiary is issued a Medicare card that prominently displays the HICN, and CMS advises beneficiaries to carry this card with them at all times and show this card to medical providers when receiving services. As we have reported, however, the explicit display and use of the SSN poses a threat of identity theft.[Footnote 6] The importance of enhancing security protections for SSN display and use has resulted in multiple actions by federal and state governments and the private sector. For example, SSA has advised for years that individuals not carry their Social Security card with them. In 2007, the Office of Management and Budget issued a directive to all federal agencies to develop a plan for reducing the unnecessary use of SSNs and exploring alternatives to their use.[Footnote 7] Many federal agencies, including the Departments of Defense (DOD) and Veterans Affairs (VA), have taken significant steps to remove SSNs from their health insurance and identification cards. In the private sector, health insurers have also removed SSNs from their insurance cards in an effort to comply with state laws and protect beneficiaries from identity theft. In 2004, we reported that CMS determined it would be cost-prohibitive to remove the SSN from the Medicare card.[Footnote 8] In a 2006 report to Congress, CMS highlighted an option for removing the SSN from the Medicare card and estimated it would cost over $300 million to do so. [Footnote 9] In 2010, members of Congress asked CMS to update that report in light of the fact that CMS had not taken actions to remove SSNs from Medicare cards. 
CMS subsequently issued a report in November 2011.[Footnote 10] You asked that we review CMS's 2011 report, including the options it presented for removing the SSN from Medicare cards and the estimated costs. In addition, you asked that we examine the lessons learned from DOD and VA's efforts to remove SSNs from their insurance cards. Consequently, this report (1) describes the various options for removing the SSN from Medicare cards; (2) examines the potential benefits and burdens associated with the various options for removing SSNs from Medicare cards; and (3) examines CMS's cost estimates for removing SSNs from Medicare cards. To describe the options for removing SSNs from Medicare cards, we reviewed CMS's 2011 report to Congress titled Update on the Assessment of the Removal of Social Security Numbers from Medicare Cards, as well as supporting documentation provided by CMS. We interviewed officials from CMS, SSA, and RRB. To obtain a broader perspective on efforts to remove SSNs from health insurance and identification cards, we interviewed officials from DOD, VA, and the following relevant stakeholders: three private health insurers that implemented efforts to remove SSNs from their cards;[Footnote 11] a provider association for physician group practices; a health insurance industry association; and a membership organization for people age 50 and older, a population that would be significantly affected by the removal of SSNs from Medicare cards. To examine the potential benefits and burdens of the options CMS proposed for removing SSNs from Medicare cards, we interviewed officials from CMS to obtain more information about the options presented in its report. We also interviewed officials from DOD and VA to learn about their efforts to remove SSNs from their cards and the factors they considered when implementing such efforts. 
During our interviews with private health insurers and other stakeholders, we obtained information about the benefits and burdens faced by providers and beneficiaries when removing SSNs from health insurance cards. We assessed the options presented by CMS based on the following criteria: (1) maximized protection against identity theft; and (2) minimized burdens on beneficiaries, providers, and CMS. These criteria were developed based on prior GAO work on identity theft and informed by information from CMS's 2011 report and interviews with CMS officials and others. To examine CMS's cost estimates for removing SSNs from Medicare cards, we interviewed officials at CMS, SSA, and RRB to obtain details about the development of the cost estimates, including the methods and underlying assumptions used to derive them. We also interviewed officials from DOD and VA to obtain information on the costs to those agencies related to their initiatives to remove SSNs from DOD and VA identification cards. When interviewing relevant stakeholders, we obtained information about the costs associated with switching from an SSN-based to a non-SSN based identifier on their health insurance cards, to the extent such information was available. In addition, as part of our assessment of CMS's cost estimates, we used GAO's Cost Estimating and Assessment Guide, as appropriate.[Footnote 12] This guide identifies best practices that should be followed to ensure that a reliable cost estimate is comprehensive, well-documented, accurate, and credible. Our assessment included examining the extent to which CMS cost estimates were documented, and that the assumptions used to develop these estimates were supported and appeared to be reasonable. We conducted this performance audit from January 2012 to July 2012 in accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background:

Medicare, Medicare Cards, and the HICN:

Medicare, the federal health insurance program that serves the nation's elderly, certain disabled individuals and individuals with end-stage renal disease, had total program expenditures of $565 billion in 2011, making it one of the largest federal programs. The Medicare program is administered by CMS and consists of four parts: A, B, C, and D. Medicare parts A and B are also referred to as fee-for-service programs. Part A covers hospital and other inpatient stays, hospice, and home health service; and Part B covers hospital outpatient, physician, and other services. The Medicare card is used as proof of eligibility for both of these programs. Part C is Medicare Advantage, under which beneficiaries receive benefits through private health plans. Part D is the Medicare outpatient prescription drug benefit. CMS requires that cards issued by Part C and Part D health plans do not display an SSN.

For most individuals, SSA determines eligibility for Medicare and assigns the individual's HICN. However, for the approximately 550,000 Railroad Retirement beneficiaries and their dependents, the RRB determines Medicare eligibility and assigns this number. CMS or RRB mails paper cards to all beneficiaries, which display the individual's full name, gender, eligibility status (Part A and/or Part B), their effective date of eligibility, and the SSN-based HICN, referred to on the card as the Medicare Claim Number. (See figure 1.)

Figure 1: Medicare Card:

[Refer to PDF for image: sample card]

Source: Centers for Medicare and Medicaid Services.
[End of figure]

The HICN is constructed using the 9-digit SSN of the primary wage earner whose work history qualifies an individual for Medicare, followed by a 1- or 2-character code, referred to as the beneficiary identification code, that specifies the relationship of the card holder to the individual who makes the beneficiary eligible for benefits.[Footnote 13] In most cases, the SSN on the card is the card holder's own; however, approximately 14 percent of Medicare beneficiaries have cards that contain the SSN of the family member whose work history makes the beneficiary eligible for Medicare benefits.

A unique identifier is an essential component for administering health insurance. Such an identifier is used by providers to identify beneficiaries and submit claims for payment. As Medicare's primary unique identifier, the HICN is used by beneficiaries, providers, and CMS and its contractors. State Medicaid programs, which are jointly funded federal-state health care programs that cover certain low-income individuals, use the HICN to coordinate payments for dual-eligible beneficiaries--individuals who are enrolled in both Medicare and Medicaid.[Footnote 14] (See table 1 for examples of various interactions that require the HICN).

Table 1: Examples of Interactions Requiring the Health Insurance Claim Number (HICN):

Stakeholder: Beneficiaries (48.7 million);
Interactions requiring HICN:
* Accessing care from Medicare providers;
* Logging into the Medicare website administered by CMS for Medicare beneficiaries;
* Calling 1-800-MEDICARE (the Medicare help line) for assistance;
* Submitting appeals for coverage.

Stakeholder: Providers (1.4 million);
Interactions requiring HICN:
* Verifying Medicare eligibility at the time of service;
* Submitting claims to receive payment for services provided;
* Collecting data for evaluating quality of care;
* Submitting appeals for coverage.

Stakeholder: Centers for Medicare & Medicaid Services (CMS) and contractors;
Interactions requiring HICN:
* Confirming eligibility;
* Processing claims submitted by providers;
* Paying providers for services rendered;
* Conducting program integrity activities to prevent or identify Medicare fraud, waste, and abuse.

Stakeholder: State Medicaid programs;
Interactions requiring HICN:
* Coordinating payments for services provided by Medicare and Medicaid[A].

Source: GAO analysis of Centers for Medicare & Medicaid Services (CMS) information.

[A] This effort is conducted for dual-eligible individuals who are enrolled in both the Medicare and Medicaid programs.

[End of table]

Beneficiaries must use their HICN when interacting with CMS, such as when they log into the Medicare website or call 1-800-MEDICARE for assistance. Using their issued card, beneficiaries also provide this information to providers at the time of service, and providers use this information to confirm eligibility and submit claims to receive payment for services. CMS and its contractors operate approximately 50 information technology (IT) systems,[Footnote 15] many of which are interdependent, that use this information in some manner to process beneficiary services and claims and conduct a number of other activities related to payment and program-integrity efforts. These IT systems vary considerably in terms of age and interoperability, making them difficult to change.

Options for Removing SSNs from Medicare Cards Include Altering the Display or Replacing the Number with a Different Identifier:

CMS Proposed Three Options for Removing SSNs from the Medicare Cards:

In its November 2011 report, CMS proposed three options for removing SSNs from Medicare cards.
One option would involve altering the display of the SSN through truncation,[Footnote 16] and the other two options would involve the development of a new identifier.[Footnote 17] All three options would vary with regard to the type of identifier displayed on the card and the actions providers and beneficiaries would need to take in order to use the identifier for needed services. CMS officials told us that they limited their options to those retaining the basic format of the current paper card, and did not consider other options that they believed were outside the scope of the congressional request. For example, CMS did not consider using machine-readable technologies, such as bar codes or magnetic stripes.[Footnote 18]

* Option 1: Truncating the SSN: Under this option, the first five digits of the SSN would be replaced with 'X's (e.g., XXX-XX-1234) for display on the card. However, the full SSN would continue to be used for all Medicare business processes. As a result, when interacting with CMS, beneficiaries would need to recall the full SSN or provide additional personally identifiable information in order for CMS to match the beneficiary with his or her records.[Footnote 19] To interact with CMS, providers would also need to obtain the complete SSN using an existing resource. This would involve querying an existing database, calling a CMS help line, or asking the beneficiary for the complete SSN or other personally identifiable information.[Footnote 20]

* Option 2: Developing a New Identifier for Beneficiary Use: Under this option, the SSN would be replaced by a new identifier not based on the SSN that would be displayed on the card, similar to private health insurance cards. CMS refers to this new identifier as the Medicare Beneficiary Identifier (MBI). This number would be used by beneficiaries when interacting with CMS. Providers, however, would be required to continue to use the SSN when interacting with CMS and conducting their business processes. To obtain this information, providers would be expected to electronically request it from CMS using the new identifier. CMS said it would need to create a new database for this purpose.[Footnote 21]

* Option 3: Developing a New Identifier for Beneficiary and Provider Use: Under this option, the SSN would be replaced by a new identifier not based on the SSN, which would be displayed on the card. As in option 2, CMS referred to this number as the MBI. In contrast to option 2, however, this new number would be used by both beneficiaries and providers for all interactions with CMS. Under this option, the SSN would no longer be used by beneficiaries or providers when interacting with CMS, which could eliminate the need for providers to collect or keep the SSN on file.[Footnote 22] CMS and its contractors would continue to use the SSN for internal data purposes, such as claims processing.

Table 2 summarizes the characteristics of the CMS options.

Table 2: Display and Use of the Identifier in Various CMS Options for Removing the SSN from Medicare Cards:

Display and use of the identifier: Identifier displayed on card;
Current Medicare card: SSN;
Truncated SSN: Truncated SSN;
New identifier (beneficiary use only): New identifier;
New identifier (beneficiary and provider use): New identifier.

Display and use of the identifier: Identifier used by beneficiary to interact with CMS;
Current Medicare card: SSN;
Truncated SSN: SSN;
New identifier (beneficiary use only): New identifier;
New identifier (beneficiary and provider use): New identifier.

Display and use of the identifier: How beneficiary obtains identifier to interact with CMS;
Current Medicare card: Refer to card;
Truncated SSN: Recall first 5 digits of SSN or call CMS[A];
New identifier (beneficiary use only): Refer to card;
New identifier (beneficiary and provider use): Refer to card.

Display and use of the identifier: Identifier used by provider to interact with CMS;
Current Medicare card: SSN;
Truncated SSN: SSN;
New identifier (beneficiary use only): SSN;
New identifier (beneficiary and provider use): New identifier.

Display and use of the identifier: How provider obtains the identifier to interact with CMS;
Current Medicare card: Refer to card;
Truncated SSN: Use existing resources to obtain full SSN[B];
New identifier (beneficiary use only): Electronically request SSN using new identifier;
New identifier (beneficiary and provider use): Refer to card.

Source: GAO analysis of information provided by Centers for Medicare & Medicaid Services (CMS).

[A] When calling CMS, beneficiaries would also need to provide additional personally identifiable information, which could include date of birth, spouse's name, or address in order to obtain complete information.

[B] Existing resources include an online database or a call-center operated by a CMS contractor. Providers would need to obtain additional personally identifiable information from the beneficiary and submit it to CMS in order to identify the beneficiary. Providers could also request the full Social Security number (SSN) from the beneficiary at the time of service.

[End of table]

CMS, SSA, and RRB reported that all three options would generally require similar efforts, including coordinating with stakeholders; converting IT systems; conducting provider and beneficiary outreach and education; conducting training of business partners; and issuing new cards. However, the level and type of modifications required to IT systems vary under each option. These systems are responsible for various business functions that perform claims processing, eligibility verification, health plan enrollment, coordination of benefits, program integrity, and research efforts. According to CMS, between 40 and 48 of its IT systems would require modifications, depending on the option selected.
The truncated SSN option would require modifications to 40 systems; the option that uses a new identifier for beneficiary use would require modifications to 44 systems; and the option that uses a new identifier for beneficiary and provider use would require modifications to 48 systems.

In its 2011 report, CMS estimated that any of the 3 proposed options would likely take up to 4 years to implement. During the first 3 years, CMS would coordinate with stakeholders; complete necessary IT system conversions; conduct provider and beneficiary outreach and education; and conduct training of business partners. In the fourth year, CMS would issue new Medicare cards to all beneficiaries over a 12-month period. CMS officials stated that the agency could not implement any of the options without additional funding from Congress. In its report, CMS noted that the actual time needed for implementation could vary due to changing resources or program requirements. Similar to its 2006 report, CMS has not taken action needed to implement any of the options for removing the SSN it presented in its report.

DOD, VA, and Private Health Insurers Have Taken Steps to Remove SSNs from Cards' Display:

DOD has taken steps to remove the SSN from display on the approximately 9.6 million military identification cards that are used by active-duty and retired military personnel and their dependents to access health care services.[Footnote 23] DOD is replacing the SSNs previously displayed on these cards with two different unique identifiers not based on the SSN.[Footnote 24] In 2008, DOD began its SSN removal effort by removing dependents' SSNs from display on their military identification cards, but retained the sponsor's SSN and left SSNs embedded in the cards' bar codes. The dependents' cards did not display any unique identifier.
On June 1, 2011, DOD discontinued issuing any military identification card that displayed an SSN and began issuing cards that displayed two different unique identifiers; however, SSNs continued to be embedded in the cards' bar codes. Starting December 1, 2012, DOD will discontinue embedding the SSN in the cards' bar codes. With the exception of cards issued to retired military personnel, DOD anticipates that the SSNs will be completely removed from all military identification cards by December 2016. [Footnote 25] DOD officials reported that because retirees' cards may still contain the SSN as an identifier, and because some contractors providing health care services may continue to use the SSN for eligibility purposes and processing claims, DOD's IT systems will continue to support multiple identifiers, including the SSN, until such time as all SSNs have been replaced with the two new unique identifiers. DOD cards issued to active-duty military personnel also contain a smart chip, which is used for accessing facilities and IT systems, and may be used to access health care services in some facilities.[Footnote 26] Cardholders' SSNs are concealed in the smart chip. VA has also taken steps to remove the SSN from display on its identification and health care cards. The Veterans Identification Card (VIC) is issued by VA to enrollees and can be used by veterans to access health care services from VA facilities and private providers. In 2011, 8.6 million veterans were eligible to receive health care services and, according to VA officials, about 363,000 dependents of veterans were eligible to receive care through VA's dependent-care programs.[Footnote 27] VA began removing SSNs from display on the VIC in 2004, but the SSN continues to be embedded in the cards' magnetic stripes and bar codes. Since that time, VA officials report that the department has issued approximately 7.7 million VICs. 
VA officials also stated that, in the first quarter of fiscal year 2013, VA will start issuing new VICs that will display a new unique identifier for the veteran and embed the new identifier in the card's magnetic stripe and bar code, replacing the SSN.[Footnote 28] VA also removed SSNs from display on the cards issued to beneficiaries in VA dependent-care programs without replacing it with a new identifier, and beneficiaries in these programs now provide their SSN verbally at the time of service.[Footnote 29] Representatives from a national organization representing private health insurers told us that, to their knowledge, all private health insurers have removed the SSN from display on insurance cards and replaced it with a unique identifier not based on the SSN. Private insurers use these new identifiers for all beneficiary and provider interactions, including determining eligibility and processing claims. According to these officials, private health insurers took those steps to comply with state laws and protect beneficiaries from identity theft. Consistent with this, representatives from the private health insurers we interviewed reported removing SSNs from their cards' display and issuing beneficiaries new identifiers not based on the SSN, which are now used in all beneficiary and provider interactions. Officials we interviewed from DOD, VA, and private health insurers all reported that the process to remove the SSN from cards and replace the SSN with a different unique identifier is taking or took several years to implement and required considerable planning. During their transition periods, DOD, VA, and private health insurers reported that they made modifications to IT systems; collaborated with providers and contractors; and educated providers and beneficiaries about the change. 
One private health insurer we interviewed reported that it allowed for a transition period during which providers could verify eligibility or submit claims using either the SSN or the new unique identifier. This health insurer noted that this allowance, along with the education and outreach it provided to both beneficiaries and providers, resulted in a successful transition. Another health insurer reported that it is providing IT support for both the SSN and the new unique identifier indefinitely in case providers mistakenly use the SSN when submitting claims.

Replacing SSN with a New Identifier for Beneficiary and Provider Use Offers Greatest Protection Against Identity Theft and Minimizes Burdens:

CMS's Option to Replace the SSN with a New Identifier for Use by Beneficiaries and Providers Offers the Greatest Protection Against Identity Theft:

Replacing the SSN with a new identifier for use by beneficiaries and providers offers beneficiaries the greatest protection against identity theft relative to the other options CMS presented in its report. (See figure 2.) Under this option, only the new identifier would be used by beneficiaries and providers. This option would lessen beneficiaries' risk of identity theft in the event that their card was lost or stolen, as the SSN would no longer be printed on the card. Additionally, because providers would not need to collect a beneficiary's SSN or maintain that information in their files, beneficiaries' vulnerability to identity theft would be reduced in the event of a provider data breach.

Figure 2: Risk of Identity Theft with Medicare Card under CMS's Three Proposed Options:

[Refer to PDF for image: illustrated table]

New Identifier (Beneficiary and Provider Use):
Beneficiary carries card to access medical services: SSN fully protected;
Beneficiary presents card to provider at time of service: SSN fully protected;
Provider stores beneficiary's identifier and uses it for claims: SSN fully protected.

New Identifier (Beneficiary Use Only):
Beneficiary carries card to access medical services: SSN fully protected;
Beneficiary presents card to provider at time of service: SSN fully protected;
Provider stores beneficiary's identifier and uses it for claims: SSN vulnerable to identity theft.

Truncated SSN:
Beneficiary carries card to access medical services: SSN partially protected;
Beneficiary presents card to provider at time of service: SSN partially protected;
Provider stores beneficiary's identifier and uses it for claims: SSN vulnerable to identity theft.

Current Medicare card:
Beneficiary carries card to access medical services: SSN vulnerable to identity theft;
Beneficiary presents card to provider at time of service: SSN vulnerable to identity theft;
Provider stores beneficiary's identifier and uses it for claims: SSN vulnerable to identity theft.

Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services (CMS).

[End of figure]

The other two options CMS presented in its 2011 report provide less protection against identity theft. For example, replacing the SSN with a new number just for beneficiary use would offer some protection against identity theft for beneficiaries because no portion of the SSN would be visible on the Medicare card. This would reduce the likelihood of identity theft with the SSN if a card is lost or stolen. However, providers would still need to collect and store the SSN, leaving beneficiaries vulnerable to identity theft in the event of a provider data breach.

CMS's truncated SSN option would provide even less protection against identity theft. This option would eliminate full visibility of the SSN on the Medicare card, making it more difficult to use for identity theft.
However, we have previously reported that the lack of standards for truncation means that identity thieves can still construct a full SSN fairly easily using truncated SSNs from various electronic and hard copy records.[Footnote 30] In addition, under this option, providers would still store the SSN in their files, thereby making beneficiaries vulnerable to identity theft in the event of a provider data breach.

CMS's Option to Replace the SSN with a New Identifier for Use by Beneficiaries and Providers Would Minimize Burdens for Beneficiaries and Providers:

We found that CMS's option to replace the SSN with a new identifier for use by beneficiaries and providers presents fewer burdens for beneficiaries and providers relative to the other options presented in CMS's 2011 report. (See figure 3.) Under this option, the new identifier would be printed on the card, and beneficiaries would use this identifier when interacting with CMS, eliminating the need for beneficiaries to memorize their SSN or store it elsewhere as they might do under other options. This option may also present fewer burdens for providers, as they would not have to query databases or make phone calls to obtain a beneficiary's information to submit claims.[Footnote 31] Private health insurers we interviewed all reported using a similar approach to remove SSNs from their insurance cards. Representatives from these insurers reported that while there was some initial confusion and issues with claims submission during the transition period, proactive outreach efforts to educate providers about this change, as well as having a grace period during which the SSN or new identifier could be used by providers to submit claims, minimized issues and resulted in a relatively smooth transition.

Figure 3: Burdens of CMS's Proposed Options for Removal of SSNs from Medicare Cards:

For the text version of this graphic, see appendix I.

Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services (CMS) and interviews with relevant stakeholders.

[End of figure]

The other two options CMS presented in its 2011 report would create additional burdens for beneficiaries and providers. Beneficiaries may experience difficulties under the truncated SSN option, as they may need to recall their SSN, which could be their own SSN or that of a family member. CMS officials stated that the age of Medicare beneficiaries and the fact that their current identification number may be based on another family member's SSN could make it difficult for beneficiaries to remember the number. In addition, about 31 percent of Medicare beneficiaries residing in the community have a known cognitive or mental impairment, making recalling their number by memory potentially difficult.[Footnote 32] Under both of these remaining options, providers would need to perform additional tasks, such as querying a CMS database or calling CMS, to obtain the full SSN to verify eligibility and submit claims.[Footnote 33]

Regardless of option, the burdens experienced by CMS would likely be similar because the agency would need to conduct many of the same activities and would incur many of the same costs. For example, it would need to reissue Medicare cards to current beneficiaries; conduct outreach and education to beneficiaries and providers; and conduct training for business partners. CMS would also likely see increased call volume to its 1-800-Medicare line with questions about the changes. In addition, there would likely be costs associated with changes to state Medicaid IT systems. However, according to CMS officials, the option that calls for replacing the SSN with a new identifier to be used by beneficiaries and providers would have additional burdens because of the more extensive changes required to CMS's IT systems compared to the other options.
This option, however, would also potentially provide an additional benefit to CMS, as the agency would be able to completely "turn off" the identification number and replace it with a new one in the event that a beneficiary's number is compromised, something that is not possible with the SSN.[Footnote 34]

Other Options Not Explored by CMS for Removing SSNs Would Present Additional Burdens for Beneficiaries, Providers, and CMS:

CMS did not consider in its 2011 report how machine-readable technologies--such as bar codes, magnetic stripes, or smart chips--could assist in the effort to remove SSNs from Medicare cards. Machine-readable technologies have been implemented to varying degrees by DOD and VA. According to DOD and VA officials, DOD is using a smart chip and bar code to store the cardholder's personally identifiable information, and VA is issuing cards in which such information and other identifiers are stored in magnetic stripes and bar codes. Machine-readable technologies may provide additional benefits, such as increased efficiency for providers and beneficiaries. Furthermore, machine-readable technologies provide some additional protection against identity theft, but officials we spoke with stated that the widespread availability of devices to read magnetic stripes and bar codes has made these technologies less secure. Because of this, both DOD and VA have plans to remove SSNs that are stored in these technologies on their cards.

If CMS were to use machine-readable technologies, they could present significant challenges to providers. For example, providers could experience difficulties due to the lack of standardization across these technologies.
Representatives from one private health insurer we interviewed stated that while the use of cards with magnetic stripes worked well within a small region where they have large market penetration, implementing such an effort in regions where providers contract with multiple insurers would be more difficult due to this lack of standardization. In addition, use of machine-readable cards would likely require providers to purchase additional equipment and could be problematic for providers that lack the necessary infrastructure, such as high-speed internet connections, to make machine-readable technologies feasible. According to CMS officials, implementing machine-readable technologies may also require cards that cost more than the paper Medicare card currently in use.

Removing the SSN from the Medicare card and not replacing it with a new identifier, an option also not considered in CMS's report to Congress, could reduce beneficiaries' vulnerability to identity theft, but would create burdens for beneficiaries, providers, and CMS. Complete removal of the SSN from the Medicare card would protect beneficiaries from identity theft in the event that a card is lost or stolen. However, like the truncation option, beneficiaries may have difficulty recalling their SSN at the time of service or when interacting with CMS. This could also be difficult because the SSN needed to show eligibility may not be the beneficiary's own. In addition, providers would likely need to change their administrative processes to obtain the needed information either by querying a database, calling CMS, or obtaining it directly from the beneficiary.
Finally, because providers would still need to collect and store the SSN for eligibility verification and claims submission, beneficiaries would remain vulnerable to identity theft in the event of a provider data breach.[Footnote 35] The VA used this approach to remove SSNs from the approximately 363,000 dependent care program cards, and officials stated that it requires providers to obtain the SSN at the time of service. However, Medicare covers over 48 million beneficiaries who receive services from 1.4 million providers, making such a change more burdensome. In addition, CMS would still encounter similar burdens as in the options presented in its 2011 report to Congress, including the need to educate beneficiaries and providers, and issue new cards, though the extent of the necessary changes to CMS IT systems under such an option is unknown.

CMS Reported Significant Costs Associated with Removing SSNs from Medicare Cards, but These Estimates May Not Be Reliable:

CMS Reported that Removing SSNs from Medicare Cards would Cost Over $800 Million:

In its 2011 report to Congress, CMS, in conjunction with SSA and RRB, developed cost estimates for the three options to alter the display of the SSN on Medicare cards or replace the SSN with a different unique identifier. CMS projected that altering or removing the SSN would cost between $803 million and $845 million. CMS's costs represent the majority of these costs (approximately 85 percent), while SSA and RRB's costs represent approximately 12 percent and 0.2 percent, respectively. (See table 3.)[Footnote 36]

Table 3: Agency Cost Estimates for CMS Options for Removing SSNs from Medicare Cards:

CMS cost estimates:

Option: Modifications to existing state Medicaid IT systems and related costs (federal)[A];
1. Truncated SSN: $261,000,000;
2. New identifier (beneficiary use only): $261,000,000;
3. New identifier (beneficiary and provider use): $261,000,000.

Option: Modifications to CMS IT systems;
1. Truncated SSN: 231,790,000;
2. New identifier (beneficiary use only): 222,055,000;
3. New identifier (beneficiary and provider use): 263,725,000.

Option: Reissuance of Medicare cards;
1. Truncated SSN: 69,320,000;
2. New identifier (beneficiary use only): 69,320,000;
3. New identifier (beneficiary and provider use): 69,320,000.

Option: Beneficiary outreach and education needs;
1. Truncated SSN: 58,200,000;
2. New identifier (beneficiary use only): 58,200,000;
3. New identifier (beneficiary and provider use): 58,200,000.

Option: CMS 1-800-Medicare communication plan;
1. Truncated SSN: 48,200,000;
2. New identifier (beneficiary use only): 48,200,000;
3. New identifier (beneficiary and provider use): 48,200,000.

Option: Provider outreach and education needs;
1. Truncated SSN: 18,700,000;
2. New identifier (beneficiary use only): 18,700,000;
3. New identifier (beneficiary and provider use): 18,700,000.

Option: Training CMS business partners and beneficiaries;
1. Truncated SSN: 166,800;
2. New identifier (beneficiary use only): 166,800;
3. New identifier (beneficiary and provider use): 166,800.

Total CMS costs[B]:
1. Truncated SSN: $687,376,800;
2. New identifier (beneficiary use only): $677,641,800;
3. New identifier (beneficiary and provider use): $719,311,800.

SSA cost estimates:

Option: Responding to beneficiary inquiries and requests for new cards;
1. Truncated SSN: 62,000,000;
2. New identifier (beneficiary use only): 62,000,000;
3. New identifier (beneficiary and provider use): 62,000,000.

Option: Processing undeliverable cards;
1. Truncated SSN: 28,000,000;
2. New identifier (beneficiary use only): 28,000,000;
3. New identifier (beneficiary and provider use): 28,000,000.

Option: Online query access for SSA field offices to obtain new identifier;
1. Truncated SSN: 3,000,000;
2. New identifier (beneficiary use only): 3,000,000;
3. New identifier (beneficiary and provider use): 3,000,000.

Option: Outreach, training, revisions to current forms, and additional application time;
1. Truncated SSN: 2,000,000;
2. New identifier (beneficiary use only): 2,000,000;
3. New identifier (beneficiary and provider use): 2,000,000.

Total SSA costs:
1. Truncated SSN: $95,000,000;
2. New identifier (beneficiary use only): $95,000,000;
3. New identifier (beneficiary and provider use): $95,000,000.

RRB cost estimates:

Option: RRB IT system conversions;
1. Truncated SSN: 225,204;
2. New identifier (beneficiary use only): 444,459;
3. New identifier (beneficiary and provider use): 444,459.

Option: Issuing new Medicare cards;
1. Truncated SSN: 388,905;
2. New identifier (beneficiary use only): 388,905;
3. New identifier (beneficiary and provider use): 388,905.

Option: Responding to beneficiary inquiries;
1. Truncated SSN: 278,912;
2. New identifier (beneficiary use only): 278,912;
3. New identifier (beneficiary and provider use): 278,912.

Option: User costs related to system and procedure changes;
1. Truncated SSN: 145,952;
2. New identifier (beneficiary use only): 145,952;
3. New identifier (beneficiary and provider use): 145,952.

Option: Beneficiary education and publications;
1. Truncated SSN: 52,500;
2. New identifier (beneficiary use only): 52,500;
3. New identifier (beneficiary and provider use): 52,500.

Total RRB costs[C]:
1. Truncated SSN: $1,091,473;
2. New identifier (beneficiary use only): $1,310,728;
3. New identifier (beneficiary and provider use): $1,310,728.

State costs:

Option: Modifications to existing state Medicaid IT systems and related costs (state)[A];
1. Truncated SSN: 29,000,000;
2. New identifier (beneficiary use only): 29,000,000;
3. New identifier (beneficiary and provider use): 29,000,000.

Total state costs:
1. Truncated SSN: $29,000,000;
2. New identifier (beneficiary use only): $29,000,000;
3. New identifier (beneficiary and provider use): $29,000,000.

Total estimated costs[D]:
1. Truncated SSN: $812,468,273;
2. New identifier (beneficiary use only): $802,952,528;
3. New identifier (beneficiary and provider use): $844,622,528.

Source: GAO analysis of data provided by the Centers for Medicare & Medicaid Services (CMS), the Social Security Administration (SSA), and the Railroad Retirement Board (RRB).

[A] CMS estimates that total modifications to existing state Medicaid systems would cost $290 million, of which CMS would be responsible for a federal share of $261 million. The states would be responsible for the remaining $29 million. Related costs include, for example, business process changes, training, and updates to system documentation.

[B] Totals presented in CMS's report were $716,377,000; $706,642,000; and $748,311,000; however, CMS officials confirmed that state Medicaid costs should have been reported separately from CMS's costs and that rounding errors were made in some of the totals presented in its report. GAO numbers reflect corrected calculations.

[C] Totals presented in CMS's report were $1,092,000; $1,311,000; and $1,311,000; however, CMS officials confirmed that rounding errors were made in some totals presented in its report. GAO numbers reflect corrected calculations.

[D] Totals presented in CMS's report were $812,469,000; $802,952,000; and $844,622,000; however, CMS officials confirmed that rounding errors were made in some totals presented in its report. GAO numbers reflect corrected calculations.

[End of table]

Approximately two-thirds of the total estimated costs (between $512 million and $554 million depending on the option) are associated with modifications to existing state Medicaid IT systems and CMS's IT system conversions.[Footnote 37] While modifications to existing state Medicaid IT systems and related costs are projected to cost the same across all three options, the estimated costs for CMS's IT system conversions vary.
This variation is due to the differences in the number of systems affected and the costs for modifying affected systems for the different options. CMS would incur costs related to modifying 40 IT systems under the truncated SSN option, 44 systems under the new identifier for beneficiary use option, and 48 systems under the new identifier for beneficiary and provider use option. In addition, the cost associated with changes to specific systems varied depending on the option. CMS's estimates for all non-IT related cost areas are constant across the options. Other significant cost areas for CMS include reissuing the Medicare card, conducting outreach and education to beneficiaries about the change to the identifier, and responding to beneficiary inquiries related to the new card.

Both SSA and RRB would also incur costs under each of the options described in CMS's 2011 report.[Footnote 38] SSA estimated that implementing any of the three options presented in the 2011 report would cost the agency $95 million. SSA's primary costs included $62 million for responding to inquiries and requests for new Medicare cards from beneficiaries and $28 million for processing new cards mailed by CMS that are returned as undeliverable. SSA officials told us that even though CMS would be responsible for distributing new Medicare cards, SSA anticipated that about 13 percent of the beneficiary population would contact SSA with questions. RRB's costs totaled between $1.1 million and $1.3 million. Between 21 and 34 percent of RRB's total costs were related to IT system updates and changes, depending on the option. The rest of RRB's costs were related to business functions, such as printing and mailing new cards; user costs related to system and procedure changes; and education and outreach.

The cost estimates included in CMS's 2011 report were as much as 2.5 times higher than those estimated in its 2006 report to Congress.
[Footnote 39] CMS attributed these increases to the inclusion of costs not included in the 2006 report, such as those associated with changes to state Medicaid systems and changes to its IT systems related to Part D, as well as a more thorough accounting of costs associated with many of the other cost areas, including SSA costs. In addition, CMS said in its 2006 report that phasing in a new identifier for beneficiaries over a 5- to 10-year period would reduce costs. However, in its 2011 report, CMS stated that such an option would be cost prohibitive because it would require running two parallel IT systems for an extended period of time.[Footnote 40]

The Methods and Assumptions CMS Used to Derive Cost Estimates Raise Questions about Their Reliability:

There are several key concerns regarding the methods and assumptions CMS used to develop its cost estimates that raise questions about the reliability of its overall cost estimates. First, CMS did not use any cost estimating guidance when developing its estimates. GAO's Cost Estimating and Assessment Guide identifies a number of best practices designed to ensure a cost estimate is reliable.[Footnote 41] However, CMS officials acknowledged that the agency did not rely on any specific cost-estimating guidance, such as GAO's cost-estimating guidance, during the development of the cost estimates presented in the agency's report to Congress.
The agency also did not conduct a complete life-cycle cost estimate on relevant costs,[Footnote 42] such as those associated with IT system conversions.[Footnote 43] CMS officials told us they did not conduct a full life-cycle cost estimate for each option because this was a hypothetical analysis, and doing so would have been too resource intensive for the purpose of addressing policy options.[Footnote 44] Second, the procedures used to develop estimates for the two largest cost categories--changes to existing state Medicaid IT systems and CMS's IT system conversions--are questionable and not well documented. For each of CMS's options, the agency estimated Medicaid IT changes would cost $290 million.[Footnote 45] Given the size of this cost category, we have concerns about the age of the data, the number of states used to generalize these estimates, as well as the completeness of the information CMS collected. For example, CMS's estimates for costs associated with its proposed changes were based on data collected in 2008, at which time the agency had not developed all of the options presented in its 2011 report.[Footnote 46] In addition, while CMS asked for cost data from all states in 2008, it received data from only five states--Minnesota, Montana, Oklahoma, Rhode Island, and Texas--and we were unable to determine whether these states are representative of the IT system changes required by all states. CMS extrapolated national cost estimates based on the size of these states, determined by the number of Medicare eligible beneficiaries in them. However, the cost of IT modifications to Medicaid systems would likely depend more on the specific IT systems and their configurations in use by the state than on the number of Medicare beneficiaries in the state. 
CMS was unable to provide documentation about the data it requested from states related to its cost projections, or documentation of the responses it received from states on the specific modifications to Medicaid IT systems that would be required. CMS officials also acknowledged that each state is different and their IT systems would require different modifications. For the CMS IT-system conversion costs, officials told us that CMS derived its IT-system conversion cost estimates by asking its IT system owners for costs associated with changes to the systems affected under each of the three options.[Footnote 47] However, CMS provided us with limited documentation related to the information it supplied to its system owners when collecting cost data to develop its estimates, and no supporting documentation for the data it received from system owners. The documentation CMS provided asked system owners to provide the basis for their estimates (including, for example, costs related to labor and hardware, and software changes and additions), and laid out general assumptions for system owners to consider. However, because CMS asked for estimates for broad cost categories, the data it received were general in nature and not a detailed accounting of specific projected costs. CMS officials also told us that system requirements changed over the course of their work; however, they provided no documentation related to how these changes were communicated to system owners. In addition, CMS officials told us that they generally did not attempt to verify estimates submitted by system owners. CMS could not explain how or why a number of the systems the agency believed would require modifications would be affected under its three options, or the variance in the costs to modify these systems across the options. 
Moreover, CMS's cost estimates for the IT-related costs in its 2011 report were approximately three times higher than the estimate in the agency's 2006 report.[Footnote 48] That report stated that the majority of changes necessary to replace the existing number with a non-SSN-based identifier would affect only two systems;[Footnote 49] however, the agency estimated in its 2011 report that up to 48 systems would require modification, depending on the option selected.[Footnote 50] Furthermore, CMS's 2006 report stated that the 2 primary IT systems affected--the Medicare Beneficiary Database and the Enrollment Database--account for $70 million, or 85 percent, of the IT-related costs. However, in the 2011 report, these 2 systems accounted for 5 percent or less of the IT-related costs, depending on the option implemented. CMS officials we interviewed were unable to explain the differences in the number of systems affected, or the costs of required modifications to IT systems between the 2006 and 2011 reports. Third, there are inconsistencies in some assumptions used by CMS and SSA in the development of the estimates. For example, CMS and SSA used different assumptions regarding the number of Medicare beneficiaries that would require new Medicare cards. According to CMS officials, the agency based its cost estimates on the number of Medicare beneficiaries at the time the report was prepared (47 million), whereas SSA officials told us the agency based its estimates on the expected number of beneficiaries in 2015 (55 million), the year they estimated the new card would likely be issued. In addition, nearly 30 percent of SSA's costs were related to processing newly-issued Medicare cards that are returned as undeliverable. However, SSA officials told us that they were not aware that CMS's cost estimates included plans to conduct an address-verification mailing at a cost of over $45 million prior to issuing new cards. 
Such a mailing could reduce the number of cards returned as undeliverable, and thus SSA's costs associated with processing such cards.[Footnote 51]

Finally, CMS did not take into account other factors when developing its cost estimates, including related IT modernization efforts or potential savings from removing the SSN from Medicare cards. In developing its estimates, CMS did not consider ways to integrate IT requirements for removing the SSN from Medicare cards with those necessitated by other IT modernization plans to realize possible efficiencies. DOD and a private health insurer we interviewed reported that when removing SSNs from their cards, they updated their systems to accommodate this change in conjunction with other unrelated system upgrades. CMS officials told us that because many of the agency's other IT modernization plans are unfunded, the agency does not know when or if these efforts will be undertaken. As a result, the agency is unable to coordinate the SSN removal effort or to estimate savings from combining such efforts. In its report, CMS also acknowledged that if the agency switched to a new identifier used by both beneficiaries and providers, there would likely be some savings due to improved program integrity and reduced need to monitor SSNs that may be stolen and used fraudulently. However, in developing its estimates, CMS did not include any potential savings the agency might accrue as a result of removing the SSN from Medicare cards.[Footnote 52]

Conclusions:

Nearly six years have passed since CMS first issued a report to Congress that explored options to remove the SSN from the Medicare card, and five years have elapsed since the Office of Management and Budget directed federal agencies to reduce the unnecessary use of the SSN. While CMS has identified various options for removing the SSN from Medicare cards, CMS has not committed to a plan to remove them.
The agency lags behind other federal agencies and the private sector in reducing the use of the SSN. DOD, VA, and private health insurers have taken significant steps to eliminate the SSN from display on identification and health insurance cards, and reduce its role in operations. Of the options presented by CMS, the option that calls for developing a new identifier for use by beneficiaries and providers offers the best protection against identity theft and presents fewer burdens for beneficiaries and providers than the other two. Consistent with the approach taken by private health insurers, this option would eliminate the use and display of the SSN for Medicare processes conducted by beneficiaries and providers. While CMS reported that this option is somewhat more costly than the other options, the methods and assumptions CMS used to develop its estimates do not provide enough certainty that those estimates are credible. Moreover, because CMS did not have well-documented cost estimates, the reliability of its estimates cannot be assessed. Use of standard cost-estimating procedures, such as GAO's estimating guidance, would help ensure that CMS cost estimates are comprehensive, well documented, accurate and credible. Moving forward, CMS could also explore whether the use of magnetic stripes, bar codes, or smart chips could offer other benefits such as increased efficiencies. Absent a reliable cost estimate, however, Congress and CMS cannot know the costs associated with this option and how to prioritize it relative to other CMS initiatives. Lack of action on this key initiative leaves Medicare beneficiaries exposed to the possibility of identity theft. 
Recommendations for Executive Action:

In order for CMS to implement an option for removing SSNs from Medicare cards, we recommend that the Administrator of CMS:

* select an approach for removing the SSN from the Medicare card that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS, and

* develop an accurate, well-documented cost estimate for such an option using standard cost-estimating procedures.

Agency Comments and Our Evaluation:

We provided a draft of this report to CMS, DOD, RRB, SSA, and VA for review and comment. CMS and RRB provided written comments which are reproduced in appendixes II and III. DOD, SSA, and VA provided comments by e-mail.

CMS concurred with our first recommendation to select an approach for removing the SSN from Medicare cards that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS. The agency noted that such an approach could protect beneficiaries from identity theft resulting from loss or theft of the card and would allow CMS a useful tool in combating Medicare fraud and medical identity theft.

CMS also concurred with our second recommendation that CMS develop an accurate, well-documented cost estimate using standard cost-estimating procedures for an option that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS. CMS noted that a more rigorous and detailed analysis of a selected option would be necessary in order for Congress to appropriate funding sufficient for implementation, and that it will utilize our suggestions to strengthen its estimating methodology for such an estimate.

DOD had no comments and did not comment on the report's recommendations. RRB stated that the report accurately reflected its input and had no additional comment.
SSA provided only one technical comment, which we incorporated as appropriate, but did not comment on the report's recommendations. VA concurred with our findings, but provided no additional comments. We are sending copies to the Secretaries of HHS, DOD and VA, the Administrator of CMS, the Commissioner of SSA, the Chairman of RRB, interested congressional committees, and others. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staffs have questions about this report, you may contact us at: Kathleen King, (202) 512-7114 or kingk@gao.gov or Daniel Bertoni, (202) 512-7215 or bertonid@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix II. Signed by: Kathleen King: Director, Health Care: Signed by: Daniel Bertoni: Director, Education, Workforce, and Income Security Issues: [End of section] Appendix I: Burdens of CMS's Proposed Options for Removal of SSN from Medicare Card (Accessible Text): Beneficiary; New identifier (beneficiary and provider use): [A]; New identifier (beneficiary use only): [B]; Truncated Social Security number (SSN): [C]. Provider; New identifier (beneficiary and provider use): [D]; New identifier (beneficiary use only): [E]; Truncated Social Security number (SSN): [F]. CMS; New identifier (beneficiary and provider use): [G]; New identifier (beneficiary use only): [H]; Truncated Social Security number (SSN): [I]. Source: GAO analysis of information provided by the Centers for Medicare & Medicaid Services and interviews with relevant stakeholders. [A] While any change to the beneficiary identifier could cause initial confusion for beneficiaries, this option creates no additional burden for the beneficiary because the number on the card would be used to receive services and interact with CMS. 
[B] While any change for the beneficiary identifier could cause initial confusion for beneficiaries, this option creates no additional burdens to the beneficiary because the number on the card would be used to receive services and interact with CMS. [C] Could create additional burdens for beneficiaries because they could be required to remember their SSN in order to receive services and interact with CMS. [D] While any change to the beneficiary identifier could cause initial confusion among providers, this option would not create additional burdens for the provider, as the provider would be able to obtain the number from the card provided by the beneficiary. [E] Could create an additional burden for providers because it would require the provider to obtain the beneficiary's SSN either from the beneficiary, by querying a CMS database, or by calling CMS in order to verify eligibility. [F] Could create an additional burden for providers because it would require the provider to obtain the beneficiary's SSN either from the beneficiary, by querying a CMS database, or by calling CMS in order to verify eligibility. [G] According to CMS, this option would require the most significant modifications to its IT systems. All other burdens for CMS would be similar across the three options. [H] According to CMS, this option would require the least significant modifications to its IT systems. All other burdens for CMS would be similar across the three options. [I] According to CMS, this option would require more significant modifications to its IT systems than the new identifier--beneficiary use only option, and less significant modifications than the new identifier--beneficiary and provider use option. All other burdens for CMS would be similar across the three options. 
[End of table] [End of section] Appendix II: Comments from the Centers for Medicare & Medicaid Services: Department of Health & Human Services Office of The Secretary: Assistant Secretary for Legislation: Washington, DC 20201: July 27, 2012: Kathleen King, Director: Health Care: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Ms. King: Attached are comments on the U.S. Government Accountability Office's (GAO) report entitled, "Medicare: CMS Needs an Approach and A Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards" (GAO-12-831). The Department appreciates the opportunity to review this report prior to publication. Sincerely, Signed by: Jim R. Esquea: Assistant Secretary for Legislation: Attachment: [End of letter] General Comments Of The Department Of Health And Human Services (HHS) On The Government Accountability Office's (GAO) Draft Report Entitled, "Medicare: CMS Needs An Approach And A Reliable Cost Estimate For Removing Social Security Numbers From Medicare Cards" (GAO-12-831): The Department appreciates the opportunity to comment on this draft report. As part of its analysis, GAO conducted an assessment of a report prepared by CMS, with assistance from the Social Security Administration and the Railroad Retirement Board entitled, "Update on the Assessment of the Removal of Social Security Numbers from Medicare Cards." This report, which was completed in November 2011, represented an update on a 2006 report, and it examined three different options for removing the social security number (SSN) from the Medicare card. HHS and CMS take seriously the risk of identity theft for Medicare beneficiaries. CMS has already removed SSNs from Medicare Summary Notices, and has prohibited Medicare private health and drug plans from using SSNs on enrollees' insurance cards. In addition, CMS continues to educate beneficiaries on how they can prevent medical identity theft and fight Medicare fraud. 
CMS has continued to use the SSN as the basis for beneficiary identification because it is fundamental to multiple CMS systems that are required to process and track beneficiary claims and enrollment, to conduct antifraud and quality improvement efforts, and to coordinate with Medicaid programs across the country. As the 2011 report describes, transitioning to a new identifier would be a task of enormous complexity and cost and one that, undertaken without sufficient funding or time for preparation, presents great risks to continued access to healthcare for Medicare beneficiaries. GAO's recommendations and HHS's response to those recommendations are discussed in detail below. GAO Recommendation 1: In order for CMS to implement an option for removing SSNs from Medicare cards, GAO recommends that CMS select an approach for removing the SSN from the Medicare card that best protects beneficiaries from identity theft and minimizes burdens for providers, beneficiaries, and CMS. HHS Response: HHS concurs. GAO further concludes that the option in the 2011 report that would replace the SSN with a new identifier on the Medicare card best meets these goals. HHS and CMS agree that such an approach could protect beneficiaries from identity theft from loss or theft of the card itself. Further, as CMS's November 2011 report explained, replacing the SSN with a new identifier would allow CMS to "turn off" a beneficiary number that had been compromised, which could prove a useful tool in combating Medicare fraud and medical identity theft. HHS and CMS agree that of the three options presented in the 2011 report, this option best meets the goals of reducing the risk of identity theft and preventing fraud while minimizing the burden on beneficiaries and providers. 
GAO Recommendation 2: In order for CMS to implement an option for removing SSNs from Medicare cards, GAO recommends that CMS develop an accurate, well-documented cost estimate for such an option using standard cost-estimating procedures. HHS Response: HHS concurs. CMS provided Congress with a cost estimate for removing SSNs from Medicare cards in 2006 and in 2011 updated this estimate to reflect additional implementation options, a new timeframe for implementation and an estimate for Medicaid costs. The more recent analysis in the 2011 report provides an accurate order of magnitude estimate of the cost to remove the SSN from the Medicare card for the purpose of discussing the policy options. A more rigorous and detailed analysis of the selected option would be necessary in order for Congress to appropriate funding sufficient for implementation. CMS will conduct a new estimate and utilize GAO's suggestions to strengthen our estimating methodology. [End of section] Appendix III: Comments from the Railroad Retirement Board: United States of America: Railroad Retirement Board: Senior Executive Officer: 544 North Rush Street: Chicago, Illinois 60611-2092: July 17, 2012: Ms. Kathleen M. King: Director, Health Care: U.S. Government Accountability Office: Washington, D.C. 20548: Dear Ms. King: The Railroad Retirement Board (RRB) reviewed your draft report entitled Medicare: CMS Needs An Approach and A Reliable Cost Estimate for Removing Social Security Numbers from Medicare Cards (GAO-12-631). The report accurately reflects our input, and we have no additional comments. The RRB intends to work cooperatively with the Centers for Medicare and Medicaid Services and the Social Security Administration in implementing the selected approach. Thank you for the opportunity to review this draft. 
Sincerely, Signed by: Dorothy Isherwood: Senior Executive Officer: [End of section] Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Kathleen King, (202) 512-7114 or kingk@gao.gov or Daniel Bertoni, (202) 512-7215 or bertonid@gao.gov. Staff Acknowledgments: In addition to the contacts named above, the following individuals made key contributions to this report: Lori Rectanus, Assistant Director; Thomas Walke, Assistant Director; David Barish; James Bennett; Carrie Davidson; Sarah Harvey; Drew Long; and Andrea E. Richardson. [End of section] Footnotes: [1] Lynn Langston, Identity Theft Reported by Households, 2005-2010, NCJ 236245 (Washington, D.C.: U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, November 2011). [2] For the purposes of this report, we define a data breach as the unauthorized acquisition, access, use, or disclosure of individually identifiable information. [3] We use the term provider to refer to any organization, institution, or individual that provides health care services to Medicare beneficiaries. These include hospitals, nursing facilities, physicians, hospices, ambulatory surgical centers, outpatient clinics, and suppliers of durable medical equipment, among others. [4] Medicare is the federal health insurance program for individuals over the age of 65, individuals under the age of 65 with certain disabilities, and individuals with end-stage renal disease. [5] CMS's program integrity efforts for Medicare include the detection of improper billing through analysis of claims. [6] See GAO, Social Security Numbers: More Could Be Done to Protect SSNs. [hyperlink, http://www.gao.gov/products/GAO-06-586T] (Washington, D.C.: Mar. 30, 2006). [7] Office of Management and Budget Memorandum M-07-16. Safeguarding Against and Responding to the Breach of Personally Identifiable Information (Washington, D.C.: May 22, 2007). 
[8] GAO, Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards, [hyperlink, http://www.gao.gov/products/GAO-05-59] (Washington, D.C.: Nov. 9, 2004). [9] Centers for Medicare & Medicaid Services, Report to Congress: Removal of Social Security Number from the Medicare Health Insurance Card and Other Medicare Correspondence (Baltimore, Md.: October 2006). [10] Centers for Medicare & Medicaid Services, Update on the Assessment of the Removal of Social Security Numbers from Medicare Cards (Baltimore, Md.: November 2011). [11] Combined, these three health insurers cover more than 48 million individuals. [12] GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs. [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). [13] For example, an A suffix indicates the card holder is a retired or disabled worker (primary claimant). The B or B1 suffix indicates a wife or husband, respectively, of the retired wage earner. The C suffix indicates a child of a retiree, or a disabled child or student. The D suffix indicates a widow and an E suffix signifies a widowed mother. Additional letters or numerical digits may also be used as part of the beneficiary identification code to provide more-detailed relationship information. [14] Medicare beneficiaries may become eligible for Medicaid if, for example, their income and resources decline below certain thresholds. In addition, Medicaid beneficiaries may become eligible for Medicare by, for example, turning 65 years old. [15] IT systems refer to systems and databases. [16] Truncation refers to the practice of masking certain digits in the SSN. [17] In all three options, CMS would continue to use the SSN in its internal systems and to communicate with various partners including SSA and RRB. [18] A bar code is an optical machine-readable representation of data. 
Bar codes use printed and variously patterned bars and spaces that can be scanned and read into computer memory. A magnetic stripe, such as those found on credit cards, is placed on a card and used to store information that can be read by swiping the card through a machine. [19] Examples of such information include date of birth, address, spouse's name, or other personal or identifying information that is linked or linkable to a specific individual. This additional information would be necessary because the last four digits of an SSN are not sufficient on their own to uniquely identify an individual because more than one individual may have the same last four digits. [20] The database and help line are efforts maintained by existing CMS contractors. Providers could also use the SSN that is stored in the beneficiary's record. [21] Providers could also call CMS or ask beneficiaries for their full SSN. [22] Providers frequently store a beneficiary's health care identifier in electronic or paper records in order to submit claims for payment. Providers may collect a beneficiary's SSN for other purposes. [23] Military personnel and federal employees provide health care to DOD's active-duty and retired military personnel and their dependents in military treatment facilities under the military health care program known as TRICARE. Active duty and retired military personnel and their dependents present their military identification cards at the time of service. DOD active duty and retired military personnel and their dependents also access health care through private providers. When beneficiaries access care from private providers, they must present both their military identification card and a separate health care card issued by the DOD contractor administering their TRICARE plan at the time they receive service. [24] The two identifiers are being added only to cards issued after June 1, 2011. 
One identifier, the Electronic Data Interchange Person Identifier (EDIPI), is used DOD-wide to identify a specific individual. The other identifier, the DOD Benefits Number is assigned to each individual eligible for DOD health benefits and other entitlements. [25] Unlike military identification cards issued to active-duty military personnel and dependents, cards issued to military retirees do not have an expiration date. [26] The smart chip is an integrated circuit chip that can be used to store large amounts of information, including SSNs or other unique identifiers, and can exchange data with other systems and process information. By securely exchanging information, a smart card can authenticate the identity of the individual possessing the card in a more rigorous way than is possible with traditional identification cards. [27] Dependents of veterans may have received health care from: the Civilian Health and Medical Program of the Department of Veterans Affairs; the Spina Bifida program; and the Children of Women Vietnam Veterans program. [28] This new identifier will be the EDIPI. DOD has assigned an EDIPI for 17 million veterans. [29] These cards do not have magnetic stripes or bar codes. [30] In past work, we have reported that it is possible to reconstruct truncated SSNs by comparing different public records that had truncated SSNs in different ways. See GAO, Social Security Numbers: Federal Actions Could Further Decrease Availability in Public Records, though Other Vulnerabilities Remain, [hyperlink, http://www.gao.gov/products/GAO-07-752] (Washington, D.C.: June 15, 2007). [31] There may be some initial burdens for providers and beneficiaries under any of the three options presented by CMS. For example, according to CMS officials, some providers may be required to update their IT software and beneficiaries may be confused by any change to their identifier. [32] The Kaiser Family Foundation, "Medicare Chartbook, Fourth Edition," November 2010. 
[33] Providers may also request the SSN from beneficiaries or rely on the SSN documented in a patient's records. [34] CMS currently monitors nearly 275,000 compromised HICNs, which are HICNs that have been subject to actual or possible unauthorized disclosure or access as the result of physical or electronic theft. As long as CMS uses the HICN for transactions, the agency must continue to monitor compromised HICNs. [35] According to a membership organization for people aged 50 and older, completely removing the SSN from the Medicare card and not replacing it with another identifier would create concerns related to verification of eligibility and could potentially lead to increased incidences of fraud. [36] The remaining approximately 3.5 percent of the costs are state costs related to Medicaid IT system modifications. However, in its report CMS included these costs under CMS's total. [37] Modifications to state Medicaid IT systems would be needed in order to process information on individuals eligible for both Medicare and Medicaid. CMS would incur $261 million as the federal share of the estimated total of $290 million. The remaining $29 million would be the responsibility of the States. [38] Both SSA and RRB perform Medicare related activities and would need to make changes to their business processes and IT systems as a result of any of the options to remove SSNs from Medicare cards. SSA determines Medicare eligibility for persons who receive or are about to receive Social Security benefits, enrolls those who are eligible into Medicare, and assigns them a HICN. Though CMS prints and distributes the Medicare card, beneficiaries often contact SSA when they need a replacement card. RRB is responsible for determining Medicare eligibility for qualified railroad retirement beneficiaries, enrolling them into Medicare, assigning HICNs to these individuals, and issuing Medicare cards to them. 
[39] In 2006, CMS estimated that removing the SSN from the Medicare card and replacing it with a new non-SSN based identifier would cost $338 million. [40] DOD officials told us that in its effort to remove SSNs from cards, DOD is issuing cards without SSNs as old cards expire and, for retirees, allowing them to keep their current card with the SSN printed on the front indefinitely unless they request a new card. According to DOD officials, the agency does not expect to incur additional costs associated with this phased approach, which is similar to the phased approach CMS described in its 2006 report. [41] [hyperlink, http://www.gao.gov/products/GAO-09-3SP]. [42] A life-cycle cost estimate provides an exhaustive and structured accounting of all resources and associated cost elements required to develop, produce, deploy, and sustain a particular program. This entails identifying all cost elements that pertain to the program from initial concept all the way through operations, support, and disposal. Life-cycle costing enhances decision making, especially in early planning and concept formulation of acquisition. [43] CMS officials told us that if the agency proceeded with one of the options described in the report, they would conduct a life-cycle cost estimate. [44] HHS also has specific guidance for conducting IT alternative analyses--HHS-IRM-2003-0002 Policy for Conducting Information Technology Alternative Analysis. CMS officials also told us that although they performed such an analysis, they were unaware of this guidance and followed no specific HHS guidance on alternative analysis or cost estimating. [45] In addition to Medicaid IT system modification costs, this cost category includes related costs, such as business process changes, training, and updates to system documentation. 
[46] CMS officials told us that the new identifier for beneficiary use, and new identifier for beneficiary and provider use options had already been developed at the time CMS requested data from the states, but the agency did not include the truncation option when it requested data from the states. [47] System owners refer to CMS employees or contractors who manage CMS IT systems. [48] In its 2006 report to Congress, CMS estimated that removal of the SSN from Medicare cards would cost approximately $338 million, of which $80.2 million was attributable to start up costs for IT system modifications. [49] The 2006 report stated that "less extensive, but still significant change to other systems" would be required; however, 85 percent of the system conversion costs were associated with only two systems. [50] CMS's 2011 report cited 51 systems that would be affected; however, information provided by CMS to GAO shows that between 40 and 48 IT systems would require modifications depending on the option implemented. [51] SSA officials said that although they were unaware of this planned address verification mailing, they believe their estimate of the percent of cards returned as undeliverable is still appropriate. [52] In its 2011 report, CMS noted that the ability to "turn off" a beneficiary's identifier under one of its proposed options could improve the agency's ability to combat Medicare fraud, waste, and abuse. [End of section] 
Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.