What GAO Found
The Centers for Medicare and Medicaid Services (CMS)--which is the agency within the Department of Health and Human Services (HHS) responsible for administering Medicare--has not taken needed steps, such as designating a business owner and establishing a business case for an information technology (IT) project, that would result in selecting and implementing a technical solution for removing Social Security numbers (SSN) from Medicare cards. However, the agency has collected information and data as part of its most recent study of SSN removal that could contribute to the identification and development of an IT solution. These include information relevant to examining alternative approaches, identifying costs and risks, and assessing the impact of different approaches on the agency's existing IT systems. For example, the agency identified two approaches for removing the SSN: (1) replacing it with a new identifier, referred to as the Medicare Beneficiary Identifier, and (2) masking the first five digits of the SSN for display on Medicare cards. CMS system and business owners also conducted high-level assessments of the types of changes that would need to be made to systems identified in the agency's IT inventory. For example, system owners estimated the level of complexity of the changes, the number of hours of work at each life-cycle phase, business and technical risks, and the potential to leverage related efforts. CMS noted in its most recent study that replacing the SSN with a new identifier could reduce the risk of identity theft from a lost or stolen card, and actions taken thus far could inform a future IT project to address SSN removal. However, according to CMS officials, agency leadership has not directed them to initiate such a project. Until such a project is undertaken, the agency will not be positioned to identify or implement a solution to support the removal of SSNs from beneficiaries' cards.
CMS has efforts under way to modernize its IT systems, some of which could be leveraged to facilitate the removal of SSNs from Medicare cards. Specifically, one of CMS's high-level modernization goals is to establish an architecture to support "shared services"--IT functions that can be used by multiple organizations and facilitate data sharing. According to agency officials, a service established to automate and manage certain aspects of CMS programs could be used to support a "crosswalk" function that would translate the existing claims number to the new beneficiary identifier (and vice versa). This would enable internal systems to receive information containing the new identifier and continue to process data based on the existing number. Another project was intended to consolidate eligibility determination services from four systems, which could reduce the extent of modifications that would have to be made to each of the systems. However, because the agency has not initiated a project for removing SSNs from identification cards, officials have not considered including shared services or other IT initiatives in their modernization activities and related plans to specifically support changes needed as a result of SSN removal. As a result, CMS may miss opportunities to incorporate such a project into ongoing agencywide modernization initiatives that could facilitate efforts to design, develop, and implement an IT solution for SSN removal in a timely and cost-effective manner.
Why GAO Did This Study
The health insurance claims number on Medicare beneficiaries' cards includes as one component the beneficiary's (or other eligible person's, such as a spouse's) SSN. This introduces risks to beneficiaries' personal information, as the number may be obtained and used to commit identity theft. Many organizations have replaced SSNs on these types of cards with alternative identifiers. However, the introduction of such a new data element into IT environments can require changes to systems that process and share data. Moreover, previous assessments of CMS's IT environment have found that it consists of many aging, "stove-piped" systems that cannot easily share data or be enhanced; thus the agency has ongoing efforts to modernize its environment.
As requested, GAO studied CMS's efforts related to the removal of SSNs from Medicare cards. GAO's objectives were to (1) assess actions CMS has taken to identify and implement IT solutions for removing SSNs from Medicare cards and (2) determine whether CMS's ongoing IT modernization initiatives could facilitate SSN removal efforts. To do this, GAO reviewed agency documentation and interviewed officials.
GAO recommends that CMS initiate an IT project to develop a solution for SSN removal and incorporate such a project into plans for ongoing IT modernization initiatives. HHS agreed with GAO's recommendations, if certain constraints were addressed. However, GAO maintains that its recommendations are warranted as originally stated.
Recommendations for Executive Action
Centers for Medicare and Medicaid Services
Priority Rec. 1. To better position the agency to efficiently and cost-effectively identify, design, develop, and implement an IT solution that addresses the removal of SSNs from Medicare beneficiaries' health insurance cards, the Administrator of CMS should direct the initiation of an IT project for identifying, developing, and implementing changes that would have to be made to CMS's affected systems, including designating a business owner and establishing a business case, issuing a project charter, and conducting project selection and architectural reviews of proposed approaches for the removal of SSNs from Medicare beneficiaries' cards.
Centers for Medicare and Medicaid Services
Priority Rec. 2. To better position the agency to efficiently and cost-effectively identify, design, develop, and implement an IT solution that addresses the removal of SSNs from Medicare beneficiaries' health insurance cards, the Administrator of CMS should incorporate such a project into plans for ongoing enterprisewide IT modernization initiatives.