A New Medicare Patient Identifier: An Impossible Dream?

Using SSNs as a Medicare patient identifier causes serious problems

Despite nearly a decade of studies and warnings, Medicare cards continue to display participants’ SSNs prominently on the face of the card as their Health Insurance Claim Number (HICN), or patient identification number. This number is also printed on all claim forms mailed to participants’ homes.

As the studies and warnings clearly point out, this practice leaves participants vulnerable to identity theft when Medicare cards are stolen or claim forms are mailed to the wrong address, both of which are common occurrences. It also leaves the Medicare program itself more vulnerable to fraud when identity thieves use stolen Medicare cards to obtain medical care and/or to submit fraudulent claims. Using SSNs as a patient identifier is simply a bad idea, particularly since other state and federal laws specifically prohibit using SSNs in this way.

Both the Centers for Medicare & Medicaid Services (CMS) and the U.S. Government Accountability Office (GAO) have studied this issue in some depth. Yet, despite across-the-board agreement that the practice needs to change, no relevant government agency, nor Congress, has taken the action necessary to require the change.

A key reason for this inaction, beyond the need for further study, is cost. A 2012 GAO Report examined two options to address the issue:

  1. Continue to use SSNs but hide the first five digits.
  2. Replace SSNs with a new Medicare Beneficiary Identifier (MBI).

However, CMS concluded that implementing either option would involve between 40 and 48 government IT systems and would take approximately four years to complete. Early CMS estimates indicated that replacing SSNs with the new MBIs would cost up to $845 million. More recent GAO estimates bring that number down considerably, to between $255 million and $317 million. Note that these estimates do not include the costs hospitals and providers would incur in making changes to accommodate the new MBIs.

So, things stand pretty much where they have stood since this issue first became a key point of study and discussion years ago. The most recent GAO Report (September 2013) on the matter concluded that, despite the many warnings resulting from the studies and the increasing level of Medicare card theft, CMS still had not given the green light to any project that would remove SSNs as the Medicare card patient identifier. CMS has also failed to follow the lead of existing state and federal laws that prohibit the use of SSNs as patient identifiers.

But hope springs eternal. Maybe CMS will seize the opportunity to make the change during the current modernization project for CMS’s overall IT systems. As noted in the September 2013 GAO Report, "...one of CMS’s high-level modernization goals is to establish an architecture to support ‘shared services’ - IT functions that can be used by multiple organizations and facilitate data-sharing..." This effort includes a crosswalk function that could translate existing SSNs on claims to the new MBIs and vice versa. The transition from the SSN to the new MBI would be far more efficient if the modernized system received information already keyed to the new MBI, rather than taking in information keyed to the SSN and then converting it afterward.

Is it an impossible dream that the common-sense state and federal regulations already prohibiting SSNs from being used as patient identifiers will also apply to Medicare? It remains to be seen.

$6.8 Million Fine Levied for HIPAA Violation

The HITECH law caps the fines that the Department of Health and Human Services (HHS) can assess for HIPAA violations at $1.5 million per incident per year. However, other federal, state and regional regulatory agencies have authority to impose fines for violations of the HIPAA privacy and security standards, and can do so simultaneously for the same offense.

Health insurer Triple-S Management Corporation (Triple-S) of San Juan was recently fined $6.8 million by the Puerto Rico Health Insurance Administration (PRHIA) for improperly handling the protected health information (PHI) of 13,336 of its beneficiaries who were dual-eligible for Medicare and Medicaid. Accreditation requirements for selling insurance in Puerto Rico required Triple-S to sign a contract agreeing to maintain compliance with HIPAA or face fines and additional sanctions for violations.

The breach resulted from a September 20, 2013 incident in which Triple-S mailed pamphlets to its beneficiaries with their Medicare numbers visible from the outside of the envelope. Medicare numbers are unique client identifiers that are deemed PHI when held by or on behalf of a HIPAA covered entity. As a result of the HIPAA violations, the PRHIA assessed a $6.8 million fine and called for Triple-S to suspend dual-eligibility enrollment, notify affected individuals of their right to end their enrollment, and implement a corrective action plan to prevent future breaches.

Cooperation is Key

In this case, the fine was assessed at $500 for each of Triple-S’s 13,336 affected beneficiaries, in accordance with the contract Triple-S signed with PRHIA. An additional $100,000 was assessed for its failure to cooperate with PRHIA’s investigation into the incident: providing misleading information and, in response to some requests, not supplying any information to PRHIA at all, as reported by 4Medapproved HIT Security in HIPAA Enforcement Blind Spots (March 3, 2014).

The fines levied against Triple-S put Covered Entities and Business Associates on notice of their absolute obligation to comply fully with HIPAA and to implement proper procedures for reporting and investigating breaches. This is an essential part of HIPAA compliance planning. Further, Covered Entities and Business Associates need to be aware of the concurrent authority of the Federal Trade Commission (FTC) to address HIPAA violations; the FTC can exercise regulatory oversight through corrective action plans lasting up to 20 years. Complying with HIPAA privacy and security standards is the right thing to do for your healthcare practice and/or business, and, most important, for your patients and clients.