Despite nearly a decade of studies and warnings, Medicare cards continue to display participants’ SSNs prominently on the face of the card as their Health Insurance Claim Number (HICN) or patient identification number. This number is also displayed on all claim forms mailed to participants’ homes.

As the studies and warnings clearly point out, this practice leaves participants vulnerable to identity theft when Medicare cards are stolen or claim forms are mailed to the wrong address. This is a common occurrence. It also leaves the Medicare program itself more vulnerable to fraud when identity thieves use stolen Medicare cards to obtain personal medical care and/or to submit fraudulent claims. Using SSNs as a patient identifier is just a bad idea, particularly in light of the fact that other state and federal laws specifically prohibit the use of SSNs in this way.

Both the (CMS) and the U.S. Government Accountability Office (GAO) have studied this issue in some depth. Yet, despite across-the-board agreement that the practice needs to change, no relevant government agency, nor Congress, has taken the necessary action to require the change.

A key reason for this inaction, beyond the studies, is the cost. A 2012 GAO Report examined two options to address the issue:

1. Continue to use SSNs but hide the first five digits.
2. Replace SSNs with a new Medicare Beneficiary Identifier

However, CMS concluded that implementing either option would involve between 40 to 48 government IT systems and would take approximately four years to complete. Early CMS estimates indicated that replacing SSNs with the new MBIs would cost up to $845 million. More recent GAO estimates bring that number down considerably to between $255 million to $317 million. Note that these estimates do not include costs hospitals and providers would incur when making changes to accommodate the new MBIs.

So, things stand pretty much where they have stood since this issue first became a key point of study and discussion years ago. The most recent GAO Report (September 2013) on the matter concluded that despite the many warnings resulting from the studies and the increasing level of Medicare card theft, CMS still had not given the green light to any project that would remove SSNs as the Medicare card patient identifier. CMS has also failed to follow the lead of other existing state and federal laws prohibiting the use of SSNs as patient identifiers.

But hope springs eternal. Maybe CMS will seize the opportunity to make the change during the current modernization project of CMS’s overall IT systems. As proposed in the September 2013 GAO Report, "...one of CMS’s high-level modernization goals is to establish an architecture to support ‘shared services’ - IT functions that can be used by multiple organizations and facilitate data-sharing..." This effort includes a crosswalk function that could translate existing SSNs on claims to the new MBIs and vice-versa. The transition from the SSN to the new MBI would be much more efficient by receiving information on CMS’s modernized system with the new MBI, rather than by processing the information into the modernized system with the SSN and then making the transition.

Is it an impossible dream that the common-sense state and federal regulations already prohibiting SSNs from being used as patient identifiers will also apply to Medicare? It remains to be seen.