Investigators: CMS needs better identity theft database
By National Underwriter
By Allison Bell
The Centers for Medicare & Medicaid Services (CMS) should try to get away from basing Medicare numbers on Social Security numbers, according to officials at the Office of the Inspector General for the U.S. Department of Health and Human Services (HHS OIG).
HHS OIG officials have included that recommendation in a report on how CMS Medicare program managers have handled breaches of Medicare enrollee information and actual cases of Medicare-related identity theft.
A provision in the American Recovery and Reinvestment Act (ARRA) requires CMS to notify the affected Medicare enrollees and provide other help when breaches occur, HHS OIG officials said in the report.
The investigators used CMS breach data to conduct the analysis.
The investigators found 14 reported breaches of protected health information that took place between Sept. 23, 2009, when ARRA took effect, and the end of 2011.
The breaches affected about 14,000 Medicare enrollees.
Although CMS identified the affected enrollees, it had trouble with meeting other ARRA requirements, such as sending information in a timely fashion, giving a description of how CMS is investigating the breach, a description of what happened, and steps enrollees can take to protect themselves, officials said.
One challenge is that CMS updates the identity theft database just once a month and another challenge is that the database is difficult for contractors to use, officials said.
Another problem is that CMS usually creates Medicare numbers by adding the letter A to the end of an enrollee's Social Security number, or by adding B to the end of the Social Security number of an enrollee's breadwinner spouse.
Today, there is no easy way to issue enrollees new Medicare numbers because of the Social Security number link, officials said.
CMS officials "have cited high costs, the volume of changes, and operational and systems issues as barriers to altering beneficiary numbers," HHS OIG officials said.
In spite of those obstacles, "CMS should explore different options and then develop a method for reissuing Medicare numbers to beneficiaries affected by medical identity theft," OIG HHS officials said. CMS also should make sure enrollees can get access to care when others are misusing their Medicare numbers, officials said.
"Misuse of a beneficiary’s number could delay or prevent that beneficiary from receiving needed services, particularly when the services are subject to a cap," officials said. "CMS could insert an indicator in the beneficiary claim record that would exclude certain claims from frequency and utilization edits, allowing for payment of legitimate claims for victims of medical identity theft. CMS could also develop other methods for providing assurances and documentation to these beneficiaries that their access to services will not be restricted as a consequence of the theft."
Originally published on LifeHealthPro.com