ICFE eNEWS #17-27 - July 10th 2017
View this eNEWS online
As we enter the second half of 2017, picture this time line:
1936 - The Social Security Administration begins assigning account numbers to workers, subsequently issuing cards which from time to time carry the restrictive use legend "For Social Security Purposes -- Not for Identification." This number is still used as an authenticator by many organizations, for a broad variety of applications; notably, there is no federal prohibition against using the SSN by private parties for legitimate purposes.
1965 - Medicare requires enrollment for those 65 and older, and begins issuing identification cards to participants, piggy-backing on Social Security numbers with cards that do not carry the restrictive use legend. Typically, the participant's Social Security Number is followed by a single alpha letter, such as "A" or "B."
Late 20th Century - Identity theft becomes a mainstream criminal activity, with identity thieves using data elements such as Social Security numbers in perpetrating their crimes. Both identity theft risk management professionals and privacy advocates begin campaigning for the separation of Social Security Numbers and Medicare Account Numbers. By 2015, official figures indicate some 2.5 million seniors become victims of identity theft each year, although in fairness, these incidents cannot all be traced directly to abuse of Medicare Account Numbers.
2015 - The Medicare Access and CHIP Reauthorization Act (MACRA) is enacted, and requires, among other provisions, the Centers for Medicare and Medicaid Services (CMS) to remove Social Security numbers from all Medicare cards by April 2019.
2017 - CMS announces the transition to new Medicare cards which will replace the beneficiary's Social Security number with a randomly-assigned and unique identifying number. At the time of this writing, CMS expects to start mailing out the new cards in April 2018, and to comply fully with the MACRA requirement by the 2019 deadline. During the transition period, participants and health services providers will be able to use either the new Medicare beneficiary identifier number or the Social Security-based health insurance claim number.
From the perspective of identity theft risk management, separating these two identifiers is certainly a positive development. However, during the transition and beyond, various challenges will persist. Among them are both legacy vulnerabilities and new applications of law and regulation of the health services sector.
Chief among the legacy issues is the protection and ultimate disposition of existing patient files. Both new patient forms and periodic updates of patient information held by medical service providers usually include the patient's Social Security number. While this practice is generally believed not to be a legal requirement for accepting a patient for services, the appearance of a blank space on the forms for the Social Security number does tend to result in the patient filling it in. The transition to use of the new Medicare Patient number will likely not result in the expungement of the Social Security number, at least for some extended period of time.
Looking forward, the aging population indicates that this capture and storage of both numbers will go on for a long while. Statistically, some 10,000 Americans reach the age of 65 each day, nearly all of them becoming Medicare participants. That means there will be about 10,000 patients whose patient files will be updated and presumably still, based on historical precedent and completeness of such files, include Social Security numbers. This choice must be made in a mindful manner, especially to assure continuity if the decision is made to expunge al Social Security number references from the patient file when the Medicare number is added.
Of course, it is within the responsibilities of CMS to deal with this transition on a practicable and cost-effective basis. Coordination with HIPAA and HITECH requirements will be necessary, especially since these rules apply to both Medicare and non-Medicare patients. It seems appropriate to expect CMS to promulgate regulations and provide guidance on how best to complete the separation of Social Security and Medicare identifiers.
This brief article does not attempt to cover all of the issues involved in the transition, or the likely application of the Law of Unintended Consequences. But it's a certainty that the ultimate success of this initiative will depend on including an effective response to the broad array of challenges common to the practice of identity theft risk management.
For more a more detailed history of the Social Security Number and Card, read "The Story of the Social Security Number"
The ICFE's Certified Identity Theft Risk Management Specialist ® XV
CITRMS® course is now available both in printed format and online.
The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students available. Inquire at firstname.lastname@example.org
Yan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.
ICFE eNEWS is available FREE upon request by visiting the ICFE's
and filling out the contact form, selecting "Yes" for "Add to Mailing List."
Please pass this eNEWS on to your peers and interested others and
invite them to subscribe for free. Also, visit the ICFE's new Web site:
Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)
ICFE - Institute of Consumer Financial Education - ICFE.info - 619.239.1401