The Centers for Medicare & Medicaid Services (CMS) should try to get away from basing Medicare numbers on Social Security numbers, according to officials at the Office of the Inspector General for the U.S. Department of Health and Human Services (HHS OIG).
HHS OIG officials have included that recommendation in a report on how CMS Medicare program managers have handled breaches of Medicare enrollee information and actual cases of Medicare-related identity theft.
A provision in the American Recovery and Reinvestment Act (ARRA) requires CMS to notify the affected Medicare enrollees and provide other help when breaches occur, HHS OIG officials said in the report.
The investigators used CMS breach data to conduct the analysis.
The investigators found 14 reported breaches of protected health information that took place between Sept. 23, 2009, when ARRA took effect, and the end of 2011.
The breaches affected about 14,000 Medicare enrollees.
Although CMS identified the affected enrollees, it had trouble with meeting other ARRA requirements, such as sending information in a timely fashion, giving a description of how CMS is investigating the breach, a description of what happened, and steps enrollees can take to protect themselves, officials said.
One challenge is that CMS updates the identity theft database just once a month. and another challenge is that the database is difficult for contractors to use, officials said.
Another problem is that CMS usually creates Medicare numbers by adding the letter A to the end of an enrollee's Social Security number, or by adding B to the end of the Social Security number of an enrollee's breadwinner spouse.
Today, there is no easy way to issue enrollees new Medicare numbers because of the Social Security number link, officials said.
CMS officials "have cited high costs, the volume of changes, and operational and systems issues as barriers to altering beneficiary numbers," HHS OIG officials said.
In spite of those obstacles, "CMS should explore different options and then develop a method for reissuing Medicare numbers to beneficiaries affected by medical identity theft," OIG HHS officials said.