Report: Medicare ID Theft a Burden on Providers, Beneficiaries

Theft of Medicare identification information via data breaches and other methods create a tremendous burden on healthcare providers and the Medicare patients they serve who are victims of identity theft.

According to a new report, the Centers for Medicare and Medicaid Services (CMS) has promised to take steps to do what it can on its part to provide meaningful solutions to resolving identity theft by means other than holding up Medicare transactions by victims to time-consuming reviews and additional scrutiny.

The Office of Inspector General in the U.S. Department of Health and Human Services published the report, “CMS Response to Breaches and Medical Identify Theft” this week. It offered the following five recommendations, listed below, along with CMS’s response:

OIG Recommendation: Ensure That Breach Notifications Meet Recovery Act Requirements 
CMS should ensure that breach notifications are sent within the required timeframe and include the required information. Notifications must include a description of how CMS is investigating the breach, mitigating losses, and protecting against further breaches. They must also include a description of what happened, the type of information involved, steps individuals should take to protect themselves, and contact procedures for individuals who want to learn more.

CMS response: CMS concurred and stated that it will develop new procedures and/or modify existing ones to improve the breach notification process.

OIG Recommendation: Improve the Compromised Number Database 
CMS should solicit input from the benefit integrity contractors and improve the completeness and quality of the database. CMS should also make the database more user friendly, moving away from monthly mailings to a system that would allow for timelier reporting and access. Improving the database would enable contractors to use it more extensively to better detect and deter medical identity theft.

CMS response: CMS concurred and is working with system users to both identify improvements to design a more user-friendly database and add critical information about each compromised number to support fraud detection efforts. CMS is also developing a Web-based interface that will allow direct access by users.

OIG Recommendation: Provide Guidance to Contractors About Using Database Information and Implementing Edits 
We recognize that CMS uses database information in its predictive modeling initiative. In addition, CMS should provide guidance to contractors about how to incorporate database information into their benefit integrity activities. CMS should also provide contractors with protocols for developing edits for compromised numbers. These protocols should outline the circumstances that warrant edits and the types of edits that are most appropriate for compromised provider and beneficiary numbers. These protocols could help promote consistent use of edits across contractors.

CMS response. CMS also concurred  and stated that it has issued instructions and guidance to contractors regarding updating, entering, and redefining entries in the database. Also, CMS intends to share edit development best practices for compromised numbers and issue edit development protocols.

OIG Recommendation: Develop a Method for Ensuring That Beneficiaries Who Are Victims of Medical Identity Theft Retain Access to Needed Services
CMS should mitigate the damage of medical identity theft by ensuring that beneficiaries retain their access to services if their Medicare numbers have been misused by others. Misuse of a beneficiary’s number could delay or prevent that beneficiary from receiving needed services, particularly when the services are subject to a cap. CMS could insert an indicator in the beneficiary claim record that would exclude certain claims from frequency and utilization edits, allowing for payment of legitimate claims for victims of medical identity theft. CMS could also develop other methods for providing assurances and documentation to these beneficiaries that their access to services will not be restricted as a consequence of the theft.

CMS response: CMS did not concur with the  recommendation to correct beneficiary billing histories. CMS cited concerns that changing billing records could negatively impact criminal and civil prosecutions and the integrity of the Medicare claims processing system. However, CMS stated that it will consider the insertion of an indicator on the beneficiary claim record that would allow for payment of legitimate claims for victims of medical identity theft. In response, we modified the fourth recommendation to include CMS’s comments and to focus on developing a method for ensuring that beneficiaries who are victims of medical identity theft retain access to needed services.

OIG Recommendation: Develop a Method for Reissuing Identification Numbers to Beneficiaries Affected by Medical Identity Theft
The issuance of new Medicare beneficiary numbers is complex. We recognize that there is no easy solution to this problem, given that beneficiaries’ Medicare numbers currently are linked to their Social Security numbers. However, CMS should explore different options and then develop a method for reissuing Medicare numbers to beneficiaries affected by medical identity theft.

CMS response: CMS concurred and noted that making the necessary changes to allow CMS to reissue identification numbers for beneficiaries will require significant monetary investments and multiple systems and operational changes for CMS, its contractors, the Social Security Administration, State Medicaid programs, private health plans, and providers. CMS stated it is reviewing options and cost estimates for developing an identification number that is not based on the Social Security number.