Does the Centers for Medicare & Medicaid Services really need the SSN or HICN from the RRE for compliance with the MMSEA or is there another approach that will protect the Medicare beneficiary’s privacy?
Roy Franco
June 2, 2010

Is it really necessary for the Centers of Medicare & Medicare Services (CMS) to require Responsible Reporting Entities (RRE) to collect private information such as Social Security Numbers (SSN) or Health Identification Card Numbers (HICN) from Medicare claimants who file tort claims? While contradictory to the usual Government mantra for its citizens to protect their private information, CMS has now issued two alerts explaining to Medicare beneficiaries why such information should be released to entities who are adversary to their claim. See CMS Alert 8/24/2009 and CMS Alert  4/6/2010. Why this is happening has to do with a recent law passed by Congress known as the Medicare & Medicaid Schip Extension Act of 2007 (MMSEA). That law requires the RRE to electronically report all settlements, awards and judgments or face severe penalties. For CMS to process the electronic reported information it needs to match it with its records and purportedly can only do so by having a complete SSN or HICN. Thus, the Medicare beneficiary must give it up and receives nothing in exchange on how such information is being protected.

The effect of this law is already evident in at least one court decision recently reported by Franco Signor LLC. That case, Gary E. Seger et. al. vs. Tank Collection, LLC et. al (2010) U.S. Dist. LEXIS 49013 required the Medicare beneficiary to give up his SSN and HICN during litigation even before it was legally required by the defendants because “there is no harm to the plaintiffs in providing the information sooner.” I am not as confident as the Seger Court and would like to put forth a possible solution which allows compliance with MMSEA reporting and while at the same time does not compromise the Medicare beneficiary’s private information.

It is important to consider this option as Congress is moving to prohibit the use of SSN and HICN for any reporting purposes under the Medicare Secondary Payer Act. HR #4796 introduced by Representative Patrick Murphy (D-8th Dist. PA) and Representative Tim Murphy (R-18th Dist. PA) will accomplish just that and is gathering momentum for passage as the protection of privacy makes common sense.

Should HR #4796 become law of the land, CMS will not be paralyzed in accomplishing what needs to be done for implementation of MMSEA reporting. The author agrees that such reporting is appropriate and necessary to make certain the Medicare Trust Fund is properly reimbursed. However, the RRE should not be required to collect the SSN or HICN as it is not rationally related to the purposes of the MMSEA. The same could be accomplished with far less information. Here is how and it is something today’s society is fairly comfortable with when identifying itself with a credit card company, bank or any other financial institution.

Why not only provide a part of the SSN or HICN? Every day untold numbers of people identify themselves with usually the last four digits of their SSN, DOB, Name and address. Could this not work for CMS as well? It would seem so, but perhaps a valid criticism is that it is not 100% accurate. Notwithstanding couldn’t accuracy be increased if perhaps the last five characters of the SSN or HICN were used? And, further what would be the result of a no match. A claim would not be reported, compared to the innumerable millions of Medicare beneficiaries whose SSNs and HICNs that would be maintained on tens of thousands private databases without the beneficiary understanding how his privacy is being protected. It would appear from that perspective the loss of a few claims in reporting is well worth the price of maintaining privacy.

If CMS were to adopt such a process it would certainly benefit the RRE who has legitimate concerns of privacy protection that vary from state to state. It would also in this author’s opinion reduce misunderstandings early on in the liability claim process that lead to unnecessary and protracted litigation. An injured party would not be alarmed to provide information to the RRE that is usually and customarily provided in normal situations. Asking for a SSN or HICN the day of or shortly after the accident is awkward and creates an atmosphere of distrust that does not need to occur. The proffered solution increases privacy protection, yet achieves reporting compliance necessary to preserve the Medicare Trust. Would it make sense to employ this now? Is it really necessary for Congress to pass HR #4796 before doing so?