Connecticut State Court Follows Seger, requires disclosure of Social Security Numbers.
Roy Franco
August 9, 2010

Seger v. Tank Connection, LLC, Docket No. 8:08CV75 (D.Neb. 2010) is less than a few months old but is already having an impact on at least one State Court ruling regarding disclosure to insurance carriers and defendants of plaintiff’s private information. New reporting requirements created by Pub. L. No. 110-73, codified under 42 USC §1395y(b)(8), have established penalties against insurance carriers and self insureds if they fail to report settlements, awards, or judgments that involve a Medicare beneficiary that occur after 10/1/2010. Medicare reporting requires use of Social Security Numbers or Health Identification Card Numbers to match reported information with Government records. The matched records will enable Medicare to seek reimbursement from parties for any related payments it may have made for medical items or services.

Harold Hackley v. James Garofano, et. al, 2010 Conn. Super. LEXIS 1669 takes Seger a step further and liberalizes the disclosure of private information beyond the litigated case. This particular action involved a motor vehicle accident in which a minor sustained personal injuries. The minor’s father filed the claim on his son’s behalf with USAA, the insurance carrier for the defendant. An offer was made by the USAA adjuster for $7,500 and accepted by the attorney for the plaintiffs on January 5, 2010. No defense attorney and it is unclear whether any litigation was actually filed.

Subsequent to the acceptance of the settlement offer, USAA required both the minor child plaintiff and his father to turn over their Social Security Numbers in order to verify their Medicare beneficiary status. The plaintiffs refused and a motion was brought by plaintiffs to enforce the settlement.

In reaching its decision the Hackley Court sought to answer two questions: 1) whether an insurer may legitimately condition the settlement of a civil case on the receipt of the plaintiffs’ social security numbers? And 2) whether there was an unambiguous agreement to settle?

An insurance company may legitimately require social security numbers as a condition to settlement in Connecticut. The Hackley court found the reasoning in Seger persuasive. Although plaintiff’s counsel argued that his office had established its own privacy policy under state law which prohibited disclosure of such information, the Court reasoned that Connecticut State Law should not vitiate or undermine the reporting requirements of the Medicare Secondary Payer Act (MSP). Plaintiffs are protected under Connecticut State Law because USAA’s confidentially policy provides reasonable, albeit not foolproof, assurance that this personal identifying information will not be compromised. Consequently, it is a necessary and permissible requirement in order to protect Medicare’s interests when a Medicare-eligible person receives a verdict or settlement in a personal injury case.

The Hackley court’s conclusion is interesting on several grounds. First, the basis for requiring social security numbers to “protect Medicare’s interest” is based on a reporting law that applies to a settlement after 10/1/2010, but in this particular case the parties had purportedly settled on January 5, 2010. This begs the question of what legitimate interest is being protected. Second, the plaintiffs are obviously not Medicare beneficiaries. While the Court dismisses this concern by stating that the purpose of the statute was to avoid having insurers “at the mercy” of plaintiffs when the time comes to ascertain Medicare eligibility; rather than rely on plaintiffs’ representations, the statute expresses a preference for a standardized procedure based on Social Security Number or Medicare Health Insurance Claim Numbers with which the insurer can make the determination itself electronically. Nonetheless, the statute is completely silent on the use of social security numbers and Medicare Health Insurance Claim Numbers. The statute allows CMS to create rules by program directive, but the intent of the statute was to report, not to query on probable Medicare beneficiaries. CMS has only offered the query process as an accommodation to responsible reporting entities. Social Security Numbers and Health Identification Claim Numbers are still protected pieces of information under the Privacy Act of 1974 and without amendment to that Act CMS itself recognizes the limitations on disclosure under the Privacy Act and because non-Medicare beneficiaries may rightfully wish to not disclose such private information has provided a method to satisfy Medicare status with the execution of an Affidavit.

The Social Security Number or Health Insurance Claim Number is essential to the administration of the Medicare program as it is used to identify well over 44 million Medicare beneficiaries currently enrolled in the system. At first blush it would appear disclosure of such information is a legitimate and necessary use that would permit Medicare to match records with settlements, awards and judgments to seek reimbursement and therefore permissible under HIPAA. However, is this really the least restrictive method? Even HIPAA recognizes the “minimum necessary” concept when disclosing Personal Health Information. Does Medicare really need a Reporting Responsible Entity to provide the entire Social Security Number or Health Identification Card Number or can it match records with a partial number as argued in my earlier article published on this topic on June 2, 2010?

Not all plaintiffs have Social Security Numbers or Health Identification Card Numbers. One does not need to be a U.S. Citizen to file a liability claim for damages in the U.S. Would not an available affidavit from CMS solve some of these concerns? Aside from this concern, what new responsibilities does this lay at the Responsible Reporting Entities’ feet? At least in Connecticut now that this information is part of the privacy policy, are there notice requirements to plaintiffs every time that policy is changed? Do plaintiffs have a right of discovery to such policy and the right to inquire about any past breaches? Prudent Risk Managers for Responsible Reporting Entities will need to evaluate exposure before engaging in a policy of requiring private information, especially from claimants that have not filed litigation and the protection to secure that information is allowed under the discovery statutes.

However, does that mean that non- Medicare beneficiaries must simply give up privacy concerns for that end? It does not seem rationally related and having another method of attesting to non-Medicare beneficiary status without divulging that information is a more reasonable approach. Nevertheless, the Hackley court has spoken and social security numbers, at least in Connecticut can be required as a conditional precedent to disbursement of funds for all tort cases.

Hackley also stands for another important proposition. In regards to the second question, the Court would not enforce the settlement agreement as to the $7,500 because there was no meeting of the minds. An essential term, disclosure of the private information was not discussed before acceptance of the settlement and therefore was no agreement to settle. That’s an important point as it again demonstrates that under the MSP parties must cooperate to ensure the Medicare obligations are properly disposed of. How that is to be accomplished should be carefully outlined in the settlement agreement. If not, a lot of time, money and settlements will be lost that could simply be handled up front from the moment the claim was filed.

Franco Signor LLC is able to assist in these sorts of issues to prevent unnecessary litigation expense related to MSP compliance. Acting as a broker of cooperation between both sides allows for better clarity and understanding of Medicare’s obligations. Let Franco Signor LLC handle your MSP requirements. When the parties are ready to resolve the case, Franco Signor will have the MSP details necessary to allow the matter to conclude.