GAO Report Analyzes Options for Medicare Card Technology
Historically, the Center for Medicare and Medicaid Services ("CMS") issues all Medicare beneficiaries a paper card that includes the beneficiary's name, Medicare number and eligibility status. Beneficiaries present the cards to providers who in turn use the cards to verify eligibility and to submit claims for reimbursement. The Medicare Access and CHIP Reauthorization Act of 2015 ("MACRA") contains two provisions related to the identification cards.
Originally recommended by the Government Accountability Office ("GAO") in 2013, the first card-related provision in MACRA requires CMS to banish Social Security Numbers ("SSNs") from the identification cards within four years after the date MACRA is enacted. The relevant provision of MACRA can be found here.
The second provision requires the Secretary of Health and Human Services ("HHS") to consider using electronic Medicare beneficiary and provider cards if the Secretary determines that it is cost effective and technologically viable. In light of the GAO's recent report entitled "Medicare -- Potential Uses of Electronically Readable Cards for Beneficiaries and Providers", it is unlikely that the Secretary will determine that a robust implementation of electronically readable cards is either cost effective or technologically viable. However, as discussed below, electronically readable Medicare cards could receive a more limited introduction as means of more efficiently conveying beneficiary identity and insurance information.
The report was commissioned by various members of congress, including U.S. Senators Tom Carper (D-Del.), Ron Johnson (R-Wis.), Mark Kirk (R-Ill.), and Ron Wyden (D-Ore.), as well as by U.S. Representatives Sander Levin (D-Mich.), Kevin Brady (R-Texas), Peter Roskam (R-Ill.) and Earl Blumenauer (D-Ore.). In its report, the GAO:
- evaluates the different functions and features of electronically readable cards;
- examines the potential benefits and limitations associated with the use of electronically readable cards in Medicare;
- examines the steps CMS and Medicare providers would need to take to implement and use electronically readable cards; and
- describe the lessons learned from the implementation and use of electronically readable cards in other countries.
Functions and Features of Electronically Readable Cards
The GAO concluded that three types of electronically readable cards could potentially replace paper Medicare cards:
- Smart cards. The key distinguishing feature of smart cards is that they contain a microprocessor chip that can both store and process data, much like a very basic computer.
- Magnetic stripe cards. Cards with magnetic stripes, such as credit cards, store information on a magnetic strip, and are read by swiping the card through a card reader.
- Bar code cards. Cards with bar codes contain an electronically readable representation of data—printed and variously patterned bars and spaces—that can be scanned and read.
Of these three types of cards, the GAO concluded that some or all of the cards may provide three primary functions within the Medicare context:
- Authenticating beneficiary and provider presence at the point of care. Beneficiary and provider cards could be used for authentication to potentially limit certain types of Medicare fraud. In this role, records of the cards being used could be analyzed by CMS to verify that the beneficiary (or provider) was actually present at the point of service.
- Electronically exchanging beneficiary medical information. Beneficiary cards could be used to store and exchange medical information, such as electronic health records, beneficiary medical conditions, and emergency care information, such as allergies.
- Electronically conveying beneficiary identity and insurance information to providers. Beneficiary cards could be used to autopopulate beneficiary information into provider information technology (IT) systems and to automatically retrieve existing beneficiary records from provider IT systems.
The GAO produced the following summary of the functions and features of electronically readable cards:
Summary of the GAO's Findings
The GAO found that since smart cards offer the ability to process data (due to their integrated chip) they are able to provide higher levels of authentication and provide better information security than either of the other types of cards. Part of the high level of assurance in smart card authentication is due to the difficulty of copying or counterfeiting smart cards. Smart cards also have the ability to utilize encryption techniques as well as more sophisticated multi-factor authentication. For example, smart cards can verify whether a user provides a correct PIN or can confirm a fingerprint match, and can do so without being connected to a separate IT system. The GAO report found that if the federal government chooses to store detailed health information on the card itself, then smart cards must be used given their significantly greater storage capacity. However, as the GAO points out, even smart cards do not currently have the capacity to store an individual's entire medical record.
While smart cards are more technologically sophisticated, the report highlights a general hurdle that all three card types face when attempting to use them to reduce fraud and abuse. Both CMS and various stakeholders told the GAO that requiring cards to be used would not be feasible because of concerns that doing so would limit beneficiaries' access to care. As the GAO points out, CMS has taken the position that the federal government would continue to pay claims regardless of whether a card was used. Consequently,while the GAO found that using electronically readable cards to authenticate beneficiary and provider presence at the point of care could potentially limit certain types of Medicare fraud, they found that it would have limited effect due to CMS's position on payment.
Stakeholders also conveyed their belief that the use of electronically readable cards would simply have little effect on many fraudulent practices, including, billing for medically unnecessary services, or adding a service that was not provided to an otherwise legitimate claim. The GAO was unable to determine the extent to which authenticating beneficiaries (or providers) at the point of care could limit fraud because there is no reliable estimate of the extent or total dollar value associated with specific types of Medicare fraud schemes. Officials from France and Germany told the GAO that the use of electronically readable cards in their countries has not limited certain types of fraud. In fact, the GAO report found that the use of electronically readable cards could introduce new types of fraud and new ways for individuals to illegally access Medicare beneficiary data. Officials at CMS told the GAO that malicious software written onto an electronically readable card could be used to compromise provider IT systems. Additionally, individuals could illicitly access beneficiary information through the unauthorized reading and collection of data stored on the cards, a practice known as "card skimming."
The GAO also found technical limitations to implementing electronically readable cards. The report concludes that CMS would need to update and obtain additional resources to use electronically readable cards for authentication purposes. Card management processes include issuing cards, replacing cards, updating information on cards, deactivating cards, and addressing cardholder issues. The GAO found that implementing these processes for electronically readable cards used to authenticate beneficiaries (or providers) would present challenges, particularly because the implementation requires changes to industry-wide standards for claim submission as well as the way in which CMS's information technology systems receive submitted claims.
Technical as well as practical limitations would also present themselves if electronically readable cards are to be used to store and exchange medical information. Using electronically readable cards to store and exchange medical records is not part of current federal efforts to facilitate health information exchange, and would likely present challenges. Stakeholders told the GAO that adding another medium, such as a card, outside of provider EHR systems could lead to inconsistencies with provider records. If medical data were to be stored on the card, Stakeholders expressed concern that the data would become "out of sync" with the data in the patients EHR. For example, beneficiaries receiving laboratory tests after an encounter would have no way of uploading the results to their cards before returning to their provider (or before visiting another provider).
Not all of the findings were negative. The GAO found that using electronically readable cards to convey beneficiary identity and insurance information could reduce reimbursement errors and improve medical record keeping. As the report notes, many providers capture identity information by photocopying insurance cards and manually entering beneficiary information into their IT systems. This results in lost time and often introduces errors. These errors can lead to rejections and/or delays in reimbursement. Based on data provided by CMS, the GAO found that up to 44 percent of the more than 70 million Medicare claims that CMS rejected between January 1, 2014, and September 29, 2014, may have been rejected because of invalid or incorrect beneficiary information. In contrast with using electronically readable cards for authentication or to store and exchange beneficiary medical information, the GAO found that CMS would not necessarily need to make changes to current standards and procedures for the cards to electronically convey beneficiary identity and insurance information. As the GAO noted, the cards would not be used in a significantly different way than they are now.