CMS's Controls Over Assigning Medicare Beneficiary Identifiers and Mailing New Medicare Cards Were Generally Effective but Could Be Improved in Some Areas
Why OIG Did This Audit
From the beginning of the Medicare program, beneficiaries' Medicare cards displayed Social Security numbers (SSNs), which increased beneficiaries' vulnerability to identity theft. To meet the requirements of a 2015 Federal law, the Centers for Medicare & Medicaid Services (CMS) generated new randomized insurance numbers, called Medicare Beneficiary Identifiers (MBIs), to replace SSNs on Medicare cards; assigned the MBIs to beneficiaries; and mailed new Medicare cards. Because deficiencies in assigning MBIs and mailing new Medicare cards could have resulted in unintended consequences, such as claim processing errors and inappropriate release of personally identifiable information, we evaluated CMS's internal controls over implementation of the new MBIs.
Our objective was to assess CMS's internal controls over assigning MBIs and mailing new Medicare cards to beneficiaries.
How OIG Did This Audit
We reviewed policies, procedures, and system controls; Medicare Enrollment Database (EDB) records; Medicare card mailing data (e.g., beneficiary names, MBIs, and mailing addresses); and Medicare payments from January 2018 through March 2019. Specifically, we identified beneficiaries with multiple MBIs, new Medicare cards mailed to deceased beneficiaries, and payments for claims with service dates after beneficiaries' dates of death.
What OIG Found
CMS's controls were generally effective in ensuring that (1) beneficiaries were properly assigned MBIs, (2) deceased beneficiaries were not mailed new Medicare cards, and (3) payments were not made on behalf of deceased beneficiaries. However, in a small percentage of cases, CMS's controls did not prevent multiple MBIs from being assigned to beneficiaries or prevent mailing of new Medicare cards to deceased beneficiaries. In addition, CMS made improper payments of $2.3 million on claims for deceased beneficiaries.
Specifically, we found that CMS assigned to 22,662 beneficiaries 2 or more MBIs associated with multiple enrollment records that contained the same SSN and date of birth because CMS's system controls did not always identify and merge multiple enrollment records before assigning the MBIs. (The MBIs represented 0.02 percent of the MBIs assigned to Medicare beneficiaries.) In addition, CMS mailed 58,420 new Medicare cards after the beneficiaries' dates of death, of which 2,222 were mailed after the EDB was already updated with the dates of death because CMS's system controls did not always check the EDB's date-of-death information in a timely manner before card mailing data were sent to the print/mail contractor. (The 58,420 Medicare cards represented 0.09 percent of the total cards mailed.) Finally, CMS made improper payments for claims with dates of service after the beneficiaries' dates of death even though it had policies, procedures, and system controls to ensure that payments were not made for Medicare services on behalf of deceased beneficiaries. By improving its controls, CMS can limit unintended consequences, such as claim processing errors and inappropriate release of personally identifiable information.
What OIG Recommends and CMS Comments
We recommend that CMS improve its system controls by checking the EDB's date-of-death information as close as reasonably possible to the date that card mailing data are sent to the print/mail contractor to ensure that Medicare cards are not mailed to deceased beneficiaries. We also make two more recommendations, which are shown in the report.
CMS concurred with our recommendations and provided information on actions that it planned to take to address our recommendations.
Filed under: Centers for Medicare and Medicaid Services