Healthcare Information Security

Patient Privacy News

Will CMS Improve Patient Data Security with SSNRI?

The Social Security Number Removal Initiative hopes to strengthen patient data security measures by adjusting the Medicare beneficiary identification process.

By Elizabeth Snell

One aspect to the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015 could affect patient data security measures, as it requires healthcare organizations to remove Social Security Numbers (SSNs) from all Medicare cards by April 2019.

SSNRI can potentially improve patient data security

The Social Security Number Removal Initiative (SSNRI) will use a randomly generated Medicare Beneficiary Identifier (MBI) on Medicare cards, used for Medicare billing transactions, as well as eligibility and claim status, according to the Centers for Medicare and Medicaid Services (CMS) website.

Currently, an SSN-based Health Insurance Claim Number (HICN) is used on the cards. By eliminating that number, CMS explains that private healthcare and financial information can be better protected. Furthermore, Federal healthcare benefit and service payments security can also improve.

“Moving to new Medicare numbers and cards requires a lot of changes to our systems and how we do business,” CMS states. “The same is true for you -- our business partners. We’ve already started this work and want to help you shift to the new MBIs by April 2018. No earlier than April 2018, we’ll start sending the new Medicare cards with the MBI to all people with Medicare.”

The transition period will start no earlier than April 1, 2018 and will then run through December 31, 2019.

CMS notes that the MBI won’t change Medicare benefits, and that individuals with Medicare can use the new Medicare cards and MBIs as soon as they are received.

It is also important to know that the MBI will be “clearly different” than the HICN and the United States Railroad Retirement Board (RRB). The MBI will be made of only of numbers and uppercase letters, and will be 11 characters long.

With cybersecurity threats continuing to evolve, healthcare organizations need to keep their data security measures up to date. Medical identity theft is just one potential outcome from a healthcare data breach, but can be particularly devastating and difficult for individuals to recover from.

Removing SSNs might not prevent a healthcare data breach from occurring, but should an individual lose his or her Medicare card, it will ensure that SSNs do not as easily fall into unauthorized hands.

The SSNRI has been a long time coming. Previously, the Government Accountability Office (GAO) has called upon CMS to find an efficient system that removes SSNs from Medicare cards.

In a 2013 report, GAO determined that CMS hasn’t selected and implemented a technical solution for removing SSNs from Medicare cards.

CMS had also previously conducted studies in October 2006, November 2011, and May 2013 to replace the SSN-based Medicare identifier, GAO said. However, they “were not intended to identify a specific technical solution for removing SSNs from cards.”

“We believe that CMS is currently positioned to implement both our recommendations, regardless of perceived constraints, and to take the actions needed to initiate an IT project as part of its agencywide modernization initiative,” GAO said in the report. “If such actions are taken CMS could improve HHS’s ability to protect Medicare beneficiaries against increased risk of identity theft introduced by the use of SSNs on Medicare cards.”

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks