Attachment B

The Need for Health Insurance Claim Numbers and/or Social Security Numbers

The Centers for Medicare & Medicaid Services (CMS) seeks to collect various data elements from the applicable reporting entities for purposes of implementing the mandatory Medicare Secondary Payer (MSP) reporting requirements of Section 111 of the Medicare Medicaid and SCHIP Extension Act of 2007 (P.L. 110-173). The reporting of Medicare Health Insurance Claim Numbers (HICNs) or, if unavailable, Social Security Numbers (SSNs), is critical for accurate coordination of benefits.

The Medicare program uses the HICN to identify Medicare beneficiaries receiving health care services and to otherwise meet its administrative responsibilities to pay for health care and operate the Medicare program. Pursuant to 42 U.S.C. 1395y(b), Medicare is the secondary payer to GHP coverage under certain defined circumstances; and to liability insurance (including self-insurance), no-fault insurance, and workers’ compensation (collectively referred to as “NGHP” coverage).

Medicare uses an individual’s HICN to ensure that Medicare makes payment in the proper payer order and/or takes the necessary recovery actions. Absent the HICN, CMS would not be able to systematically link the reported data to a particular Medicare beneficiary. But while the HICN is the CMS required data element, if an insurer is unable to obtain a HICN we request that they provide an SSN. The SSN is used as the basis for the HICN, and CMS will use the SSN to retrieve the HICN.

Effective January 5, 2015, in the case where a NGHP RRE cannot obtain an individual’s HICN or full SSN, the NGHP RRE may provide the last 5 digits of the individual’s SSN, first initial, surname, date of birth, and gender. NGHP RREs may continue to submit the HICN or full SSN as before without making any changes to the field and file formats.

We understand that some individuals may be hesitant about providing their HICNs or SSNs. CMS recognizes that the collection and use of individual HICNs or SSNs is limited by an evolving body of federal and state law and regulation. When a HICN or SSN is to be used for personal health information, management of the HICN/SSN (e.g., who can collect it, for what reason and with what other entities or persons will it be shared) is directed by regulations required by the federal Health Insurance Portability and Accountability Act (HIPAA). These regulations are referred to as the HIPAA privacy rules. These rules are quite strict, and after they were fully implemented in 2004, measures to protect personal health information became stronger. Collection of HICNs and SSNs for the purposes of coordinating benefits with Medicare is a required, legitimate and necessary use of the HICN/SSN under Federal law.

We also note that there are some state laws that restrict when SSNs can be collected and how SSNs can be used. These state initiatives do not preempt the MSP statutory or regulatory provisions or the “permitted use” provisions of the HIPAA privacy rules. These referenced federal laws allow for the collection and use of the SSNs to help providers and insurers manage their operations. Some states now restrict how SSNs may be displayed, such as prohibiting a health plan from including an SSN on an individual’s plan ID card. Such state laws are permissible, to the extent they augment but do not conflict with or constrain the will requirements of federal laws or regulations.