This Alert is from AHLA’s Hospitals and Health Systems Practice Group.
In an effort to combat identity theft and prevent fraud as well as to comply with the provisions of the
Medicare Access and CHIP Reauthorization Act (MACRA) of 2015, the Centers for Medicare and
Medicaid Services (CMS) will be sending Medicare beneficiaries new Medicare cards beginning in
April 2018 and continuing through April 2019. The new cards will contain a Medicare Beneficiary
Number (MBI) that will replace the beneficiary’s social security number-based Health Insurance
Claim Number (HICN). The MBI will be used for items such as eligibility, billing, and claims, and
should be treated as confidential Personally Identifiable Information.
CMS has been providing updates in an effort to better prepare providers and suppliers for the
transition, beginning with a press release in May 2017. Since that date, CMS has provided periodic
guidance on its website covering such topics as how the mailings will be done with a phased
approach by geographic location, to a transition period during which either the MBI or the HCIN
can be used, to Open Door Forums to target interested parties. The transition will have far
reaching implications and affects numerous parties and processes.
The most recent CMS update, issued on February 5, 2018, provides information on remittance
advices. The guidance indicates that starting in October 2018 and continuing through the transition
period, when claims are submitted using a patient’s HCIN, CMS will include both the HCIN and
MBI on each remittance advice. CMS goes on to provide examples of various remittance advices.
For Medicare Part B providers and suppliers, the example shows a remittance advice screen shot
illustrating the new field that will show the MBI when a provider or supplier submits an active, valid
HICN. In another example for institutions, a screen shot shows the field where the MBI will display
when the provider submits an active, valid HICN. Providers and suppliers are able to see how the
new numbers will be captured as they prepare for the transition period.
The guidance also reminds providers that beneficiaries can check the status of their new cards
beginning in April 2018 on the Medicare.gov website. In addition, CMS provides an overview of the
mailing strategy and how the distribution of cards by geographic location will unfold. Finally, the
guidance provides a link to messaging guidelines for providers to use as a resource for patient
questions. The guidance has preferred language and terms to use in patient communication
materials. It also has tips on communications for Medicare Advantage members who would
continue to use plan cards. Providers wishing to create messaging for their patients should
reference the guidelines when crafting communications so as to follow CMS’ preferred language
and overall approach.
While the change from social security numbers to MBIs will not happen overnight and will likely
encounter hiccups along the way as systems and processes change, adding protections for
beneficiaries is indeed a positive outcome. The focus on identity theft prevention coupled with
regular reports of cyberattacks serve as a good reminder for all providers that managing risks
associated with sensitive information and federal and state privacy and security laws must play a
key role in the organization’s enterprise risk management process and involve stakeholders from
across the organization.