Thursday, June 04, 2009

Worried about privacy? You should be. Update on MMSEA 111 teleconference

I just finished my first live Tweet reporting of a teleconference hosted by Medicare (technically, the "Centers for Medicare and Medicaid," or CMS). It was about the new federal requirement for employers to send quarterly reports of all subscriber personal information. I will create a report of my Tweets and post them where you can read them, or feel free to browse In the meantime, here are my impressions:

1. CMS representatives sounded supportive, asking participants with questions to send details via email so they could help them after the teleconference.

2. HOWEVER--although CMS representative Bill Decker opened the session with assurances that this new government regulation is for cross-checking Medicare beneficiaries only, questions from attendees came up about getting social security numbers of spouses or employees in other locations who were refusing to provide them, as well as dates of birth. CMS's response: "We ask you to *ask* for the SSN, it doesn't hurt to ask." Sounds like if SSNs can be obtained, then go for it.

3. The new mandatory reporting allows employers to satisfy this requirement in either of two ways:
  • By submitting "Active Covered Individuals" [those eligible for Medicare: age 55, handicapped, or on kidney dialysis]
  • Or by using the "Finder File" feature [collect ALL employee and dependent personal information, filter list against Medicare's list or hire an outside contractor to do this, then submit to Medicare].
However, in both cases, the employer will be asking employees for spousal and dependent SSNs and dates of birth in order to determine Medicare eligibility--or, like my husband's employer, collect the information and send it to an outside third party to do the filter for submission to CMS.

I reiterate--I DO NOT WANT my husband's employer to have my SSN, or worse, some "outside third party." The SSN was never intended to be used as a de facto identifier anyway, so I object anytime it is used in this manner. Also, giving my SSN to an employer with whom I have no other contact is creepy. Why should they be able to access any information about me (or my children)? I know they're not "supposed to," but the potential for that exists; just think of Joe the Plumber (more details here).

But perhaps most frighteningly, giving up my SSN exposes me to greater potential of identity theft, since the information will be collected and disseminated in a myriad of electronic locations beyond my control, or beyond legitimate uses by the IRS or any of my previous actual employers. All it takes is for someone to lose a hard drive or for someone to steal a laptop for my personal information--and yours--to be compromised.

Tell me what you think.

In the meantime, if your spouse's employer asks for your SSN, use this form instead provided by the same agency requiring the collection of this information.

As for the potential for turning this into a National Healthcare Database, I think you can see how easy it would be to enlarge this system beyond simply "Medicare recipients." To comply, employers are already gathering your personal information for their quarterly reports to the government, including unprecedented collection of information on spouses and children of employees. It could be used as a national database of current healthcare beneficiaries, just a step away from becoming a national healthcare database.


Jeremy said...

On the SSN issue, in public higher Ed around here we go to great lengths to keep a person's SSN private. Seems like this is understood as a necessity and I'm surprised that they're asking for this. The only place we report SSN's is to the IRS, where it makes sense.

On the larger privacy issue of a healthcare database, are they also including your "health record". If so, I think this is a bad thing and creates privacy problems.

Jeremy Hickerson

Kimn said...

Hi Jeremy, during the teleconference today an insurer asked about reporting subscriber coverage changes, especially for those who change from plan to plan often. One of the CMS representatives (there were four) affirmed that they should report each change for that reporting period, which is every quarter. Also, Medicare is trying to enforce being the secondary payor on health claims for Medicare beneficiaries, meaning if you have private insurance through an employer, claims must be processed through them first before Medicare pays. I don't object to that at all, but what I DO object to is this collection of SSNs and other personal information (such as DOBs and what insurance plan my family has) and providing that to Medicare, when no one in my family is eligible for Medicare. One of the CMS also reminded the participants to keep in mind that the employees and dependents will, at some point, reach age 55 or have an event like kidney failure (for dialysis, a Medicare-covered condition), or become disabled, so quarterly updates on non-Medicare eligible participants in a group health plan will be "good to keep up."