In an effort to combat growing concerns of identity left, President Obama signed into law last week a bill that will require the removal of Social Security Numbers (SSNs) from all Medicare beneficiary cards. The change, which follows years of warnings to Medicare officials, will be implemented over the next eight years. Medicare has four years to begin issuing cards with new identifiers, and four years after that to reissue cards to current beneficiaries.

The removal of SSNs from the cards is not only expected to decrease the risks associated with identity theft for Medicare beneficiaries, but also Medicare’s risk of exposure associated with breaches of protected health and personal information under the Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws. The impermissible disclosure of SSNs by a health plan, such as Medicare, health care providers and health care clearinghouses (together “covered entities”) are generally considered breaches under the HIPAA Breach Notification Rule and similar state notification laws. Such laws require substantial, and often expensive, action, including notifications to affected individuals, the Office for Civil Rights, state Attorneys General, and consumer protection agencies. Moreover, some states require covered entities to provide complimentary identity theft protection to individuals whose SSNs are breached. Breaches of protected health and personal information may also result in significant monetary penalties.

Additional information on the new Medicare card requirements is available here.