MBI Lookup Tools

The Centers for Medicare & Medicaid Services (CMS) is seeking input and information from stakeholders on the use of Medicare Beneficiary Identifier (MBI) Lookup Tools related to the following topic areas:

• Organizations that operate an externally-controlled MBI lookup tool
• Users of MBI lookup tools, both CMS-operated and externally-controlled
• Potential benefit or impact of prohibiting or restricting externally-controlled MBI lookup tools
• Safeguards or best practices from inside or outside healthcare that CMS should consider for preventing MBI theft and misuse

Comment Deadline: To be assured consideration, comments must be received by Monday, February 17, 2025.
Comment Submission: Comments should be submitted electronically via the survey form.
For Further Information, Contact: MBILookupToolsRFI@cms.hhs.gov with “RFI” in the subject line

Background

Section 501 of the Medicare Access and Children’s Health Insurance Plan (CHIP) Reauthorization Act of 2015 (MACRA) required CMS to remove Social Security Number (SSN)-based Health Insurance Claim Numbers (HICNs) from Medicare cards, and reissue Medicare cards with a non-SSN-derived identifier. CMS elected to utilize a non-SSN-based “Medicare Beneficiary Identifier,” or MBI, to replace SSN-based HICNs. MBIs are 11-digit randomly generated unique identifiers with no connection to the beneficiary’s SSN. MBIs are confidential and considered Personally Identifiable Information (PII).

The use of MBIs for Medicare billing began in 2018, and CMS discontinued the use of HICNs for Medicare billing in 2020. CMS took several steps to help facilitate the transition from HICNs to MBIs, including the creation of a secure MBI lookup tool that providers and suppliers could use to look up a beneficiary’s MBI if they did not have their Medicare card or know their MBI. Other external entities, such as state Medicaid agencies, Medicare Advantage (MA) organizations, and private third-party businesses (e.g., clearinghouses), also host similar MBI lookup tools. These external tools may exist solely to find a beneficiary’s MBI, or they may be part of a more expansive system that has other functions, such as confirming coverage eligibility or assisting with claim submission. We refer to MBI lookup tools not operated by CMS as “externally-controlled MBI lookup tools.”

MBIs have been targeted by individuals seeking to commit Medicare fraud, including the use of MBI lookup tools to commit MBI theft. CMS works to prevent theft and misuse of MBIs through outreach like the “Guard Your Card” campaign and monitoring for reports of compromised MBIs, but fraud continues to occur, much of which is believed to be related to the use of MBI lookup tools. As a part of CMS’s efforts to protect beneficiaries, the agency is considering whether additional safeguards are needed to prevent the misuse of MBI lookup tools to illegally obtain MBIs. Such actions could include restricting or prohibiting externally-controlled MBI lookup tools, but CMS would like to better understand the potential effects of taking such actions. To consider the views of all stakeholders, we are soliciting comments to inform future decision-making regarding how we can best protect MBIs and Medicare beneficiaries. Please fill out the survey to provide comments.

To facilitate survey responses, the full set of questions is reproduced below. Questions marked with an * are required.

RFI Questions

• Please provide the following information for the best point of contact if we have follow-up questions about your responses
  • Email address*
  • Organization
  • Name
     

• Other than state Medicaid agencies, MA organizations, and private third-party businesses, are there any other organizations that operate an externally-controlled MBI lookup tool?

  For reference, we define an externally-controlled MBI lookup tool as any tool not operated by CMS that allows an entity (e.g., a provider) to use other pieces of beneficiary PII (name, date of birth, SSN), to obtain an MBI. These tools may exist solely to find a beneficiary’s MBI or the MBI lookup component may be a component of a more expansive system that has other functions such as confirming eligibility or assisting with claim submission.* 
  (the following question will only display if the answer to this question is “Yes”)

  • What other organizations operate an externally-controlled MBI lookup tool?
     
• Does your organization operate an externally-controlled MBI lookup tool? * 
  (the following questions will only display if the answer to this question is “Yes”)
   
  • What does your organization do?
  • What information does your tool require to be submitted in order to return an MBI?
  • Where do you obtain MBIs to ensure that the information your tool returns is accurate and how do you ensure that these MBIs are retained and disposed of properly?
  • How do you safeguard your MBI lookup tool to ensure that it’s only accessed by the appropriate users for appropriate purposes and it remains compliant with applicable laws and regulations?
    • How do you respond if you detect inappropriate use of your lookup tool?
  • What stakeholders have access to your tool and what training do you provide them about how to appropriately use the tool and handle the information it provides?
  • What value does the tool provide to the Medicare program or other stakeholders?
  • Do you gather feedback from your users about your tool, and if so, how do you collect and use the feedback?
  • How could CMS collaborate with organizations that run externally-controlled MBI lookup tools to prevent MBI theft and misuse?
     

• Does your organization use an MBI lookup tool?

  For reference, we define an MBI lookup tool as any tool that allows an entity (e.g., a provider) to use other pieces of beneficiary PII (name, date of birth, SSN), to obtain an MBI. These tools may exist solely to find a beneficiary’s MBI or the MBI lookup component may be a component of a more expansive system that has other functions such as confirming eligibility or assisting with claim submission.* 
  (the following questions will only display if the answer to this question is “Yes”)

  • Which MBI lookup tool(s) do you use?
  • Who operates the MBI lookup tool(s) that you use most regularly?
  • In what ways are having access to an MBI via a lookup tool beneficial to your operations?
  • What steps do you take to ensure that beneficiaries are aware of how their MBIs are being accessed and used?
  • If you are using an externally-controlled MBI lookup tool, does it offer valuable functionality, access, or information not present in CMS tools? Please describe those capabilities.
  • If externally-controlled MBI lookup tools were not available, what alternative solutions would you use for securely retrieving an MBI?
     
• If externally-controlled MBI lookup tools were prohibited or otherwise restricted, what impact would that have on your organization and operations? How could any negative impacts be mitigated?
   
• Although CMS strives to minimize the number of compromised MBIs, much of the MBI theft results from factors outside of CMS’s control. Based on experience from the healthcare, payment, and other industries that commonly deal with PII, what should CMS consider an expected rate of MBI theft?
  • What additional ideas for safeguards or best practices should CMS consider for preventing MBI theft and misuse that may be effective in non-healthcare settings, such as those used for payment security?
     
• Is there any additional information you would like to provide us?
   
• If you would like to upload a file(s) to support any of your responses, please do so here.

This is a Request for Information (RFI) Only

This RFI is issued solely for information and planning purposes; it does not constitute a Request for Proposal, applications, proposal abstracts, or quotations. This RFI does not commit the Government to contract for any supplies or services or make a grant or cooperative agreement award. Further, CMS is not seeking proposals through this RFI and will not accept unsolicited proposals. Responders are advised that the U.S. Government will not pay for any information or administrative costs incurred in response to this RFI; all costs associated with responding to this RFI will be solely at the interested party’s expense. Not responding to this RFI does not preclude participation in any future procurement, if conducted. It is the responsibility of the potential responders to monitor this RFI announcement for additional information pertaining to this request. Please note that CMS will not respond to questions about the policy issues raised in this RFI. CMS may or may not choose to contact individual responders. Such communications would only serve to further clarify written responses. Contractor support personnel may be used to review RFI responses. Responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Information obtained as a result of this RFI may be used by the Government for program planning on a non-attribution basis. Respondents should not include any information that might be considered proprietary or confidential. This RFI should not be construed as a commitment or authorization to incur cost for which payment would be required or sought. All submissions become Government property and will not be returned. CMS may publicly post the comments received, or a summary thereof.

Collection of Information Requirements

This document does not impose information collection requirements, that is, reporting, recordkeeping or third-party disclosure requirements. However, this document does contain a general solicitation of comments in the form of a request for information. In accordance with implementing regulations of the Paperwork Reduction Act of 1995 (PRA), specifically 5 CFR 1320.3(h)(4), this general solicitation is exempt from the PRA. Facts or opinions submitted in response to general solicitations of comments from the public, published in the Federal Register or other publications, regardless of the form or format thereof, provided that no person is required to supply specific information pertaining to the commenter other than that necessary for self-identification, as a condition of the agency's full consideration, are not generally considered information collections and therefore not subject to the PRA. Consequently, there is no need for review by the Office of Management and Budget under the authority of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).