Superheroes are often thought of as fictional, costumed crusaders who battle villains, but you need not open a comic book to marvel at the employees in various industries (including healthcare and government) who are fighting crime every day. Their weapon of choice? The Death Master File (DMF).
What is the Death Master File?
The Social Security Administration (SSA) maintains an electronic database called the NUMIDENT (short for "numerical identification") containing information on everyone who's received a social security number (SSN) since issuance began in 1936.
The DMF, a subset of the NUMIDENT, contains more than 86 million death records that the SSA has received from a variety of sources, including funeral homes, postal authorities, banks, states and federal agencies. (Note: The DMF doesn't contain information for every deceased person because many deaths go unreported.)
Per the Freedom of Information Act (FOIA), the SSA is required to release death information to the public. However, Section 205(r) of the Social Security Act exempts state information from the FOIA, thus prohibiting the SSA from disclosing death records provided by states (if a state's record is the sole source of that information) to the public. Therefore, the SSA maintains two versions of the DMF:
- The full file (shared only with certain federal/state agencies) is made up of all death records from the NUMIDENT, including records received from states.
- The public file, which is commonly referred to as the Social Security Death Index (SSDI), is provided to the Department of Commerce's National Technical Information Service (NTIS). The NTIS acts as a clearinghouse that sells access to this information to the public (including certified healthcare entities, insurance companies, federal and state agencies, banks, credit companies, genealogists, etc.). The SSDI comprises information from the NUMIDENT, but not the death records that have been provided solely by a state.
Fighting Crime with the DMF
So how do everyday professionals combat crime with the DMF? In short, they help detect and prevent identity theft. Identity theft often involves the fraudulent use of an SSN because of its status as an authenticator of identification for numerous purposes such as obtaining employment and setting up bank accounts. Decedents' SSNs are particularly vulnerable and, thus, a frequent target for identity theft.
Our compliance heroes meticulously and methodically check information they receive in their respective jobs against the DMF to determine if there is fraudulent activity. Examples include:
- Verifying that individuals trying to avoid healthcare sanctions and exclusions are not using a false SSN to obtain employment (onboarding professionals).
- Performing regular (monthly or quarterly) exclusion screenings to monitor for sanctions (compliance/payer credentialing).
- Ensuring that services are not being billed to Medicaid and Medicare under a deceased doctor.
- Ensuring that payments are not made to providers or suppliers for services billed for deceased beneficiaries (surveillance and utilization review staff).
- Tracking study subjects (medical researchers).
- Tracking former patients (hospitals, oncologists).
- Verifying that individuals are not using a false SSN to obtain employment.
Other Industries
- Ensuring that firearms are not being obtained by someone posing as a US citizen (retailers).
- Determining whether an individual has filed a fraudulent tax return (government).
- Verifying identity when setting up bank accounts, issuing loans or extending lines of credit (financial institutions).
In the past, some large genealogy companies provided free online versions of the SSDI, which allowed dishonest individuals to obtain SSNs in order to commit fraud. In 2011, the information included in the SSDI was changed (including the removal of state records), and access restrictions were increased.
Then, the Bipartisan Budget Act of 2013 implemented a three-year period (beginning on the date of death) during which only authorized users and recipients who qualify can access a decedent's DMF record. Deaths are also not incorporated into the SSDI until the three-year period is complete. These changes mean that individuals and genealogists can no longer use the FOIA to request social security records for individuals who have died within the past three years.
With Great Power Comes Great Responsibility
To further ensure only the good guys are getting their hands on the confidential database, the NTIS established a certification program for those seeking DMF access. This program, under a final rule effective Nov. 28, 2016, limits access to persons or companies that (1) can prove either legitimate fraud prevention interest, or business purpose pursuant to a law, rule, regulation, or fiduciary duty; (2) have network security procedures in place to safeguard the DMF information; and (3) have experience in maintaining the confidentiality, security, and appropriate use of such information.
Organizations seeking access now must obtain an attestation from an independent third-party Accredited Conformity Assessment Body (ACAB) stating that their information security systems, facilities and procedures are effective to protect the DMF. A service organization control (SOC 2) report can document whether an organization meets those requirements, as it provides detailed information about the controls relevant to the security, availability, and processing integrity of the systems that process user data, as well as the confidentiality and privacy of that information.
By Your Powers Combined...
If your organization is ready to join the ranks of everyday heroes, contact an ACAB to have a SOC engagement performed. Receiving an "unqualified" SOC 2 report is a critical step in obtaining certification so that you, too, can use the DMF to help fight identity fraud.
The KraftCPAs PLLC healthcare industry team provides operational, financial, and regulatory services, including external and internal audit, tax, accounting, system & organization control (SOC), and IT audit. For more information, contact Gina Pruitt at gpruitt@KraftCPAs.com.