Death Master Crime Fighters
By Moni J. Cook, CPA
Superheroes are often thought of as fictional, costumed crusaders who battle villains, but you need not open a comic book to marvel at the employees in various industries (including healthcare and government) who are fighting crime every day. Their weapon of choice? The Death Master File (DMF).
The Social Security Administration (SSA) maintains an electronic database called the NUMIDENT (short for "numerical identification") containing information on everyone who's received a social security number (SSN) since issuance began in 1936.
The DMF, a subset of the NUMIDENT, contains more than 86 million death records that the SSA has received from a variety of sources, including funeral homes, postal authorities, banks, states and federal agencies. (Note: The DMF doesn't contain information for every deceased person because many deaths go unreported.)
Per the Freedom of Information Act (FOIA), the SSA is required to release death information to the public. However, Section 205(r) of the Social Security Act exempts state information from the FOIA, thus prohibiting the SSA from disclosing death records provided by states (if a state's record is the sole source of that information) to the public. Therefore, the SSA maintains two versions of the DMF:
So how do everyday professionals combat crime with the DMF? In short, they help detect and prevent identity theft. Identity theft often involves the fraudulent use of a SSN because of its status as an authenticator of identification for numerous purposes such as obtaining employment and setting up bank accounts. Decedents' SSNs are particularly vulnerable and, thus, a frequent target for identity theft.
Our compliance heroes meticulously and methodically check information they receive in their respective jobs against the DMF to determine if there is fraudulent activity. Examples include:
In the past, some large genealogy companies were providing free online versions of the SSDI, which allowed dishonest individuals to obtain SSNs in order to commit fraud. In 2011, changes to the information that is included in the SSDI were effected (including the removal of state records), and access restrictions were increased.
Then, the Bipartisan Budget Act of 2013 implemented a three-year period (beginning on the date of death) during which only authorized users and recipients who qualify can access a decedent's DMF record. Deaths are also not incorporated into the SSDI until the three-year period is complete. These changes mean that individuals and genealogists can no longer use the FOIA to request social security records for individuals who have died within the past three years.
To further ensure only the good guys are getting their hands on the confidential database, the NTIS established a certification program for those seeking DMF access. This program, under a final rule effective Nov. 28, 2016, limits access to persons or companies that (1) can prove either legitimate fraud prevention interest, or business purpose pursuant to a law, rule, regulation, or fiduciary duty; (2) have network security procedures in place to safeguard the DMF information; and (3) have experience in maintaining the confidentiality, security, and appropriate use of such information.
Organizations seeking access now must obtain an attestation from an independent third-party Accredited Conformity Assessment Body (ACAB) stating that their information security systems, facilities and procedures are effective to protect the DMF. A service organization control (SOC 2) report can document whether an organization meets those requirements, as it provides detailed information about the controls relevant to the security, availability, and processing integrity of the systems that process user data, as well as the confidentiality and privacy of that information.
If your organization is ready to join the ranks of everyday heroes, contact an ACAB to have a SOC engagement performed. Receiving an "unqualified" SOC 2 report is a critical step in obtaining certification so that you, too, can use the DMF to help fight identity fraud.
Moni J. Cook, CPA, CHC, CCSFP, a senior manager in the risk assurance & advisory services practice of KraftCPAs PLLC, has more than 22 years of operational, financial and regulatory experience. KraftCPAs provides clients in the healthcare industry with various services, including audit, tax, accounting, service organization control (SOC), and internal audit. For more information, contact Moni at firstname.lastname@example.org.