
Increased MBS Compliance Audits Initiative; Submission to the Senate Standing Committee on Community Affairs Inquiry (April 2009)


Table of Contents

Executive Summary

The Office of the Privacy Commissioner

Introduction

Background and context of the initiative

Stakeholder engagement and consultation

Privacy Impact Assessment (PIA)

Medicare Australia’s current approach to MBS compliance audits

Scope of proposed reform to MBS audit procedures

Public trust and expectations for handling personal health information

General comments and suggestions

Compliance and good privacy practice

Safeguards for handling personal health information under the initiative

Limitations on collection of clinical information

Other policies and statements on limiting clinical information handling

Clarifying how safeguards interoperate

Notice about information collected for MBS audits

Notice to patients

Notice to providers

Review of privacy policies and notice procedures

Protecting privacy and public revenue: proportionality and confidence in Government

Ensuring collection isn’t unreasonably intrusive (IPP 3)

Specific comments and suggestions for further consideration

Tailored policies for handling clinical information

Particularly sensitive items and information

Medical practitioner oversight

Degree of patient identification required

Reporting and review requirements

Secondary use restrictions

Conclusion

 

Executive Summary

The Office of the Privacy Commissioner (‘the Office’) welcomes the opportunity to comment on the increased MBS compliance audits initiative (‘the initiative’) and the Health Insurance Amendment (Compliance) Bill 2009. The initiative itself was a 2008-09 budgetary measure.

The Office’s submission deals with the privacy and information-handling aspects of the initiative, in particular the proposed addition to Medicare Australia’s audit powers (in limited circumstances) to compel providers to disclose patient information to Medicare Australia in order to verify MBS claims.

This submission examines the privacy safeguards that are proposed to apply to the initiative, and highlights issues that may warrant further consideration, in the interests of good privacy practice and information handling that accords with the Privacy Act 1988 (Cth).

The Office welcomes the attention paid to privacy issues so far through Medicare Australia and DoHA’s joint privacy impact assessment, and ongoing consultation with professional, consumer and privacy groups as well as the Privacy Commissioner. The intention that privacy impact assessment will be an ongoing process that will guide implementation is also a welcome one.

It is important that adequate safeguards are in place to protect personal health information collected under the initiative. Existing safeguards include protections under the Privacy Act (the Information Privacy Principles) and the Health Insurance Act. Some specific additional protections are also warranted.

Taken together, these safeguards should include:

  • specifying limits around the kind of personal health information that needs to be collected (in particular, clinical information)
  • restricting its further use for other purposes
  • prescribing the type of officers who may view this information
  • providing additional training to those officers, and
  • ensuring adequate sanctions are in place for misuse of patients’ information.

Internal Medicare Australia policies, auditor training and provider education are likely to play an important role in limiting the disclosure of clinical information to what is necessary.

The Office suggests additional Medicare Australia policies would be of benefit, including to:

  • give providers who are subject to an audit a clear idea whether or not clinical information is required, and
  • prevent requests for information drawn from clinical records when other information is sufficient (such as billing or attendance records).

In reviewing and developing additional internal policies for Medicare Australia auditors, it may also be useful to consider the following options:

  • tailoring collection and information handling methods for particularly sensitive Medicare items and information
  • considering the role of medical advisers in audits that involve clinical information
  • limiting the degree of patient identification required during audits, and
  • introducing reporting and review requirements for ongoing accountability and evaluation of the initiative.

The Office believes there is a need to maintain high levels of public trust and confidence in agencies’ handling of personal information. Medicare Australia itself appears highly conscious of the sensitivity of the personal information it currently holds, and the Office would expect these standards to be reflected in the initiative’s development.

Taking a whole-of-government perspective, where arguments for increased protection of public revenue are persuasive, it remains important to minimise impacts on privacy by design, legislation, and policy protections. This is particularly relevant to health and other sensitive information, because of the special significance of that information in the eyes of the community.

The Office believes that minimising requests and compulsory acquisition of clinical notes (by relying on other evidence) should remain a key privacy driver and benchmark for the initiative. This may also assist in ensuring Medicare Australia’s high privacy standards are maintained.

In the Office’s view, the opportunity to consider these and other issues raised in the Senate Committee process will enhance the initiative’s development, building on the valuable privacy impact assessment and consultation processes to date.

The Office looks forward to further engagement on this initiative with relevant agencies and stakeholders, to ensure privacy continues to be protected and respected while maintaining the integrity of the Medicare Benefits Schedule (‘MBS’).

The Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (‘the Office’) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) (‘the Privacy Act’), has responsibilities for the protection of individuals’ personal information held by:

  • Australian and ACT government agencies, and
  • all large private sector organisations, health service providers and some small businesses.

The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Introduction

2. The Office welcomes the opportunity to comment on the increased MBS compliance audits initiative (‘the initiative’) and the Health Insurance Amendment (Compliance) Bill 2009 (‘the Bill’). The Office’s comments deal with the privacy and personal information-handling aspects of the initiative, in particular the proposed addition to Medicare Australia’s audit powers, to compel providers to disclose patient information to Medicare Australia (including clinical information), in limited circumstances, to verify the accuracy of providers’ MBS claims.

3. This submission comments on existing and additional privacy safeguards that are proposed to apply to the initiative, and highlights issues that may warrant further consideration, in the interests of good privacy practice and personal information-handling in accordance with the Privacy Act 1988 (Cth) (‘Privacy Act’).

Background and context of the initiative

Stakeholder engagement and consultation

4. The Minister for Human Services has emphasised the need to work with key stakeholders, including the Privacy Commissioner, in developing the necessary changes that will give effect to the initiative, which was a 2008-09 budgetary measure.

5. The Department of Health and Ageing (‘DoHA’) and Medicare Australia have sought the Office of the Privacy Commissioner’s advice at various stages since the initiative was put forward. This includes advice under the Office’s ongoing Memorandum of Understanding with Medicare Australia.

6. The Office is committed to assisting Medicare Australia with a view to minimising the initiative’s privacy impacts through an effective range of safeguards. It is important to note that these safeguards will act in concert with the information security requirements and secrecy provisions that already bind Medicare Australia staff. These include the Information Privacy Principles (‘IPPs’) under the Privacy Act, and ‘secrecy provisions’ under the Health Insurance Act 1973 (‘Health Insurance Act’).

7. The Office welcomes the consultation so far undertaken with other relevant stakeholders, including opportunities for input by professional, consumer and privacy groups. In the Office’s view, the ongoing involvement of these stakeholders and the Privacy Commissioner, along with the Senate Community Affairs Committee’s scrutiny, will assist the initiative’s implementation.

Privacy Impact Assessment (PIA)

8. A privacy impact assessment can be an important tool to identify and address the potential privacy impacts of a project that involves personal information handling. PIAs can inform the design and implementation of such projects, to ensure that sound personal information-handling practices are ‘built in’ rather than ‘bolted on’. In 2006 the Privacy Commissioner released a Privacy Impact Assessment Guide to assist Australian and ACT Government agencies to integrate privacy into such projects.[1]

9. The Office welcomes the attention paid to privacy issues so far through Medicare Australia and DoHA’s joint PIA. This process, and public information about the initiative, refers to a range of safeguards intended to minimise privacy impacts. Such protections need to be adequate, effective and enforceable, with reference to:

  • sound personal information management and good privacy practice
  • public and stakeholder confidence in agency policies
  • Medicare Australia’s responsibilities and reputation for sound personal information-handling practices.

10. The Office also welcomes the intention that a further PIA will be conducted to guide Medicare Australia’s implementation of the initiative. This reflects the Office’s view that privacy impact assessment is often an iterative process – one that is ongoing as a project progresses to new stages.

Medicare Australia’s current approach to MBS compliance audits

11. The Office understands that Medicare Australia’s audits follow a risk-based assessment model, focussing on providers and services with a medium to high risk of non-compliance.[2] This is a welcome and preferable approach to random audits. It may also be relevant in considering whether collection of personal information is necessary and relevant under Information Privacy Principles 1 and 3.

12. Being the subject of an MBS audit should not imply a practitioner is deliberately or necessarily doing anything wrong. It is understood that current audit procedures give providers an opportunity to explain anomalies in MBS claiming patterns without requests for further clinical details or patient information, and that audits can be closed if a satisfactory explanation is given. The Office supports the continuation of this staged audit approach, as one method of limiting when patient information will be sought under the initiative.

13. At present, the Office understands that patient information, including some clinical information, is provided voluntarily by some audited providers.[3] The key difference under this initiative is that the Bill would give Medicare Australia limited additional powers to require such information to be produced.

Scope of proposed reform to MBS audit procedures

14. It is understood that the initiative as proposed consists of three main elements:

  1. an increase in the number of audits undertaken by Medicare Australia[4]
  2. a requirement that practitioners must produce evidence to verify their claiming when requested during an audit
  3. introducing a financial penalty for Medicare practitioners who make incorrect claims.[5]

15. The Office’s interest is in the second aspect, particularly with regard to personal information handling and scrutiny of clinical records. The Bill’s proposed changes need to be assessed in the context of Medicare Australia’s existing role in conducting MBS audits (to oversee the appropriate spending of public money), and the secrecy provisions that currently regulate these activities.

Public trust and expectations for handling personal health information

16. The Office believes there is a need to maintain high levels of public trust and confidence in government agencies’ handling of personal information (see also ‘Protecting privacy and public revenue...’, para 36 below). Community Attitudes Surveys conducted by the Office suggest an increase in public trust in government agencies since 2001.[6] Medicare Australia appears highly conscious of the sensitivity of the personal information it currently holds, and the concomitant need to meet the Australian community’s high expectations for information-handling.[7]

General comments and suggestions

Compliance and good privacy practice

17. In the Office’s view, the initiative’s privacy impacts should be assessed in relation to good privacy practice, in addition to legal compliance with relevant laws that bind Medicare Australia. Good privacy practice is important because the Bill would require or authorise certain activities ‘by or under law’ – thereby satisfying relevant Privacy Act requirements regarding use and disclosure. (For example, the Bill may authorise a provider’s disclosure, and Medicare Australia’s use of the information for legally authorised purposes, relating to verifying MBS claims.)

18. Good privacy practice can include general concepts such as:

  • limiting collection to information that is necessary for a relevant function
  • providing adequate notice about collection and information-handling practices where appropriate, either specifically or to the public generally
  • transparency of objectives and information-handling policies (such as using or disclosing personal information only for the intended purpose)
  • respecting the sensitivity of the information involved, and
  • considering the most privacy-friendly options that satisfy project objectives.

Safeguards for handling personal health information under the initiative

19. Any personal information held by MBS providers is likely to be ‘health information’ under the Privacy Act. ‘Health information’ is a subcategory of ‘sensitive information’, which is generally ascribed higher protections under the Act.[8] It is therefore important to ensure that adequate safeguards will protect personal information collected under the initiative. This should include existing protections under the Privacy Act (IPPs), the Health Insurance Act, and some specific additional protections. Examples of necessary safeguards include:

  • specifying limits around the kind of personal information that needs to be collected
  • restricting its further use for other purposes
  • prescribing the type of officers who may view this information
  • providing additional training to those officers, and
  • ensuring sanctions are in place for misuse of patients’ information.

Limitations on collection of clinical information

20. It has been stated that the disclosure and collection of clinical information will not be necessary or relevant in “most compliance audits”.[9] The intention is that clinical information would only be requested where other documentation such as appointment or billing records are not sufficient to verify claims. It is also understood that “Medicare Australia will not be authorised to request whole patient files”,[10] but that relevant excerpts from medical records can be required to substantiate a given claim.

21. The Office supports such limitations, provided they are enforceable – either through clear limitations in the Bill, or in policies that bind Medicare Australia staff (addressed further below). However, the mechanisms that will give effect to these assurances could be clarified. For example, MBS Information Sheet B states: “The proposed legislation will not specify the kind of document a provider should produce.”[11] This is intended to maintain sufficient flexibility for providers to comply.[12]

22. In the absence of legislative definition, it appears that internal Medicare Australia policies, auditor training and provider education will be important in limiting the disclosure of clinical information to what is necessary.[13] Accordingly, the Office suggests additional policies are needed to:

  • give providers who are subject to an audit a clear idea whether or not information from clinical records is required to be produced in a given audit, and
  • prevent requests for information drawn from clinical records when other information is sufficient (such as billing or attendance records).

23. Such policies should help achieve the initiative’s intent to “address [the current] ambiguity”[14], and would align with professional bodies’ calls for limits on collection of clinical information.[15]

24. These policies could be publicised, to the extent appropriate, in a clear and accessible way: for example, in privacy policies, on Medicare Australia’s website, summarised on claim forms, and in other documentation about the initiative.

25. In relation to fines applying to providers for producing insufficient documentation,[16] it may also be appropriate for the Bill to provide additional protection to providers who (in good faith) produce information that they believe is sufficient, but are subsequently required to produce further information to verify MBS claims (and agree to do so).[17]

Other policies and statements on limiting clinical information handling

26. Other relevant policy statements and safeguards are noted briefly below, along with the Office’s comments:

  • Medicare Australia must have a “reasonable concern” that a claim has been made incorrectly.[18]
    • This is a relevant safeguard in the legislation. The standard of ‘reasonable concern’ could be clarified.[19]
  • “The legislation will clearly state that Medicare Australia can only ask for and accept documents relevant to substantiating the MBS item/s of concern.”[20]
    • This is a welcome measure and should help to ensure that only relevant information will be exchanged.

Clarifying how safeguards interoperate

27. The Office understands that some of the safeguards discussed above would be given binding effect through the Bill, or are already in place under the Privacy Act and the Health Insurance Act. Other measures would presumably be given effect and enforced outside of legislation – such as binding Medicare Australia policies (existing or proposed), and provider education programs. It may be useful to outline in further detail how each privacy safeguard described will be given effect, and how they will interoperate.

Notice about information collected for MBS audits

Notice to patients

28. It is often a Privacy Act requirement, and is generally good practice, to notify individuals of when their personal information is being collected, why it is collected, and how it may be used or disclosed. Indeed, the collection of health information by a business generally requires an individual’s consent, although this requirement does not apply to Australian Government agencies.[21]

29. As patient information is collected from providers being audited under the initiative, not from patients themselves, an agency’s usual notice requirements under Information Privacy Principle (IPP) 2 do not apply. The Office also understands that existing MBS audit practices generally do not involve specific notice to individual patients (in contrast to fraud investigations, for example). Nevertheless, the compulsory collection of health information, including from clinical records, introduces a new element to Medicare Australia’s audit powers. The issue of patient notification has therefore been of interest to the Office and other stakeholders.

30. The Office understands that Medicare Australia and DoHA have given substantial thought to notification options and good practice in the PIA process. A range of positive and negative considerations have been weighed up, following consultation with key stakeholders.

31. In the Office’s view, the most convincing arguments against specific notice are the potential for compromising provider privacy, and the likelihood of potential alarm or harm to patients. A number of professional groups raised these concerns.[22] The likelihood of notice causing additional administrative processes is, in the Office’s view, not as compelling.[23]

32. On balance, in light of existing audit practices, stakeholder views, and the substantial consideration of various options by the relevant agencies, it appears that the benefits of specific notice to patients may be outweighed by the risk of negative outcomes. This view is also based on Medicare Australia and DoHA’s acknowledgement that a more general information campaign needs to be undertaken, to raise public awareness of the initiative and the role of MBS audits.

Notice to providers

33. The Privacy Act’s notice requirements (IPP 2) will still apply to information that Medicare Australia collects about practitioners themselves. The Office suggests that privacy notices to providers outline the handling of personal information about the practitioner and about their patients. This seems appropriate because:

  • patient information is subject to duties of doctor-patient confidentiality
  • the records are generally the practitioner’s intellectual property, and
  • the practitioner can inform their patients of certain facts if they deem this appropriate (without replacing Medicare Australia’s role in informing patients more generally about its audit and information handling practices).

34. Privacy notices to providers should also state if there is a legal requirement or authorisation for the collection, as required by IPP 2(d).

Review of privacy policies and notice procedures

35. The Office would also support recommendations to review the privacy policies and notice procedures of Medicare Australia and health service providers in relation to the initiative. The Office has a number of Information Sheets which may be useful reference points in this regard. For example, Private Sector Information Sheet 23 discusses patients’ reasonable expectations about information-handling for the management of a health service, such as for safety and quality assurance purposes.[24] The Office’s Information Sheet 3 also gives an introductory overview of NPP 5 obligations on Openness in the private sector.[25]

Protecting privacy and public revenue: proportionality and confidence in Government

36. This initiative has fostered some public discussion around the relationship of confidentiality between practitioners and patients. It has been noted that patients rely on this relationship of trust and confidentiality and can therefore feel comfortable providing full and frank information to their doctor. At the same time, existing ‘public interest’ exceptions to confidentiality have also been noted. These include mandatory notification of suspected child abuse and certain diseases, and access to clinical records by police, courts and medical boards in some situations.

37. It is notable that the public interest in several of these exceptions relates to individual or public safety. In the Office’s view, there are different imperatives between public safety and public revenue protection. Generally, the Office would suggest a more cautious approach to reducing existing privacy protections or compromising confidentiality on the sole basis of increased public revenue protection.

38. Proposals in relation to public revenue protection must be carefully considered on their individual merits and, taking a whole-of-government perspective, on their cumulative impact. Policy-makers should also consider the most privacy-friendly options or alternatives that satisfy project objectives. In the Office’s view, such rigorous consideration can avoid a general diminution of privacy protections, which could have unwarranted impacts on individual privacy and community confidence in governments’ protection of personal information.

39. The efficient use of public money and arguments for fraud reduction are important. Also important are the rights and interests of confidentiality and privacy of sensitive information, which are highly valued by those individuals and practitioners who correctly use and rely on the MBS. Both are legitimate public interests. Arguments for public savings and fraud reduction must therefore be proportionate to the problem, and should generally meet public expectations and good privacy practice.

40. A number of reasons are given as to why powers of compulsory collection of clinical information are considered appropriate under the initiative, including the large amount of public money involved in the MBS, the widely acknowledged value of MBS services, and its significant expansion over the past decade.[26]

41. While such arguments may be persuasive, it remains important to minimise impacts on privacy by design, legislation, and policy protections. This is particularly relevant to health and other sensitive information because of the special significance of that information in the eyes of the community.[27] Such an approach would reflect Medicare Australia’s service charter, which states, “We will: Respect the privacy and the confidentiality of your personal information”[28]. The Office would expect these service standards to inform the initiative’s development.

Ensuring collection isn’t unreasonably intrusive (IPP 3)

42. Information Privacy Principle 3 requires an agency to take reasonable steps to ensure that “the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.” The Office’s Plain English Guidelines to IPPs 1 – 3 provide further advice on this requirement.[29]

43. For example, Guideline 24 advises:

Whether an intrusive method of collecting personal information is likely to be reasonable depends on things like:

  • whether the information is important to the agency’s purpose of collection
  • the importance of, and public interest in, the agency’s purpose of collection
  • the extent to which the agency intrudes on a person's privacy to collect the information
  • whether the law specifically authorises the agency to use that method of collecting information
  • whether people have a free choice in whether or not to provide the information – if they do it is much less likely to be unreasonably intrusive.

44. Some stakeholders have expressed a view that the initiative may be unreasonably intrusive of patient privacy.[30] Factors which may contribute to that view seem to fall into two categories:

  • the way the information is collected, for example:
    • the information is not solicited directly from the individual
    • specific notice is not given to individuals by Medicare Australia
    • Medicare Australia would be able to compel production of the information (which providers may currently supply voluntarily)
    • patients do not have a choice about the use of their information in an audit (as this could undermine the intent of the audit).
  • the type of information involved, for example:
    • the information is sensitive ‘health information’ under the Privacy Act, and may be of a particularly personal nature, and
    • the information is ordinarily subject to practitioners’ duty of confidentiality.

45. It is important for Medicare Australia to demonstrate that, having regard to the purpose of collection:

  • the collection is necessary for, or directly related to that purpose (IPP 1) and
  • the agency has taken any steps that are reasonable to ensure the collection of clinical information is not unreasonably intrusive (IPP 3).

46. It seems clear that efforts will be made to minimise the intrusiveness of information collection under the initiative. The Office believes it is important that such steps be binding and enforceable. For example:

  • access to clinical information will be sought only where other information won’t suffice[31] (further policy development may be needed on how this will be ensured in practice)
  • the legislation will clearly state that only information relating to specifically identified items can be requested and accepted[32]
  • Medicare Australia will request the minimum amount of personal information to validate the services claimed[33]
  • relevant excerpts of clinical information will be sought or required, and collection of whole records will not be authorised by the legislation[34] (however, the Bill does not appear to specifically prevent the collection of whole records[35])
  • Medicare Australia must have a reasonable concern that an MBS payment may not have been claimed correctly[36]
  • the handling of clinical information will be restricted to specifically trained and authorised Medicare Australia staff[37]
  • it is understood that Medicare Australia and DoHA intend to promote community awareness of the role and scope of MBS audits, such as an education campaign.

47. Taken together, these are important safeguards, and make the proposal less intrusive than it would otherwise be – subject to a clear demonstration of how they will be enforced and how they interoperate.

48. The Office believes that minimising requests and compulsory acquisition of clinical notes (by relying on other evidence) should remain a key privacy driver and benchmark for the initiative. This may also assist in ensuring Medicare Australia’s high privacy standards are maintained.

Specific comments and suggestions for further consideration

Tailored policies for handling clinical information

49. The following considerations may be useful in developing additional internal policies for Medicare Australia auditors, when requesting or requiring patient information under the proposed new powers (see ‘Limitations on collection of clinical information’ above).

50. It is understood that MBS audits will continue to target practitioners and services identified as being at medium to high risk of incorrect claiming. The Office welcomes this approach, and suggests that where there is a lower risk of non-compliance, there may be less imperative to require that clinical information be produced.

Particularly sensitive items and information

51. The Office suggests that a tailored approach be applied for Medicare items and information that may be considered particularly sensitive – for example, records dealing with HIV status, mental health, reproductive and sexual health issues. The Office recognises that sensitivities vary between individuals, and that practitioners may identify other highly-sensitive procedures or conditions in particular communities. Staff audit training could emphasise these tailored approaches. This would reflect the intent to limit the handling of clinical information and minimise intrusiveness of collection.

Medical practitioner oversight

52. The Office understands Medicare Australia auditors currently have access to medical advisers, who have a role in handling clinical information in seized records. Medicare Australia could weigh the cost and practicality of broadening medical advisers’ role in handling clinical information alongside any likely privacy benefits, particularly if such measures would be supported by consumers and health professions.

Degree of patient identification required

53. The Office understands that using de-identified information may be impractical for MBS audit purposes, as records could not be reconciled without considerable additional technical processes. However, methods for minimising Medicare Australia’s association of names and highly-sensitive medical details could be further investigated. For example, greater reliance could be placed on the Medicare number to match records (depending on practicalities for providers).

Reporting and review requirements

54. Reporting and review requirements can be a useful accountability mechanism, and can assist in assessing a policy’s effectiveness. The Office would support a requirement in the legislation or elsewhere that Medicare Australia report regularly on aspects of the initiative, such as in its annual report or to its Minister. For example:

  • the frequency of, and reasons for, reliance on powers conferred by the Bill
  • the proportion of audits in which collection of clinical notes or excerpts occurs, and the approximate number of medical records involved, and
  • the additional amount of public savings achieved as a result of the initiative (if practicable, with particular reference to ‘notices to produce’).

55. The Office would also support a post-implementation review of the changes, which could draw on the above data.

56. Both of these measures would help to allay concerns about the new powers, assess their use and effectiveness, and evaluate whether the public interest in ‘compulsory’ collection of clinical information outweighs the initiative’s privacy impacts on patients.

Secondary use restrictions

57. The Office understands that secondary uses of information collected to verify MBS claims (including data-matching or other linking) will be prohibited, other than in the event of false or misleading statements pertaining to Medicare services or the Health Insurance Act.[38] However, it may be useful to affirm whether existing use or disclosure exceptions under the Privacy Act (IPPs) and the Health Insurance Act (secrecy provisions) will continue to apply, and provide examples of any foreseeable uses or disclosures.[39] For example, the Office understands that disclosures to Professional Services Review are envisaged (though limited[40]), as presently occurs.

Conclusion

58. In the Office’s view, the opportunity to consider and address these and other issues raised in the Senate Committee process will enhance the development of the increased MBS compliance audits initiative, building on the valuable privacy impact assessment and consultation processes to date. The Office looks forward to further engagement on this initiative with relevant agencies and stakeholders, to ensure privacy continues to be protected and respected while maintaining the integrity of the Medicare Benefits Schedule.



[1] The Office's PIA Guide is available at www.privacy.gov.au/publications/pia06/index.html. It includes working through some practical steps that:

  • identify and define the project scope and aims
  • describe and map the flows of personal information within the project
  • identify and analyse how the project may impact on privacy, and
  • consider options to improve privacy outcomes.

Once this analysis is complete a PIA report can be produced summarising the information and making recommendations about how the privacy impacts and project aims can be successfully managed.

[2] See, eg, Explanatory Material to the Exposure Draft (‘EM to Bill’) – Health Insurance Amendment (Compliance) Bill 2009, paras 2.5-2.7. See also The Increased MBS Compliance Audit Initiative – Your Questions Answered, February 2009 (‘MBS Infosheet B’) ‘How are providers selected for MBS compliance audits?’, p 3, www.medicare.gov.au/files/increased-mbs-compliance-audits-info-sheet-No2.pdf.

[3] Eg, DoHA/Medicare Australia, Increased MBS Compliance Audits Information Sheet, November 2008 (‘MBS Infosheet A’), ‘Why does Medicare Australia need this new authority?’, www.medicare.gov.au/provider/incentives/files/minister-approved-information-sheet.pdf.

[4] From 500 to 2500 audits each year, or from 0.7% to about 3.2% of Medicare providers, with a broader focus to include allied health providers and more specialists as well as GPs.

[5] EM to Bill, para 1.5. See also MBS Infosheet A.

[6] Respondents who trusted government agencies’ handling of personal information increased from 58% in 2001, 64% in 2004 to 73% in 2007. The Office of the Privacy Commissioner’s Community Attitudes Surveys are available at www.privacy.gov.au/business/research/index.html.

[7] See, eg, MBS Information Sheet A, ‘What power will Medicare Australia have to access information?’

[8] Health information and sensitive information are defined under section 6 of the Privacy Act.

[9] Eg, EM to Bill, para 2.34. See also MBS Infosheet A, ‘What power will Medicare Australia have to access information?’.

[10] MBS Infosheet B, ‘What records will a provider be required to produce?’, p 4.

[11] MBS Infosheet B, ‘What records will a provider be required to produce?’ Similarly, the EM to the Bill states: “the Bill does not require the notice to produce documents to specify the exact documents [needed]” (at para 2.28).

[12] EM to the Bill, paras 2.27-2.29.

[13] As an example, “A contact number will be included so that providers can discuss their individual situation with a Medicare Australia auditor.” MBS Infosheet B, ‘What will be in the legislation? – Notice to produce documents’

[14] MBS Infosheet B, ‘How does this apply to clinical information?’

[15] See, eg, Australian Medicine, “Increased MBS Compliance Audits: penalties for doctors, invasion of privacy for patients”, 16 February 2009.

[16] Clause 129AC(1C) of the Bill (‘Amount not properly substantiated...’).

[17] Such additional protection may be appropriate in relation to clause 129AC(1C).

[18] Clause @129AAD of the Bill (‘Notice to produce documents’).

[19] For example, is this intended to be equivalent to ‘reasonable suspicion’, or a higher threshold, such as ‘reasonable belief’?

[20] MBS Information Sheet B, ‘What records will a provider be required to produce?’ This presumably refers to subclauses @129AAD(1) and (6) of the Bill.

[21] National Privacy Principle 10 requires a business to get an individual’s consent to collect health and other sensitive information, unless another exception applies (eg, where collection is required by law or is necessary to prevent or lessen a serious and imminent threat where an individual is incapacitated). Under Information Privacy Principles (IPPs) 1-3, collection by an agency must be relevant, and necessary for (or directly related to) a lawful purpose, that is directly related to an agency function or activity. Collection must not unreasonably intrude on an individual’s personal affairs.

[22] MBS Infosheet B, p 4, ‘How does this apply to clinical information?’

[23] For example, as the Office’s Plain English Guidelines on IPPs 1-3 note (in relation to IPP 2, when information is sought from the individual): “It is unlikely that: the practical difficulty; or the cost; of giving the details required by IPP 2 are good enough reasons for not giving the details.”

[24] Private Sector Information Sheet 23 – Use and disclosure of health information for management, funding and monitoring of a health service (2008), www.privacy.gov.au/publications/IS23_08.html.

[26] See, eg, EM to the Bill, para 1.37.

[27] See, for example, the Hon Daryl Williams QC (then Attorney-General), Second Reading Speech for the Privacy Amendment (Private Sector) Bill 2000, http://gov.au/parlInfo/genpdf/chamber/hansardr/2000-11-08/0008/hansard_frag.pdf;fileType=application%2Fpdf, at p 2. Para 156 of the draft PIA also refers.

[28] Medicare Australia Service Charter, “How we measure our performance”, www.medicare.gov.au/about/service/measures/respect.jsp.

[30] See, eg, Australian Financial Review, “Doctors attack proposal to access medical records”, 16 April 2009. See also Australian Medicine, “Increased MBS Compliance Audits: penalties for doctors, invasion of privacy for patients”, 16 February 2009.

[31] MBS Infosheet A, ‘What power will Medicare Australia have to access information?’

[32] MBS Infosheet B, ‘What records will a provider be required to produce’. See subclause @129AAD(6) of the Bill.

[33] MBS Infosheet A, ‘What power will Medicare Australia have to access information?’

[34] MBS Infosheet B, ‘What records will a provider be required to produce’. See also MBS Infosheet A, ‘What power will Medicare Australia have to access information?’

[35] See, eg, subclauses @129AAD(4) and (6) of the Bill.

[36] Clause @129AAD(1) of the Bill.

[37] EM to the Bill, para 1.57.

[38] EM to the Bill, para 1.80.

[39] Eg, IPP 11 permits disclosure for secondary purposes with consent; to prevent a serious and imminent threat to life or health; where required or authorised by law; or where necessary for criminal enforcement or public revenue protection.

[40] EM to the Bill, para 1.80.