Inquiry into Compliance Audits on Medicare Benefits

INTRODUCTION

Terms of reference

1.1 On 19 March 2009, on the motion of Senator the Hon Joe Ludwig, Minister for Human Services, the Senate referred the matter of compliance audits on Medicare benefits to the Community Affairs Committee[1] for inquiry and report by 15 May 2009 (extended to 10 June 2009 and later to 17 June 2009). The terms of reference required the Committee to examine:

Any Government proposal to implement the Government's announced 2008-09 Budget measure to increase compliance audits on Medicare benefits by increasing the audit powers to Medicare Australia to access the patient records supporting Medicare billing and to apply sanctions on providers.

Conduct of the inquiry

1.2 The Committee advertised the inquiry in The Australian and on its website. It wrote to many organisations and individuals inviting submissions to the inquiry. The Committee received 25 public submissions which are listed at Appendix 1. The Committee held a public hearing in Canberra on 6 May 2009 and details of the hearing are referred to in Appendix 2. The submissions and Hansard transcript of evidence may be accessed through the Committee’s website at https://www.aph.gov.au/senate_ca.

1.3 On 9 April 2009 the Department of Health and Ageing released the Exposure Draft of the Health Insurance Amendment (Compliance) Bill 2009 (the Exposure Draft) and associated Explanatory Material. On 1 May 2009 the Privacy Impact Assessment Ensuing the Integrity of Medicare: Increased MBS Compliance Audits was also released. To allow sufficient time for submitters to provide additional comments regarding the Privacy Impact Assessment (PIA), the reporting date of the inquiry was extended. The Exposure Draft is attached at Appendix 3 and the PIA is attached at Appendix 4.

Acknowledgments

1.4 The Committee acknowledges and thanks all those who assisted with its inquiry, by making submissions, attending hearings and giving evidence, providing additional information and other forms of assistance.

Background

1.5 Compliance audits of Medicare services are checks conducted by administrative staff of Medicare Australia to confirm that a medical practitioner was eligible to provide a Medicare service, that the service was actually provided and that the service met the requirements of the Medicare item paid in respect of the service. The Explanatory Material to the Exposure Draft note that Medicare audits have been conducted since the program was introduced in 1984 and that there has been little change to Medicare Australia's compliance program in the past decade despite significant expansions of the Medicare scheme.[2]

1.6 As part of the Federal Budget 2008-09, the Commonwealth Government announced the Increased MBS Compliance Audit Initiative (the Initiative), a plan to enhance the compliance program of Medicare benefits by Medicare Australia. The Minister for Health and Ageing, the Hon Nicola Roxon MP and the Minister for Human Services, Senator the Hon Joe Ludwig indicated that under the Initiative Medicare Australia will increase the number of audits from 500 to 2500 each year on practitioners who provide Medicare-eligible services to ensure that doctors are fulfilling the requirements of relevant MBS item descriptors.[3] The Explanatory Material note that the increase in audits, which do not require legislative amendment, started on 1 January 2009 and are expected to cover around 3.2 per cent of the practitioner population.[4]

1.7 The other announced measures were 'increasing the powers of Medicare Australia to compel doctors to produce evidence when asked to substantiate their Medicare billing' and changes to 'impose sanctions on practitioners who are billing inappropriately, but whose practice does not warrant referral to the Professional Services Review or for criminal investigation'.[5] The Exposure Draft outlines the proposed legislative amendments to the Health Insurance Act 1973 in these two areas: provisions to enable the Chief Executive Officer (CEO) of Medicare Australia to give notices to a practitioner (or another person) to produce documents relating to Medicare benefit; and provisions to establish administrative penalties to be imposed on a practitioner in certain circumstances.

1.8 The implementation of the Initiative is estimated to provide savings of $147.2 million over four years and will cost $76.9 million to administer, leading to net savings of $70.3 million over four years.[6]

Key Provisions of the Exposure Draft

Notice to produce documents

1.9 If the CEO of Medicare Australia has a reasonable concern that an amount paid in respect of a professional service exceeds the amount that should have been paid, he or she may give a notice to produce documents to the practitioner who rendered the service. If the CEO believes on reasonable grounds that another person has custody, control or possession of documents relevant to ascertaining whether the amount paid in respect of the professional service should have been paid, a notice may be given to that person.

1.10 The notice to produce documents must include: the item number of each service specified in the notice; the date each service was rendered; the Medicare number of the patient for each service; the reason(s) for the CEO’s concern; how the documents can be produced; and the period within which and the place at which the documents can be produced. The period within which the document can be produced must be at least 21 days after the day the notice is given.[7]

1.11 The Medicare Australia CEO may inspect, copy and retain documents produced under a notice 'for such a reasonable period as he or she thinks fit'. The Explanatory Material note that the authority to require a person to produce documents includes the power to require the production of documents containing health information about an individual. In some circumstances, practitioners will be required to produce documents, or extracts of documents, which contain clinical information about a patient to substantiate a Medicare benefit paid in respect of a professional service. However the Explanatory Material also note that clinical information will only need to be provided if that information is necessary to verify that a payment was properly made.[8]

1.12 If the practitioner who rendered the service fails to comply with the notice within the set period the amount paid is recoverable as a debt due to the Commonwealth from that person. If the practitioner complies with a notice to produce a document in respect of a service but the information in the document does not substantiate the Medicare benefit amount paid in respect of the service, the amount which cannot be substantiated is recoverable as a debt due to the Commonwealth from the practitioner.[9]

Administrative penalty

1.13 Under the proposed changes a person may be liable for an administrative penalty of 20 per cent if the Medicare Australia CEO serves a notice on the person for an amount as debt due to the Commonwealth and the total amount is $2,500 or higher.

1.14 The proposed changes provide that this base penalty amount may be reduced in certain circumstances. If a practitioner voluntarily admits that an incorrect amount has been paid in respect of a professional service prior to being contacted by Medicare Australia, there is a 100 per cent reduction in the penalty. If a practitioner admits that an incorrect amount has been paid in respect of the service before a notice to produce documents is issued, the penalty is reduced by 50 per cent. If a practitioner admits that an incorrect amount has been paid in respect of the service after they have received a notice to produce but before the audit is completed, the base penalty amount is reduced by 25 per cent.[10]

1.15 The proposed changes provide that the base penalty amount may also be increased in certain circumstances. If a practitioner does not produce any documents relating to any of the services specified in a notice to produce, the full amount of the services identified in the notice become repayable and the base penalty amount is increased by 25 per cent. If a practitioner in the previous 24 months has been unable to substantiate an amount paid in respect of services specified in a notice to produce documents under the proposed changes and the total they repaid was more than $30,000, the penalty which is being recovered is increased by 50 per cent.[11]

Privacy Impact Assessment

1.16 A PIA is an analysis of the personal information flows and potential privacy risks and impacts of a project. The flow of personal information is evaluated against the Information Privacy Principles (IPPs) in section 14 of the Privacy Act 1988 which governs the manner in which personal information is handled within government agencies.

1.17 The PIA released by the Department of Health and Ageing focused on the proposed changes allowing Medicare Australia to give a notice to produce documents to persons to substantiate a Medicare benefit and made a number of recommendations. Medicare Australia has subsequently advised the Committee that it accepts and will adopt each of the recommendations made in the PIA.[12] The recommendations were:

Recommendation 1

The PIA should continue to be updated throughout the implementation and ongoing management of the IMCA [Increased Medicare Compliance Audits] initiative.

Recommendation 2

An information campaign for the public on the need for Medicare compliance audits and the potential for their clinical information to be accessed to confirm payment accuracy should be considered. Alternatively Medicare Australia should explore what information it can make available to patients (on new or existing forms, or through new or existing channels) on the potential for excerpts from their medical records to be provided to Medicare Australia during compliance audits.

Recommendation 3

Audits of internal Medicare Australia staff accessing information collected during a compliance audit should be undertaken by Medicare Australia on a regular basis, to ensure early detection of inappropriate access and potential misuse of data.

Recommendation 4

The notice to produce documents given by Medicare Australia to the practitioner should clearly state that the information being collected may only be used for the purposes of the compliance audit. The notice should also note any secondary purpose the information may be used for as required or authorised by or under law, such as in relation to offences under the HIA [Health Insurance Act 1973] or Criminal Code Act 1995 relating to false and misleading statements made in respect of Medicare services (IPP 10.1(c) ‘use of the information for that other purpose is required or authorised by or under law’).

Recommendation 5

Details on what constitutes an authorised disclosure of health information collected as part of a compliance audit should be made clear and accessible to the public.

Recommendation 6

To increase compliance with the openness and transparency requirements of privacy best practice, Medicare Australia should review the information available on its website about the type of personal information held by Medicare Australia and the purpose for which that information is held.

Recommendation 7

Medicare Australia and the Department of Health and Ageing should use existing relationships with peak practitioner groups, health consumer and privacy groups to review and, if appropriate, change their accreditation requirements and Privacy Policies in relation to notices displayed in practices.

Recommendation 8

To provide clarity and transparency, Medicare Australia should establish and publish a clear set of guidelines covering the relevant retention and destruction policies relating to documents collected through the proposed legislation.

Recommendation 9

Audits of the records management of health information should be undertaken, to ensure compliance with retention and destruction guidelines and policies.

Recommendation 10

Consideration should be given to reporting on the frequency and nature of Medicare Australia’s access to clinical notes and reviewing the initiative after implementation, including a privacy audit to assess the privacy impacts, once the new procedures have been operational for a period of time.[13]

ISSUES

Privacy and the doctor/ patient relationship

1.18 Many medical and other groups noted their concern that because of the proposed changes patients will withhold information from doctors if there is a possibility their personal health information could be provided to third parties other than for medical care.[14] For example the Australian Medical Association stated:

If patients’ know their personal health information could be viewed by Medicare Australia officers this could well be a barrier to patients telling doctors everything they need to know in order to provide the best quality care. This will have profound consequences for individuals and for health across the country.[15]

1.19 A number of submitters highlighted that patient clinical records often contained personal information of a highly sensitive nature, sometimes relating to other persons.[16] The Australian Society for HIV Medicine stressed the importance of confidentiality in the doctor/patient relationship, and noted that the consultations doctors have with patients '...often contain information that is extremely intimate and personal concerning sexual behaviour, emotional feelings and sexuality'. They stated:

Patients may not disclose sensitive or confidential information about their sexual life if that information can be released to a third party without their permission. Many patients insist on checking first that their information will remain confidential...Does this mean that we must warn patients that anything they say may be read by a non-medical third party in the future to check that a doctor has claimed the appropriate Medicare benefit?[17]

1.20 In the area of mental health several professional and consumer groups emphasised the importance of the confidentiality of patient medical records.[18] In particular, they noted that the development of an ongoing trusting therapeutic relationship between the practitioner and the patient in the mental health sector made the confidentiality of clinical records vital. The Royal Australian and New Zealand College of Psychiatrists stated:

Breaches of this confidentiality produce particularly serious consequences for the psychiatrically impaired, due to the widespread and pernicious stigma accorded to mental illness, and the particular vulnerability of psychiatric patients due to their conditions. Under these circumstances, a breach of confidentiality can be extremely traumatising, and potentially devastating.[19]

1.21 The Office of the Privacy Commissioner suggested further clarification was needed to the proposed changes to give providers a clearer understanding of whether they were required to produce clinical records and to prevent requests for clinical records when other information is sufficient.[20] The Office of the Privacy Commissioner made a number of suggestions to improve the protection of patient privacy. These included:

a tailored approach to Medicare items and information considered particularly sensitive, such as, records dealing with HIV status, mental health, reproductive and sexual health issues;
that Medicare Australia consider the cost and practicality of broadening of role of the medical advisors in handling clinical information obtained during audits;
further investigation be made into using de-identified information to minimise the association of names and medical details;
reporting and review requirements for Medicare Australia on aspects of the initiative, such as the proportion of audits which collect clinical records and the additional amount of public saving achieved. [21]

1.22 Similarly the Public Interest Advocacy Centre recommended that: accessing patient records should not become a routine part of every compliance audit; the process should be multi-stage to ensure a separate decision is made in order to access clinical information; personal information should be de-identified if possible; patients should be notified regarding access to their records as early as possible; and if a patient objects to access to their records, the decision to access records should be subject to an internal review.[22]

1.23 Medicare Australia responded that their audits were multi-step processes and highlighted a diagram setting out the stages of the proposed compliance audit process.[23] However the audit process as outlined by Medicare Australia does not create separate steps for access to patient clinical records as opposed to other administrative records. It is left to providers to decide which records will substantiate a Medicare claim.[24]

1.24 Medicare Australia also highlighted problems with the efficacy of de-identifying patient records. They noted:

Medicare Australia needs to confirm a specific service that a specific patient has received... a provider already identifies the patient and the MBS service they have received as part of the claiming process... In conducting an audit Medicare Australia therefore does not generally divulge any more information than has already been provided through the MBS claim.[25]

Access to clinical records and substantiation of claims

1.25 Some submitters and witnesses were concerned that there was little clarity regarding the threshold circumstances for the CEO of Medicare Australia to issue notices to produce documents under the proposed legislation.[26] Under the Exposure Draft the Medicare Australia CEO must have a 'reasonable concern' that an amount paid, in respect of a professional service may exceed the amount that should have been paid before a notice may be issued. The Department of Health and Ageing indicated that the term 'reasonable concern' had been used in designing the proposed legislation in order to provide a degree of flexibility. Ms Samantha Robertson of the Department of Health and Ageing stated:

I think it is very hard for us to be able to define what is a reasonable concern. The reasonable concern is actually going to be very different depending on the type of audit that is undertaken... The more you get into defining what is a reasonable concern, the more you might lock things down to have unintended consequences and a concern that is quite genuine but outside the definition.[27]

1.26 Many groups were concerned about what information would be considered sufficient to substantiate a claim and how this would affect the confidentiality of patient clinical records. For example the Australian Psychological Society questioned the 'lack of clear guidelines outlining what constitutes substantiating information...'. The Society highlighted that the proposed scheme places the onus of proof wholly on providers to demonstrate they have not defrauded and the judgement as to what is a substantiated claim rests entirely with Medicare Australia. They noted that practitioners, concerned about under-substantiating claims, may be driven 'to produce excessive information, including sensitive, private and confidential information'.[28] Furthermore they argued that the changes treated practitioners as a homogenous group when there was 'variation and complexity between provider groups' and '...subsequent variations in clinical records produced by this diversity'.[29]

1.27 The Medical Indemnity Industry Association of Australia (MIIAA) was also concerned with the lack of any requirement that Medicare Australia specify the documents or the classes of documents sought in the notice. They submitted that '...the exercise of coercive powers in such a vague and unspecified manner is unfair to the recipient of the notice...'.[30]

1.28 The Department of Health and Ageing stressed there was no power to compel the release of clinical records to Medicare Australia in the proposed changes and emphasised it was left to the person given the notice to determine what sort of information was available to substantiate a Medicare claim. They noted that documents have not been specified in order to make it as easy as possible for providers to comply with notices. The Department also stated that specifying the different kinds of information and documents that a practitioner might use to substantiate a Medicare benefit paid in respect of a service, would create additional red tape for practitioners.[31]

1.29 The Australian Medical Association argued that in the majority of cases compliance audits will require the production of patient clinical records in order to substantiate a Medicare claim, rather than other administrative records held by a practitioner. In particular, Dr Rosanna Capolingua, President of the Australian Medical Association highlighted that some administrative records, such as the appointment book or diary of a medical practice, would not reflect the patients actually seen by a practitioner as these records are not amended retrospectively.[32]

1.30 The Royal Australian and New Zealand College of Psychiatrists noted there needed to be a balance between Medicare requirements, practitioners' requirements for medical records, and the patient's need for confidentiality. They were concerned that there is no consensus as to what are considered appropriate clinical notes and recommended clearer guidelines should be developed on how to meet record making requirements.[33]

1.31 Medicare Australia stated that the proposal does not introduce any new record making or retention requirement but that providers are already under 'legal, professional and other obligations to keep and retain records relating to the treatment of patients...'. They argued that the proposed changes would 'bring the Medicare program more closely into line with other Government programs which involve the collection or payment of public monies, such as those in the areas of taxation, child support and social welfare'. It noted that Medicare Australia's ability to access documents will still be less comprehensive than Centrelink or the Australian Tax Office because they 'will not have the power to access documents or files, and will only be able to receive documents that a provider chooses to submit in response to a substantiation request'.[34]

1.32 Medicare Australia highlighted that the proposed changes did not provide any additional power to seize documents. Ms Philippa Godwin, Acting Chief Executive Officer of Medicare Australia, stated:

The measure before us would give us an additional power such that, if during that process of voluntary engagement there has still not been adequate substantiation—and that is effectively what we are talking about: a substantiation power—then the proposed legislation would enable us to issue a notice asking for documents that go to substantiation. If the practitioner refuses to supply those documents, there is no further power in the legislation that enables us to go in and seize documents.[35]

1.33 However, should a practitioner choose not to comply with a notice to produce documents substantiating a claim, the claim is disallowed and becomes a debt to the Commonwealth, and may attract an administrative penalty if it is over the threshold of $2,500.[36]

Patient notification and consent

1.34 A number of medical organisations raised their concerns that the proposed changes would alter existing guidelines that medical practitioners were not permitted to disclose patient records without seeking the patient's approval. The Royal Australian College of General Practitioners noted that current guidelines required medical practitioners dealing with patient health information to treat the consent of the patient as the guiding principle.[37] The Royal College of Pathologists of Australia also noted:

...[the change proposed] represents a significant departure from the way patient information has been managed to date and would be a cause for alarm for many patients.[38]

1.35 Others argued that patient consent should be required before clinical records are released for the purposes of a compliance audit. The Australian Medical Association argued that Medicare Australia should be responsible for obtaining patient consent for medical records to be provided and that this should be 'both broadly through public information campaigns that also explain why it is necessary to see medical records as well as contemporaneously from individual patients whose doctors are the subject of audits'.[39]

1.36 Some witnesses and submitters argued that patients had a right to be notified that some or all of their clinical records were being provided to Medicare Australia as part of a compliance audit. The Royal Australian and New Zealand College of Psychiatrists, while recognising that notification may risk the special relationship between patients and psychiatrists, believed that on balance 'patients have a right to know that their file is being accessed'. However they recommended that precautions be put in place to limit the release of sensitive confidential information and that guidelines be developed on how to inform patients of psychiatrists when their records are accessed.[40]

1.37 Similarly the Private Mental Health Consumer Carer Network also was of the view 'that all Australians have the right to be informed of any access of their clinical records'. It recommended that Medicare Australia and peak mental health groups should 'develop clear protocols around the best way of conveying this information to patients in a manner which continues to the retention of the therapeutic relationship'.[41]

1.38 The Public Interest Advocacy Centre recognised that there were situations where it would be problematic to advise patients that their records had been accessed for audit purposes, but submitted that, in the normal course of events, all patients should be notified. However they did not support the proposition that patient consent should be required before access was allowed for an audit. The Centre noted there would be practical difficulties with contacting patients and requests for consent could cause distress to patients, particularly those with disabilities or the elderly. They also stated:

...there is a real danger that if unscrupulous health professionals were aware that an audit could not go ahead if there was not consent to patient access, then they may well apply pressure on patients not to consent.[42]

1.39 Medicare Australia advised that careful consideration had been given to the issue of patient notification. From their experience with the seizure of clinical records in criminal investigations they believed that proposed legislation should not contain a patient notification requirement. They stated:

Medicare Australia’s experience is that this causes considerable angst amongst patients who do not understand the process or reasons why the records are being examined. Some patients erroneously assume that it is the quality of clinical care that is under review and become concerned about having a continued relationship with the provider.

Patient notification therefore has the potential to compromise the privacy of the provider, and may lead patients to worry that their provider has behaved inappropriately or illegally in circumstances where no problem is ultimately identified. A number of provider groups have indicated that patient notification would be unreasonable and would have potentially adverse and inappropriate impacts on their reputation and ability to serve their patients.[43]

1.40 The Department of Health and Ageing acknowledged that the issue of patient notification and consent was complex but they had taken into account the significant potential risks to patient privacy of notification and undermining the doctor/patient relationship. However the Department also noted there were mixed views on this issue and the proposed changes did not prevent a practitioner from informing individual patients that information from their medical record has been provided to Medicare Australia during a compliance audit.[44]

Medicare Australia staff and processes

1.41 A number of witnesses and submitters considered that Medicare Australia staff were not suitably qualified to interpret clinical records provided during a compliance audit. For example the Medical Indemnity Industry Association of Australia believed that administrators without medical qualifications would be called to make determinations which 'clearly require medical expertise and experience'. They did not agree with the statement in the Explanatory Material that the question of whether the service the practitioner provided met the requirements of the Medicare item was 'a question of fact which does not require any clinical assessment of the service'. The Association submitted that:

...the interpretation of medical records or other records of clinical care should be performed by persons with professional qualifications and experience in the relevant discipline.[45]

1.42 Similarly Dr Roger Clarke of the Australian Privacy Foundation argued a major problem with the proposed scheme was access by people without appropriate qualifications to clinical data which was 'extraordinarily easy to misinterpret'. He stated that when 'there are sufficient grounds for access as part of an audit process then the individual who inspects the record should be a person with appropriate medical qualifications'.[46] The Australian Medical Association also stated that Medicare Australia administrative auditors would not have the insight of a doctor in understanding clinical notes in order to determine whether the requirements of an MBS item had been claimed appropriately.[47]

1.43 However the Department of Health and Ageing reaffirmed the purpose of the initiative was to seek evidence of compliance with the administrative requirements of the MBS in order to claim a particular item, such as preconditions, time and tests. Mr Learmonth of the Department of Health and Ageing stated:

We are not looking at making professional judgements or clinical judgements; this is about administrative requirements for claiming payments.[48]

1.44 Medicare Australia did not accept the argument that compliance audit staff required medical qualifications. It emphasised that the compliance audits were assessing the facts of a Medicare service and did not involve making clinical judgements. However Medicare Australia also indicated that it employs a range of health professionals who may be accessed by audit staff.[49]

1.45 The capacity of Medicare Australia to protect the confidentiality of patient clinical records was also raised during the inquiry. For example the Australian Privacy Foundation raised concerns regarding how gathered audit information will be stored and secured. They highlighted research which indicated that many staff in organisations are not adequately trained in handling secure information and can avoid security measures if they interfere with productivity.[50]

1.46 Medicare Australia noted that staff involved in compliance audits are subject to provisions of the Health Insurance Act 1973 which provides increased protection for information collected by Medicare Australia and includes criminal penalties for those who misuse this information. Medicare Australia also emphasised the expertise and training of staff in relation to Medicare issues, audit techniques and privacy issues.[51]

1.47 The Committee also received information from the Australian Public Service Commissioner, Ms Lynelle Briggs about the privacy protections of the Public Service Act 1999 which would also apply to Medicare Australia staff. She advised that all Australian Public Service (APS) employees were obliged to follow the APS Values and Code of Conduct. A failure to comply with the Privacy Act 1988 could be considered a breach of the Code and could result in sanctions including termination of employment, reduction in classification, transfer, reduction in salary or a fine. Ms Briggs also noted that Public Service Regulation 2.1 prohibits APS employees from disclosing information that was received in confidence by the government from a person or persons outside the government. A suspected breach of this regulation could be also investigated under s.70 of the Crimes Act 1914.[52]

1.48 Medicare Australia also addressed concerns raised regarding the storage and security of compliance data. It noted that the case management system used is only accessible by compliance officers, that all access is logged and monitored and the system is not connected to the internet. Furthermore it noted that a planned new case management system 'will be specifically designed to meet Commonwealth security and privacy requirements for compliance activities'.[53]

Compliance audits, professional services review and fraud

1.49 Some witnesses and submitters suggested that the proposed compliance audits to be conducted by Medicare Australia unnecessarily duplicated or extended into the jurisdiction of the Professional Services Review (the PSR). The PSR has authority to investigate whether health practitioners have engaged in inappropriate practice when providing Medicare services or when prescribing medication. The PSR Committee consists of medical practitioners and other health practitioners appointed by the Minister for Health after consultation with appropriate professional organisations.

1.50 Civil Liberties Australia questioned the need to duplicate the role of the PSR and highlighted that reviewing medical services is best done by medical practitioners rather than others.[54] Mr William Rowlings of Civil Liberties Australia stated that Medicare Australia was seeking to extend jurisdiction over a compliance area which was the responsibility of the PSR. He suggested the PSR was the appropriate agency to receive additional resources to undertake compliance auditing.[55] The Australian Psychological Society also noted that the most serious concern it had with the Exposure Draft was the blurring of the lines between the proposed compliance audit process and the existing PSR process.[56]

1.51 The Medical Indemnity Industry Association of Australia emphasised that a range of accountability mechanisms already exist for medical professionals. They stated:

The present mechanisms can and do result in the repayment of incorrectly claimed benefits, findings of inappropriate practice, the reprimand of practitioners and partial or full disqualification of practitioners from the Medicare system for periods of up to 5 years...

Practitioner Review Program and Professional Services Review already operate to provide a comprehensive system to investigate anomalous Medicare billing - including by the examination of patients’ medical records. However, such examination of patients’ private medical information in these processes is appropriately confined to the professional peers of the person under review.[57]

1.52 The Department of Health and Ageing clarified the differences between the three main areas of risk in relation to Medicare (fraud, inappropriate practice and incorrect Medicare payments) and the relevant compliance approaches to each of these risks.[58] In the case of fraud, where a person seeks to obtain a Medicare benefit by intentionally falsifying facts and/or documents, Medicare Australia has broad powers to investigate. In the case of inappropriate practice, Medicare Australia can refer suspected cases to the PSR.

1.53 The proposed changes are directed to incorrect Medicare payments, when a practitioner makes an unintentional false or misleading statement that results in a Medicare benefit payment being paid incorrectly. The Department emphasised that under the current arrangements Medicare Australia has no power to require a practitioner to cooperate with an audit request. They noted:

If a practitioner refuses to respond or cooperate voluntarily, Medicare Australia is not able to proceed with the audit and is unable to verify the Medicare benefit amount paid in respect of the service.

1.54 Medicare Australia suggested that several submissions to the inquiry had confused the function of the PSR with the role of compliance audits in identifying incorrect claims. They highlighted that compliance audits were administrative checks and did not relate to clinical appropriateness or professional adequacy.[59]

Complexity and simplification

1.55 The complexity of both the Medicare Benefits Schedule and the Pharmaceutical Benefits Scheme was raised by a number of witnesses. The Royal Australian College of General Practitioners was concerned the complexity of the MBS increased the likelihood that practitioners will make unavoidable errors when submitting to audits.[60] The Medical Indemnity Industry Association of Australia argued that the Medicare system was highly regulated and had become 'increasingly complex at an alarming rate'. They stated:

The expanding administrative demands on practitioners and medical practices caused by that complexity have left the individual practitioners increasingly vulnerable to personal liability for any administrative errors in claims made under the practitioner’s Medicare provider number.[61]

1.56 Some witnesses and submitters also suggested that the simplification of the MBS and additional investment in the education of practitioners was a better approach to non-compliance than the changes proposed in the Exposure Draft.[62] The Department of Health and Ageing noted that a review looking at simplifying the MBS was under way and their engagement with the medical profession through the Medicare Benefits Consultative Committee. Medicare Australia also referred to a range of education programs it provides in relation to the MBS that are designed to assist practitioners including reference guides and an administrative practice statement.[63]

Impact on practitioners

1.57 The Explanatory Material to the Exposure Draft note that the compliance cost for the new measures was assessed as medium as any Medicare service provided by a health practitioner could be audited.[64] Medicare Australia acknowledged that any form of audit is an impost on the party being audited, but stated efforts were made to ensure the impact on practitioners was as low as possible.[65] They suggested the impact on providers would be marginal with the majority of their compliance activities continuing to be focused on information services, education and training to support providers to complete accurate claims. They stated:

Prior to the budget measure more than 99 per cent of providers were not subject to audit. Despite the increased audit levels approximately 96 per cent of providers will still not be subject to a compliance audit.[66]

1.58 The Department of Health and Ageing also argued there was a targeted approach to auditing the administrative requirements of Medicare items. Mr Learmonth stated:

We have a very sophisticated way of saying, ‘Here we think is significant risk; here are some particular items that we think are a concern’—and we will narrow and limit our scope of attention to those particular items and thus minimise the footprint, if you like, or the impact on the provider... this is really crunched down to the absolute minimum of what is required to substantiate a payment, in a targeted way.[67]

1.59 However some witnesses and submitters suggested the additional administrative burden on practitioners may negatively affect patient outcomes and access to a suitable number of qualified clinicians.[68] Civil Liberties Australia suggested the estimated financial impact of the proposed measures was incorrect as it did not correctly take into account the 'extra costs to be borne by doctors and society' resulting in a 'sub-optimal outcome for Australia'.[69]

1.60 The Australian Medical Association highlighted an example of where a compliance audit was a considerable burden on the time of a practitioner with only minor incorrect claims being discovered. Dr Rosanna Capolingua, President of the Association, questioned the projected savings of the measures:

The only certainty is that it will cost $76.9 million.... The real net gain is likely to be far less. The projected savings of $147.2 million over four years are, by their own admission, a best guess. The total cost of each audit is $9,600 and each must recoup on average $18,400 to achieve this level of savings.[70]

1.61 The role of practitioners in de-identifying patient information from records provided to Medicare Australia was also discussed during the inquiry. The Royal Australian College of General Practitioners argued that de-identification of clinical records would be additional burden on practitioners.[71] However Mr Peter Dodd of the Public Interest Advocacy Centre suggested this was a question of balance and noted the additional cost of the process would reduce the potential for patient information being inappropriately disclosed.[72]

Integrity of Medicare

1.62 Medicare Australia and the Department of Health and Ageing highlighted that the size and scope of the Medicare program has undergone significant growth and expansion in the last decade. In 2007-08 expenditure was over $13 billion with 81,224 providers generating nearly 280 million MBS services.[73] New groups of practitioners such as allied health practitioners may now provide Medicare-eligible services.[74]

1.63 The Health Insurance Act 1973 currently does not provide Medicare Australia with the authority to require practitioners to provide verifying documents during a compliance audit. When a practitioner does not respond or refuses to cooperate with a compliance audit, the process is effectively halted as no further action is able to be taken. Medicare Australia advised that:

Medicare Australia’s experience has been that in a range of cases, including those involving significant compliance risks, providers refuse to make the necessary substantiating information available. On average this occurs in 20% of compliance activities. As a consequence Medicare Australia cannot confirm the accuracy of Medicare claims or ensure that Medicare payments were made in accordance with legislative requirements.[75]

1.64 In the absence of a requirement for providers to give information to substantiate Medicare payments, Medicare Australia's compliance activities rely on providers volunteering information to demonstrate claims have been made correctly. Medicare Australia noted that the Australian National Audit Office in 1996-97 found that non-compliant MBS payments equated to around 1.3 to 2.3 per cent of expenditure. They argued this suggested at current levels 'annual non-compliant payments could be around at least $170-300m per annum'.[76] Medicare Australia argued that requiring providers to verify their claims, when there are specific concerns about the claims, is a reasonable and responsible way of protecting the public revenue. They stated:

The consequence of not having a penalty system for ‘non-criminal’ acts resulting in incorrect claims is that providers can repeatedly make incorrect claims with little or no adverse outcome, other than possibly having to repay monies that are specifically identified as being incorrectly received.[77]

1.65 Similarly the Department of Health and Ageing argued that the proposed changes were 'concerned with the minority of practitioners who do not take appropriate care when billing Medicare-eligible services and/or do not voluntarily comply with compliance audit requests'. They stated:

This draft Bill addresses the current weakness in activities designed to address key risks to the integrity of the Medicare scheme by establishing a simple, cost effective administrative mechanism to deal with incorrect Medicare payments which constitute a substantial risk to Medicare expenditure.[78]

1.66 The Australian Health Insurance Association also supported the proposed changes as important to ensuring the integrity of the Medicare system and indicated they would like to see further measures to address inappropriate billing and fraudulent activity within the broader health system. They noted that the detection of inappropriate claiming within the public system can also assist in preventing inappropriate practices in the private sector, enhancing the integrity and affordability of private health cover.[79]

1.67 The Public Interest Advocacy Centre suggested that the proposed changes raise two potentially competing public interest principles. These were the public interest of Medicare consumers in the maintenance and integrity of Australia's universal health scheme and the public interest in the confidentiality of communications in the doctor/patient relationship recorded in the medical records of patients. The Centre concluded that, with some amendments, the proposed changes and the existing privacy protections, 'appropriately balances the public interest in the integrity of Medicare and the public interest in the maintenance of patient confidentiality and privacy of health records'. The Centre stated that the proposed amendment:

...does not represent a significant change from the long-existing practice that health records can be accessed, in the public interest, in certain controlled circumstances by bodies exercising investigative powers.[80]

1.68 However medical and privacy groups argued that the proposed changes were unnecessarily intrusive of patient privacy and disproportionate to the perceived problem of incorrect Medicare claims. For example the Australian Medical Association argued that the costs of the changes proposed were not proportionate with the 'low level concerns Medicare Australia has with the use of the MBS'. The AMA asserted that:

The cost that this legislation incurs in undermining the trust that patients have in their doctors to maintain the confidentiality of their medical record will result in a fundamental alteration of the community’s confidence in the security of their private and personal information and is too high a price to pay....

Public probity concerns to protect government expenditure are important, but in a scale of importance, they rank lower than the protection of personal health information that risks undermining the ongoing health care of individuals.[81]

1.69 Dr Roger Clarke of the Australian Privacy Foundation stated the proposed amendments did not reflect the value that the Australian people place on privacy. He commented:

It is quite extreme of the agency to be suggesting that all forms of infringement and all forms of suspicions about even accidental overservicing are sufficient to justify substantial invasions of privacy in relation to sensitive data...[82]

1.70 However the Consumers Health Forum of Australia stated that it understood that privacy will not be compromised under the proposed changes and supported the measure. They argued:

Consumers are fully aware of the need to ensure a sustainable health system that has checks and balances in place. It is entirely in the public interest for the new MBS compliance procedures to be implemented.[83]

Administrative penalty and appeals

1.71 A number of separate issues were raised by submitters and witnesses in relation to the scheme of administrative penalties proposed and the opportunity to appeal decisions.

1.72 The Medical Indemnity Industry Association of Australia argued that the scheme lacked an opportunity for practitioners to dispute decisions by Medicare Australia compliance auditors. Furthermore they argued that any decision 'must be amenable to external merits review' and that the Administrative Appeals Tribunal was the appropriate body to conduct such a review.[84] They also suggested that there should be a further opportunity for practitioners to respond where Medicare Australia proposes to decide there has been non-compliance with a notice to produce. This would be an opportunity for the person who would be adversely affected by such a decision to ‘show cause’ why such a decision should not be made.[85]

1.73 The Commonwealth Ombudsman, Professor John McMillan also notified the Committee regarding his Office's recent investigation of a case relating to the interpretation of the MBS. He noted that changes in medical practice and terminology will always result in a certain level of uncertainty over what is or is not covered by a particular MBS item and that the compliance process should accommodate the possibilities of genuine confusion, dispute or honest mistake. He recommended the inclusion of an initial written warning to practitioners before any penalty can be imposed and a mechanism by which merits review could be sought regarding the meaning of MBS items and whether a claim has been properly substantiated.[86]

1.74 The Commonwealth Ombudsman also raised concerns with the proposed automatic penalty regime, with reductions which vary depending on when a practitioner advises Medicare Australia an amount has been incorrectly claimed. He suggested this limited 'the resolution of genuine disputes about the meaning of items' and created a disincentive to seeking review of decisions.[87]

1.75 The issue of procedural fairness was also raised by the Australian Medical Association. The Association stated:

There do not appear to be any provisions in the Bill for a doctor to argue mitigating circumstances before the decision is made, or to seek administrative review of the decision after it is made. As we understand it, the only avenue of recourse the doctor will have is through the Federal Court under the Administrative Decisions (Judicial Review) Act 1977. This is a time consuming and expensive process...[88]

1.76 The Office of the Privacy Commissioner emphasised it was important that the administrative penalty for amounts not properly substantiated does not result in practitioners providing additional and unnecessary patient information 'to avoid the possibility of a fine'. They suggested it may be appropriate to include protection for providers who in good faith give Medicare insufficient information and are subsequently required to provide further information to substantiate a claim.[89]

1.77 The Australian Psychological Society was concerned that practitioners could be made liable for administrative errors made by Medicare under the proposed scheme. They highlighted the situation of overpayments to practitioners and stated they believed 'administrative errors by Medicare Australia should be rectified by Medicare Australia'.[90] Similarly the Australian Physiotherapy Association stated that minor claims errors were just as likely to favour Medicare Australia as they were the individual practitioner and recommended that a mechanism be included to reimburse practitioners where Medicare Australia has been the beneficiary of an error.

1.78 Medicare Australia did not agree that providers would, or could be held liable for administrative errors and argued that compliance audits were intended to ensure payments were correct. It also noted that a process exists whereby providers can re-submit claims if they find they have under-claimed, which will then be adjusted and paid by Medicare Australia.[91]

1.79 The Department of Health and Ageing has previously indicated that the introduction of administrative penalties may be accompanied by additional formal appeal rights for providers.[92] The Department noted that there are a number of avenues of appeal under existing arrangements including independent internal review by Medicare Australia and formal judicial review of administrative decisions or review under legislation such as the Freedom of Information Act 1982 or the Ombudsman Act 1976. They noted that once the proposed legislation is passed Medicare Australia will include information on how practitioners may make complaints about a compliance audit when a notice to produce documents is issued. They also noted:

Under the HIA, review by the Administrative Appeals Tribunal is generally restricted to those decisions which impact on a practitioner’s ability to provide Medicare services. That is, where the sanction imposed may involve disqualification from participation in Medicare and /or the Pharmaceutical Benefits Scheme for a period of time.[93]

1.80 The size of the administrative penalty and the threshold was also discussed in submissions. One submission argued that the administrative penalties in the Exposure Draft were 'inadequate in relation to the seriousness of the illegal activities' and that a 'more appropriate penalty regime would be based on recent Australian Taxation Office convictions for fraud'.[94] The Australian Physiotherapy Association agreed the $2,500 threshold was appropriate but sought reassurance that this amount would be indexed annually.[95]

1.81 The Department of Health and Ageing commented that the proposed administrative penalties would provide an incentive for practitioners 'to ensure that the Medicare services they provide comply with the relevant legislative requirements'. The Department noted that the penalties are structured to encourage compliant behaviour, for example, if a practitioner admits to causing an incorrect Medicare payment to be made prior to any Medicare Australia compliance contact, no additional penalty amount is payable.[96] The Department also noted that the $2,500 threshold will mean that practitioners who owe a small amount of money will not be subject to a financial sanction. They stated:

The $2,500 threshold is based on an analysis of Medicare Australia data which indicates that this is the point at which mistaken claims may become routine, or reflective of poor administration or decision making. In 2007-08 only 36% of practitioners who were required to repay money, repaid an amount of more than $2,500.[97]

1.82 Medicare Australia argued that the threshold will ensure that providers who make 'one-off minor inadvertent errors' are not penalised and that the 20 per cent penalty was proportionate and fair. They stated:

The proposed penalty amount of 20 per cent should have sufficient weight to deter incorrect billing and claiming and compensate the Commonwealth for the loss of use of public funds, whilst remaining both proportional and appropriate to the circumstance... Medicare Australia feels that any penalty amount less than 20 per cent would lose the deterrent impact on the wider health provider community.[98]

Privacy Impact Assessment

1.83 On the whole those medical and privacy groups which provided supplementary submissions did not consider that the PIA addressed their concerns in relation to the proposed changes.[99] However, there were differing levels of support for the PIA recommendations in relation to ongoing assessment of the Medicare Australia compliance program, consultation with peak groups, and providing information to medical practitioners and patients about the measures.

1.84 A number of practitioner groups highlighted that the PIA had not dealt with criticisms of the measures outlined in their original submissions. For example the Australian Medical Association stated the PIA maintained the incorrect premise that administrative documents will satisfy compliance concerns. They argued that the privacy impact of the proposed measure could not be properly assessed until the information that will be required to substantiate Medicare benefits is listed by Medicare Australia. The Association also objected to the assertion that 'practitioners would attempt to convince patients to withhold their consent to the release of the personal information to Medicare Australia'.[100]

1.85 The Australian Privacy Foundation argued that because the PIA 'was conducted behind closed doors... far better balanced design features and amelioration measures could have been devised' to achieve the aims without substantial privacy breaches.[101] The Royal Australian College of General Practitioners submitted that some of the recommendations in the PIA relating to ongoing quality assurance of the privacy aspects of compliance program were 'a clear admission that it is not possible for Medicare Australia to create a safe and reliable system for managing sensitive patient information'.[102]

1.86 Medicare Australia also made a supplementary submission which noted that it accepted and would adopt all recommendations made in the PIA. However they also restated their support for the measures in the Exposure Draft and argued that 'the proposed legislation is essential in order to improve its ability to manage the integrity of the Medicare program'.[103]

Conclusion

1.87 The issues dealt with in this inquiry represent an area where two public interests overlap. On one hand there is the interest of patients to have their clinical records kept confidential by medical practitioners. On the other, there is the interest of tax-payers, who fund Medicare and are entitled to expect reasonable checks are made to ensure those public funds are being expended appropriately. While the Committee appreciates the issues and concerns raised by medical, privacy and other organisations regarding the treatment of patient clinical records, it considers that the proposed changes, as outlined in the Exposure Draft, represent a good balance between these overlapping public interests.

1.88 However there was one area of the proposed compliance audit process which concerned the Committee. The Committee is sympathetic to the suggestion made in some submissions, such as the Office of the Privacy Commissioner, that a more tailored approach be applied to accessing sensitive health information during the compliance audit process. Proposals to include a multi-stage audit process to enhance the privacy protection of patient clinical records were also persuasive. This would mean that an additional step or decision would be required before patient clinical records would be accepted by Medicare Australia as part of a compliance audit. This would assist in limiting the accessing of patient clinical records to situations where other administrative records held by providers are not sufficient to substantiate a claim.

1.89 The Committee understands that these suggested changes to the compliance audit process may not be practically convenient to include in the draft legislation and may be more appropriate as part of the regulations and as an administrative practice of Medicare Australia. Nonetheless, the Committee considers they would provide an additional privacy protection for patient clinical records and should be clearly stated.

1.90 The Committee notes that Medicare Australia and the Department of Health and Ageing have undertaken considerable consultation with relevant stakeholders in developing the initiative, including working closely with the Office of the Privacy Commissioner. The Department's statement that the Privacy Impact Assessment will be updated throughout the implementation and ongoing management of the Initiative is an encouraging sign that important patient privacy issues will not be forgotten as the compliance audit program continues.[104] The Committee is also gratified that Medicare Australia has accepted and will adopt all the recommendations made in the PIA.

1.91 The Committee also notes that Medicare Australia has been receptive to the recommendation made by the Australian Medical Association for clarification regarding what constitutes 'reasonable record keeping and information arrangements' for providers.[105] The Committee believes clarification in this area will assist to limit the impact on practitioners of compliance audits and protect patient privacy by restricting the need for Medicare Australia to access clinical records in order to substantiate claims.

Recommendation

1.92 The Committee recommends that the Department of Health and Ageing and Medicare Australia ensure that as part of the Medicare compliance audit process specific measures are detailed in the regulations to ensure that patient clinical records are only required to be accessed where necessary.

Senator Claire Moore
Chair

June 2009

Navigation: Previous Page | Contents | Next Page