Sometimes, the audits will be confined to reviewing administrative records. But where they also involve review of documents containing patient information, that is, records that identify your patient, you need to consider two things:

1. whether the people doing the audit are in fact entitled to get that information from you, and whether you are required or permitted by law to share it with them with or without first seeking permission from your patient
2. if so, how much and how little you should share in order to comply with your obligations.

The records you create about your patients are confidential records between you and your patient.

Not only do you have confidentiality obligations, but you have a broad range of extra responsibilities under privacy law, the Commonwealth Privacy Act and the Australian Privacy Principles (APPs) created under it govern the ‘cradle to grave’ responsibilities about the way you manage personal information about your patient.

Because you deal with patient health information, the privacy law imposes extra responsibilities on the way you need to manage this ‘sensitive’ information (by law, all health information is sensitive and therefore requires extra protection). This legislation covers all physiotherapists in private practice (the ACT, Victoria and New South Wales have similar legislation covering the private sector as well).

The relevant state and territory health information statutes are ie, Health Records Act 2001 Victoria, Health Records and Information Privacy Act 2002 New South Wales, and Health Records (Privacy and Access) Act 1997 Act.

The starting proposition is that you cannot share confidential health information with third parties except:

1. with the consent of your patient, or
2. by operation of law (which can be a very broad concept). The OAIC has prepared guidance on situations where it is lawful to share information even without the consent of a patient. See for instance its Guide to Health Privacy

The answer depends on:

1. whether they are relying on a legislative right to get the information from you, or
2. whether they are simply relying on the terms of an agreement or contract.

The basic position is this:

1. in situation 1, you should comply with the request
2. in situation 2, it’s a little more complex and you might need to do more before agreeing to share the information.

Let’s deal with each one in turn.

Medicare, and its legislated right to get information

A Medicare audit is relying on specific legislation which gives it powers to do the audit. Privacy law recognises this as a legitimate situation where you can, and must share information, regardless of whether the patient is aware of the request and regardless of whether they give their consent.

That privacy law talks about situations where you are ‘required or authorised by or under an Australian law or a court/tribunals order’ (‘Australian law’ is defined to include: an Act of the Commonwealth, or of a State or Territory; regulation or any other instrument made under such an Act, or a rule of common law or equity — see section 6 (1) for details about the law).

So that means that privacy concerns are not an issue when Medicare writes to you seeking information or documents to help it determine whether it properly paid a Medicare benefit to you for a professional service. If the requested information or documents contains health information about an individual, you will be protected under the Privacy Act; the patient cannot claim that you unlawfully breached their privacy.

Seek advice when you are unsure

Where you are not certain of your responsibilities and whether you should be sharing information about your patients in response to a request, or where you feel that the audit is signalling that you soon might be involved in a complex dispute about your billing practices, you should seek advice from your liability insurer.

PHIs, and the paperwork (and consent) they rely on

Unlike Medicare and other government authorities, PHIs are not relying and cannot rely on any specific legislation or Australian law giving them powers to access information about your patients.

Instead, they are relying on:

1. contract terms agreed to between you and them
2. contract terms agreed to between them and the patient, and occasionally
3. some form of paperwork they had earlier shared with the patient which they say shows that the patient has given their consent.

A contract does not fall in the privacy law’s definition of Australian law.

Contract terms are important to understanding rights, roles and responsibilities between you and the PHI.

And it is absolutely true that every PHI is entitled to take steps to satisfy itself that the payments required of them are being properly made.

No contract can require you to break the law, including the laws around privacy and confidentiality. (Some, but importantly not all, PHIs specifically acknowledge this in their rules and therefore focus on requiring that health professional to seek and obtain the necessary consent).

In other words, although you should meet the obligations that your agreement with the PHI imposes on you, you need to do so in a way that complies with the requirements of privacy law.

How do PHIs usually seek to persuade you that you should share with them patient information for the purposes of their audit?

Generally, they can, and do, make their access request in several ways; usually, those requests refer to:

1. the contractual rights of the PHI to seek access to information
2. your contractual responsibility to cooperate with their investigations and requests for information, and
3. the fact that the PHI had earlier shared with the patient information about the PHI’s proposed information collecting practices (and occasionally, they might argue that through this the patient has in effect consented to you complying with the audit request).

Rarely if ever dothe request letters come with a signed consent document from the patient consenting to the disclosure of information about them for the purposes of an audit (or for that matter any other purpose).

Is that good enough?

Probably not. You will need to do more to satisfy yourself that the patient has consented, and that that consent is real, informed and current.

What about the fact that the patient previously ‘signed up’ with the PHI and apparently did not object to the information-handling practices the PHI described in the paperwork it apparently shared with the patient?

Does that demonstrate that they have given their consent? Probably not. Many questions remain unanswered: did they ever read the document? If they read it, did they understand it? Even if they agreed back then, will that still be their position?

The Office of the Australian Information Commissioner made these relevant observations, in its Guide to Health Privacy:

‘... It should not be assumed that an individual has given consent on the basis alone that they did not object to a proposal to handle personal information in a particular way. [You) cannot infer consent simply [because the individual was given] notice of a proposed collection, use or disclosure of personal information. It will be difficult for an entity to establish that an individual’s silence can be taken as consent. Consent may not be implied if an individual’s intent is ambiguous or there is a reasonable doubt about the individual’s intention.’

You therefore need to do more. You need to either:

1. ask the insurer to demonstrate that they have obtained consent in the way described above, or
2. (if you doubt the insurer has any or adequate proof of consent) do it yourself (ie, contact the patient).

What happens if you just decide to rely on the written assurances from the PHI that the patient has previously agreed to this sharing, and that you are required under the rules to do that sharing? While that certainly was a common practice in the past, it is an increasingly unsustainable one from a ‘privacy best practice’ perspective.

The fact that the PHI routinely gives customers or patients a batch of paperwork does not mean that your patient has either read it, understood it or would remember it today, and they are free to revoke their consent if they change their mind (but if they do that, they need to understand the consequences of that revocation eg, potential loss of cover etc.).

Similarly, even if the various privacy documents you had (or may have) earlier created for your patients (privacy policy, collection notice, consent form, registration form, etc.) had specifically mentioned the possibility that you might share patient information with an insurer doing an audit, a ‘best practice’ approach would still encourage you to seek a current, a meaningful and an informed consent.

For all of these reasons, where the audit request involves a request for patient information (as opposed to non-identifying materials), you should seek the consent of the patient before you share those materials with the insurer.

Perhaps you have already mentioned to your patients — verbally or in writing — that on occasion you might need to share information about them with PHIs. For example, maybe refer to this in:

• your written privacy policy
• patient registration forms
• collection statements or notices
• general consent forms the patient completes at the start of their relationship with you.

That’s a good start. But you still need to do more; you need to seek consent.

These are the key elements of a legally effective consent:

• the patient is adequately informed before giving the consent
• they give that consent voluntarily
• the consent is current (12 months might be a rough guideline) and specific (does it clearly indicate to whom the records can be released and which records are covered by the consent?), and
• the patient has the capacity to understand and communicate their consent (situations where this might arise include where the patient is a child, or where the patient suffers from an intellectual disability or a cognitive impairment, but only where the disability or impairment compromises their ability to consent. When the patient is not able to give consent, you need to seek consent from the person authorised by law to provide consent in their place).

Whoever from your practice speaks with the patient, they will need to explain to them why the insurer has requested the information, and the implications of disclosing (or not disclosing) the requested details to the insurer. In most situations, this will require saying not much more than this:

‘We have received a request from your insurer to audit some of our paperwork relating to you. Do we have your consent to share that paperwork with them?’

If and when you obtain that consent, you should make a note in the patient’s record. If you have the discussion and the patient refuses to consent, you should clarify why they are objecting. You should explain to them the potential consequences of their refusal to consent (eg, potential loss of insurance cover). You should then make a note of the discussion, including any reasons the patient is given for refusing to consent. You will then need to explore with the PHI whether you can comply with the audit request in a way that respects the patient’s wishes.

If the patient consents but has concerns about the sharing of certain information, you need to explore those concerns and then determine whether you could share the records in the way preferred by the patient. Make a note of the discussion and any agreed limitations on sharing in the patient’s record. You will then need to explore with the PHI whether you can comply with the audit request in a way that respects the patient’s wishes.

If you believe or suspect the patient is unaware that disclosure of the requested records will also result in the sharing of particularly sensitive material (eg, mental health or sexual history issues), check that the patient is aware of that and confirm that they can be released. Make a note of the discussion in the patient’s record.

Even if you have received from the PHI or obtained by yourself a valid patient consent, you still need to handle that information in a way that respects the privacy interests of your patient. Simply giving the auditor a complete copy of the records, much of which is often completely irrelevant, does not respect the patient’s privacy.

That means you should give the minimum necessary to comply with the audit rather than giving the auditor more than they wanted or needed.

Medicare audits recognise this: its Guideline for Substantiating Valid Individual Allied Health Services recognise that:

‘In most cases, a patient's clinical information will be the only way to confirm that the patient attended the service, and to substantiate you received the correct Medicare benefit. If you need to use a patient's clinical information you can censor any details that aren't relevant. You can also choose to provide the information to one of our medical advisers.’

This situation is identical when any other government authority is relying on legislative powers which specifically entitle it to seek access to clinical materials from you.

And it’s a sensible approach to use with a PHI as well.

To do that, you need to identify and then reflect on the scope of the legitimate audit enquiry. That means you should provide the minimum amount of patient information that is necessary and appropriate to respond to the enquiry, but no more. In fact, if you shared way more than you were required to by law, the patient might be entitled to complain about that to the privacy regulator and to your professional regulator.

To help you work through the issues, we have provided this checklist.

As a first step: read the request carefully; is it clear from the request how much and what paperwork they want from you? If not, clarify with them.

Threshold Issue: Does the Audit Request Extend to Patient Information?

Does the request, at least in part, request patient information? If not, there is no privacy issue.

The issue of patient consent, therefore, is not relevant and you should comply with the request (unless you have other concerns) privacy law only covers information that falls in the definition of personal information. Information that is de-identified or that does not and cannot identify a patient is therefore not covered. Where the audit covers only the latter, the physiotherapist does not need to worry about consent issues.

The Consent Issue

Has the PHI given you any evidence to show that the patient is giving their consent to you sharing health information about them? If so, read it closely. Does it demonstrate the consent was voluntary, informed, specific and current? If not, you should seek a fresh consent.

Absent a proper consent from the patient given to you by the PHI, seek consent from the patient, and make a note of that discussion in the patient file.

If the patient provides only limited consent (see earlier text about situations where you or the patient might have concerns), explore with the PHI whether you can adequately address audit request while respecting the patient’s wishes.

Sharing Health Information with the PHA after Getting the Consent

Do the potentially relevant records contain entries which should not be shared because they are irrelevant or inappropriate (eg, records) that:

• identify other people (other patients or the patient’s family members etc.)
• contain information, the release of which would or might embarrass or cause discomfort for the patient, and which is irrelevant for the purposes of the audit (eg, psychiatric history, psychiatric medication, sexual orientation, history of sexual abuse or victim of crime etc.).

Further information on PHI audit practices.

In this resource, we have focused on a very specific issue: audit requests by PHIs or by government authorities seeking access to patient information.

But these are not the only situations in which persons other than your patient may sometimes seek access to patient records. How you need to respond to those access requests will largely depend on who is seeking access, and what, if any authority they are purporting to rely upon (and in particular, whether they are purporting to rely on a patient consent document).

When handling these sorts of requests, you need to be aware of your responsibilities under privacy law.

All physiotherapists in private practice must comply with the Commonwealth Privacy Act and the Australian Privacy Principles (APPs) contained within it (physiotherapists in some states and territories might also have to comply with state and territory legislation). The OAIC has provided lots of accessible information pitched at the health professions to help them through these issues, and we provide some useful links.

Once you’ve got a better feel for what the APPs say and require of you, consider how each of them is currently being handled within your practice. Are there any major gaps? Are you doing things wrong? You might need help to sort through some of these issues (eg. consulting with your liability insurer).

It’s always a good idea to check in with internal and external stakeholders to see what they think about your current practices. Internal stakeholders include staff and contractors. External ones include patients and other service providers. You might be surprised by what you find.