With an increasing amount of compliance activity being undertaken by third-party organisations, the need to have an up-to-date and relevant privacy policy is paramount. The following guidance material has been developed to help you update your privacy policy, and to set out considerations regarding your rights and obligations under third-party audits.
Third Party Audit
So you’re being audited: a guide to you and your patients’ privacy rights and obligations.
Privacy Issues
Is your Privacy Policy up to scratch? How do privacy laws affect you and your patients?
Third Party Audit
Health professionals, including physiotherapists, will sometimes be notified that they are being audited by an outside organisation. That audit might be by:
- a government organisation, for example, Medicare
- a private health insurer (PHI)
- accreditation bodies, or
- compensation authorities (CTP insurer or workers compensation).
If the audit request seeks access to patient information or information identifying the patient, you should only give that information in these two situations:
- where the requesting organisation is relying on legislation that gives it the right to seek the information from you even without the patient’s consent
- in all other situations (including requests from private health insurers), with patient consent.
An audit: what is it? An audit is a systematic and independent examination of the books, accounts, records and documents of an organisation to ascertain how far the disclosures it has made present a true and fair view of the organisation’s activities.
An audit can, therefore, happen in different settings. In a physiotherapy setting, it can include audits by:
- Medicare and other government authorities
- a private health insurer
- your own practice
The focus here is on audits conducted by an external organisation where they want you to disclose information to them as part of that exercise, in particular, information about your patients.
Sometimes, the audits will be confined to reviewing administrative records. But where they also involve review of documents containing patient information, that is, records that identify your patient, you need to consider two things:
- whether the people doing the audit are in fact entitled to get that information from you, and whether you are required or permitted by law to share it with them, with or without first seeking permission from your patient
- if so, how much you should share in order to comply with your obligations, and no more.
The records you create about your patients are confidential records between you and your patient.
Not only do you have confidentiality obligations, but you have a broad range of extra responsibilities under privacy law: the Commonwealth Privacy Act and the Australian Privacy Principles (APPs) made under it govern your ‘cradle to grave’ responsibilities for the way you manage personal information about your patients.
Because you deal with patient health information, the privacy law imposes extra responsibilities on the way you need to manage this ‘sensitive’ information (by law, all health information is sensitive and therefore requires extra protection). This legislation covers all physiotherapists in private practice (the ACT, Victoria and New South Wales have similar legislation covering the private sector as well).
The relevant state and territory health information statutes are the Health Records Act 2001 (Vic), the Health Records and Information Privacy Act 2002 (NSW) and the Health Records (Privacy and Access) Act 1997 (ACT).
The starting proposition is that you cannot share confidential health information with third parties except:
- with the consent of your patient, or
- by operation of law (which can be a very broad concept). The OAIC has prepared guidance on situations where it is lawful to share information even without the consent of a patient. See, for instance, its Guide to Health Privacy.
Whether an auditing organisation is entitled to patient information from you depends on:
- whether they are relying on a legislative right to get the information from you, or
- whether they are simply relying on the terms of an agreement or contract.
The basic position is this:
- in situation 1, you should comply with the request
- in situation 2, it’s a little more complex and you might need to do more before agreeing to share the information.
Let’s deal with each one in turn.
Medicare, and its legislated right to get information
A Medicare audit relies on specific legislation which gives Medicare powers to do the audit. Privacy law recognises this as a legitimate situation where you can, and must, share information, regardless of whether the patient is aware of the request and regardless of whether they give their consent.
Privacy law describes this as a situation where you are ‘required or authorised by or under an Australian law or a court/tribunal order’. ‘Australian law’ is defined to include an Act of the Commonwealth or of a State or Territory, a regulation or any other instrument made under such an Act, and a rule of common law or equity (see section 6(1) of the Privacy Act for the full definition).
So that means that privacy concerns are not an issue when Medicare writes to you seeking information or documents to help it determine whether it properly paid a Medicare benefit to you for a professional service. If the requested information or documents contain health information about an individual, you will be protected under the Privacy Act; the patient cannot claim that you unlawfully breached their privacy.
Seek advice when you are unsure
Where you are not certain of your responsibilities and whether you should be sharing information about your patients in response to a request, or where you feel that the audit is signalling that you soon might be involved in a complex dispute about your billing practices, you should seek advice from your liability insurer.
PHIs, and the paperwork (and consent) they rely on
Unlike Medicare and other government authorities, PHIs are not relying, and cannot rely, on any specific legislation or Australian law giving them powers to access information about your patients.
Instead, they are relying on:
- contract terms agreed to between you and them
- contract terms agreed to between them and the patient, and occasionally
- some form of paperwork they had earlier shared with the patient which they say shows that the patient has given their consent.
A contract does not fall in the privacy law’s definition of Australian law.
Contract terms are important to understanding rights, roles and responsibilities between you and the PHI.
And it is absolutely true that every PHI is entitled to take steps to satisfy itself that the payments it is required to make are being properly made.
No contract can require you to break the law, including the laws around privacy and confidentiality. (Some, but importantly not all, PHIs specifically acknowledge this in their rules and therefore focus on requiring the health professional to seek and obtain the necessary consent.)
In other words, although you should meet the obligations that your agreement with the PHI imposes on you, you need to do so in a way that complies with the requirements of privacy law.
How do PHIs usually seek to persuade you that you should share with them patient information for the purposes of their audit?
Generally, they can, and do, make their access request in several ways; usually, those requests refer to:
- the contractual rights of the PHI to seek access to information
- your contractual responsibility to cooperate with their investigations and requests for information, and
- the fact that the PHI had earlier shared with the patient information about the PHI’s proposed information collecting practices (and occasionally, they might argue that through this the patient has in effect consented to you complying with the audit request).
Rarely, if ever, do the request letters come with a signed consent document from the patient consenting to the disclosure of information about them for the purposes of an audit (or, for that matter, any other purpose).
Is that good enough?
Probably not. You will need to do more to satisfy yourself that the patient has consented, and that that consent is real, informed and current.
What about the fact that the patient previously ‘signed up’ with the PHI and apparently did not object to the information-handling practices the PHI described in the paperwork it apparently shared with the patient?
Does that demonstrate that they have given their consent? Probably not. Many questions remain unanswered: did they ever read the document? If they read it, did they understand it? Even if they agreed back then, will that still be their position?
The Office of the Australian Information Commissioner made these relevant observations, in its Guide to Health Privacy:
‘... It should not be assumed that an individual has given consent on the basis alone that they did not object to a proposal to handle personal information in a particular way. [You] cannot infer consent simply [because the individual was given] notice of a proposed collection, use or disclosure of personal information. It will be difficult for an entity to establish that an individual’s silence can be taken as consent. Consent may not be implied if an individual’s intent is ambiguous or there is a reasonable doubt about the individual’s intention.’
You therefore need to do more. You need to either:
- ask the insurer to demonstrate that they have obtained consent in the way described above, or
- (if you doubt the insurer has any or adequate proof of consent) do it yourself (ie, contact the patient).
What happens if you just decide to rely on the written assurances from the PHI that the patient has previously agreed to this sharing, and that you are required under the rules to do that sharing? While that certainly was a common practice in the past, it is an increasingly unsustainable one from a ‘privacy best practice’ perspective.
The fact that the PHI routinely gives customers or patients a batch of paperwork does not mean that your patient has either read it, understood it or would remember it today, and they are free to revoke their consent if they change their mind (but if they do that, they need to understand the consequences of that revocation eg, potential loss of cover etc.).
Similarly, even if the various privacy documents you had (or may have) earlier created for your patients (privacy policy, collection notice, consent form, registration form, etc.) specifically mentioned the possibility that you might share patient information with an insurer doing an audit, a ‘best practice’ approach would still encourage you to seek a current, meaningful and informed consent.
For all of these reasons, where the audit request involves a request for patient information (as opposed to non-identifying materials), you should seek the consent of the patient before you share those materials with the insurer.
Perhaps you have already mentioned to your patients — verbally or in writing — that on occasion you might need to share information about them with PHIs. For example, maybe refer to this in:
- your written privacy policy
- patient registration forms
- collection statements or notices
- general consent forms the patient completes at the start of their relationship with you.
That’s a good start. But you still need to do more; you need to seek consent.
These are the key elements of a legally effective consent:
- the patient is adequately informed before giving the consent
- they give that consent voluntarily
- the consent is current (12 months might be a rough guideline) and specific (does it clearly indicate to whom the records can be released and which records are covered by the consent?), and
- the patient has the capacity to understand and communicate their consent. Capacity might be in question where the patient is a child, or where the patient has an intellectual disability or a cognitive impairment, but only where the disability or impairment compromises their ability to consent. When the patient is not able to give consent, you need to seek consent from the person authorised by law to provide consent in their place.
Whoever from your practice speaks with the patient, they will need to explain to them why the insurer has requested the information, and the implications of disclosing (or not disclosing) the requested details to the insurer. In most situations, this will require saying not much more than this:
‘We have received a request from your insurer to audit some of our paperwork relating to you. Do we have your consent to share that paperwork with them?’
If and when you obtain that consent, you should make a note in the patient’s record. If you have the discussion and the patient refuses to consent, you should clarify why they are objecting. You should explain to them the potential consequences of their refusal to consent (eg, potential loss of insurance cover). You should then make a note of the discussion, including any reasons the patient is given for refusing to consent. You will then need to explore with the PHI whether you can comply with the audit request in a way that respects the patient’s wishes.
If the patient consents but has concerns about the sharing of certain information, you need to explore those concerns and then determine whether you could share the records in the way preferred by the patient. Make a note of the discussion and any agreed limitations on sharing in the patient’s record. You will then need to explore with the PHI whether you can comply with the audit request in a way that respects the patient’s wishes.
If you believe or suspect the patient is unaware that disclosure of the requested records will also result in the sharing of particularly sensitive material (eg, mental health or sexual history issues), check that the patient is aware of that and confirm that they can be released. Make a note of the discussion in the patient’s record.
Even if you have received from the PHI or obtained by yourself a valid patient consent, you still need to handle that information in a way that respects the privacy interests of your patient. Simply giving the auditor a complete copy of the records, much of which is often completely irrelevant, does not respect the patient’s privacy.
That means you should give the minimum necessary to comply with the audit rather than giving the auditor more than they wanted or needed.
Medicare recognises this: its Guideline for Substantiating Valid Individual Allied Health Services states that:
‘In most cases, a patient's clinical information will be the only way to confirm that the patient attended the service, and to substantiate you received the correct Medicare benefit. If you need to use a patient's clinical information you can censor any details that aren't relevant. You can also choose to provide the information to one of our medical advisers.’
This situation is identical when any other government authority is relying on legislative powers which specifically entitle it to seek access to clinical materials from you.
And it’s a sensible approach to use with a PHI as well.
To do that, you need to identify and then reflect on the scope of the legitimate audit enquiry. That means you should provide the minimum amount of patient information that is necessary and appropriate to respond to the enquiry, but no more. In fact, if you shared way more than you were required to by law, the patient might be entitled to complain about that to the privacy regulator and to your professional regulator.
To help you work through the issues, we have provided this checklist.
As a first step: read the request carefully; is it clear from the request how much and what paperwork they want from you? If not, clarify with them.
Threshold Issue: Does the Audit Request Extend to Patient Information?
Does the request, at least in part, request patient information? If not, there is no privacy issue.
The issue of patient consent is therefore not relevant, and you should comply with the request (unless you have other concerns). Privacy law only covers information that falls within the definition of personal information. Information that is de-identified, or that does not and cannot identify a patient, is therefore not covered. Where the audit covers only such information, the physiotherapist does not need to worry about consent issues.
The Consent Issue
Has the PHI given you any evidence to show that the patient is giving their consent to you sharing health information about them? If so, read it closely. Does it demonstrate the consent was voluntary, informed, specific and current? If not, you should seek a fresh consent.
Absent a proper consent from the patient given to you by the PHI, seek consent from the patient, and make a note of that discussion in the patient file.
If the patient provides only limited consent (see the earlier text about situations where you or the patient might have concerns), explore with the PHI whether you can adequately address the audit request while respecting the patient’s wishes.
Sharing Health Information with the PHI after Getting the Consent
Do the potentially relevant records contain entries which should not be shared because they are irrelevant or inappropriate, eg, entries that:
- identify other people (other patients or the patient’s family members etc.)
- contain information, the release of which would or might embarrass or cause discomfort for the patient, and which is irrelevant for the purposes of the audit (eg, psychiatric history, psychiatric medication, sexual orientation, history of sexual abuse or victim of crime etc.).
Further information on PHI audit practices.
In this resource, we have focused on a very specific issue: audit requests by PHIs or by government authorities seeking access to patient information.
But these are not the only situations in which persons other than your patient may seek access to patient records. How you need to respond to those access requests will largely depend on who is seeking access, and what, if any, authority they are purporting to rely upon (and in particular, whether they are purporting to rely on a patient consent document).
When handling these sorts of requests, you need to be aware of your responsibilities under privacy law.
Privacy issues
Maintaining the privacy of your patients’ personal information, including their health information, is not just a professional and ethical responsibility; it is a legal one as well.
Privacy laws impose a range of responsibilities on you, many of which are quite demanding because of the sensitive nature of the information that you collect, use and sometimes disclose about your patients (the law says that ALL health information is by definition ‘sensitive’).
There are several different types of information-handling disclosure documents you might also routinely provide to your patients at, during or shortly after your first interaction with them.
This document focuses on the written privacy policy which every health professional in private practice, even a sole practitioner, is required to have. In it, we set out:
- a template (with commentaries) which you might want to use to check against your current policy (if you have one) in order to see whether you need to update or change it in any way
- links to resources to help you develop or update your written privacy policy.
The minimum information that a Privacy Policy must contain includes telling your patient:
- what information you collect about them, how you collect it and why you collect it
- how, and when you propose to use (internally) and share or disclose (externally) that information
- what right they have to seek access to information you hold about them, and to seek correction of that information
- what right they have to complain about your information-handling practices, and to whom
- whether you are likely to disclose information about them to overseas recipients, and if so, more detail about when and why you do that, and where the recipients are based.
But the level of detail in your policy will really depend on the size of your practice, how much and what type of information you collect, use and disclose, how you store and secure the information and whether you transfer information overseas.
For that reason, it’s important to modify this resource to make sure it properly records your (lawful) information-handling practices and does not either over or understate them.
Once you are satisfied that your privacy policy is up to scratch, you must then make it freely available to patients so that they know that you have one, and they know how and where to find it. You might want to display it at practice receptions, refer to it in key documents (eg, registration forms and other notices) or, if you have a website, on your website.
Remember though: complying with the law means more than creating the right paperwork. Every physiotherapist has an independent obligation to identify how the law requires them to behave, and to then comply with those requirements. Fortunately, privacy regulators have provided a lot of helpful material on the topic. We set out links to some of that material later.
A disclaimer from the APA — and a warning
This resource is intended for you to use as a guide only. It might not be relevant to your particular practices or your particular circumstances. If the resource describes a practice which you do not actually do, you either need to:
- modify the document or (and maybe more importantly)
- modify your practice to make sure it complies with the laws paraphrased in the resource.
In any event, you will need to exercise your own skill and judgement when seeking to adopt or adapt this resource. And you may want to seek appropriate professional advice as well.
Because this is a general resource only, the APA disclaims any and all liability (including liability for negligence) to any users of this resource. That disclaimer extends to any loss or damage, cost or expense incurred or that arises by reason of relying on this resource in any manner.
Preliminary thinking and planning
Creating a privacy policy requires more than simply generating a nice-looking document; it needs to reflect the realities of your information handling practices, and to reflect what the law requires and permits you to do with information about your patients.
It is also part of a broader set of responsibilities you have to be proactive in establishing, implementing and maintaining privacy processes in your practice.
Recently, the Office of the Australian Information Commissioner (OAIC) released its ‘Guide to Health Privacy’, which describes the key practical steps you might want to take to embed privacy into your practice:
- develop and implement a privacy management plan
- develop clear lines of accountability for privacy management
- create a documented record of the types of personal information you handle
- understand your privacy obligations and implement processes to meet those obligations
- hold staff training sessions on privacy obligations
- create a privacy policy
- protect the information you hold and
- develop a data breach response plan.
That’s quite a lot of ground to cover. But at a minimum, and before finalising or updating your own privacy policy, you might want to think about doing the following things:
All physiotherapists in private practice must comply with the Commonwealth Privacy Act and the Australian Privacy Principles (APPs) contained within it (physiotherapists in some states and territories might also have to comply with state and territory legislation). The OAIC has provided lots of accessible information pitched at the health professions to help them through these issues, and we provide some useful links.
Once you’ve got a better feel for what the APPs say and require of you, consider how each of them is currently being handled within your practice. Are there any major gaps? Are you doing things wrong? You might need help to sort through some of these issues (eg, consulting with your liability insurer).
It’s always a good idea to check in with internal and external stakeholders to see what they think about your current practices. Internal stakeholders include staff and contractors. External ones include patients and other service providers. You might be surprised by what you find.
Useful links
From the Office of the Australian Information Commissioner
Privacy: What is a Privacy Policy?
APP guidelines: Open and transparent management of personal information