Navigating the auditing process made easy


Typically, the fear around being audited is worse than the process itself. Being audited comes with many roles and responsibilities for clinicians—and it is important to know what they are, particularly when it comes to safeguarding confidential patient information.

According to APA audit and privacy information, an audit is ‘a systematic and independent examination of books, accounts, records and documents of an organisation to ascertain and be presented a true and fair view of the organisation’s activities.’ Audits can be carried out by Medicare, private health insurers (PHIs) or internally within a practice or franchise.

So what information does an auditor have the right to request? What are the laws around patient consent and the distribution of patient information? And, by extension, what is a physiotherapist’s responsibility when it comes to patient confidentiality? How do you effectively communicate with a PHI conducting an audit without hindering future relationships? And what is involved in the auditing process?

One vital point to consider when being audited is consent. It is up to the clinic to ensure that their client is aware of their rights when PHIs request the client’s information during the auditing process. When a new client visits a clinic, they often fill out a new client form which may have a privacy clause included.

But does that give clinicians the right to hand out information without notifying the patient? In short, no, it does not. This is why it is imperative for a practice to have a privacy policy in place, and for staff within that practice to understand that privacy policy.

The APA advocacy team has been working on a document, which is adaptable to suit a variety of clinical settings, that details the handling of confidential patient information. A privacy policy template is also being designed to help physiotherapists ensure they are handling sensitive information correctly and legally. 

APA members have access to a helpful guide that can be used as a template for a privacy policy for their own clinic. This template enables appropriate changes and adaptions to be made so as to tailor it to different clinical settings. It is important to note that different clinics have different needs and expectations when it comes to privacy and being audited. Details can be found on the APA website at

Just like the issue of consent, compliance with the many PHI codes is another tricky area for clinicians to navigate as part of the auditing process. The issue that many practitioners face is understanding what different PHIs deem appropriate for the different claim codes—and how to apply these seemingly varying definitions to ensure compliance. Some PHIs are more hard-line in their interpretation than others, and this can leave some business owners uncertain as to whether their interpretation matches that of the PHI.

The most recent example of this emerged in the wake of the federal government’s review of the rebate for natural therapies. In 2017, the federal government announced plans to make certain natural therapies ineligible for private health insurance rebates, among them Pilates. The government’s original position was that Pilates would not be rebatable, regardless of who delivers it or how it is delivered.

In 2018 that was revised to allow a PHI to lawfully pay benefits if a physiotherapist, providing services to a patient within the accepted scope of clinical practice, uses exercises or techniques drawn from Pilates as part of that patient’s treatment, as long as the exercises or techniques are within the accepted scope of clinical practice.

In order to ensure they are meeting their legislative requirements, PHIs may audit physiotherapy clinics to ensure the clinics—and their physiotherapist staff—are complying with the particulars of their interpretation.

Here, two practice owners who have been through the auditing process with PHIs in regard to Pilates code compliance share their experiences with InMotion.

Sarah’s story

Sarah* is the owner of a physiotherapy practice in NSW, and she says she has always endeavoured to have all of her sessions categorised according to her best knowledge of the legislation and definitions.

After a recent audit, a PHI found Sarah’s practice was in breach of their definitions of codes being claimed. The decision to block Sarah and her clients from claiming group consultations left her feeling ‘confused and frustrated’.

She explains that her next steps after receiving this notice included ‘a lot of emails back and forth between myself and the PHI representative, with me even inviting them to come to the studio to view how we run our sessions—maximum three clients per physiotherapist. Each with an individualised program, regular re-assessment, and definitely not doing the same exercise as each other.’

At Sarah’s practice, one physiotherapist had the notes of three patients audited. All three patients had seen the same practitioner between November 2018 and July 2019.

Before being audited, Sarah wholeheartedly believed that she was complying with the legislative changes and had nothing to fear from an audit.

Sarah and her staff continue to have a relationship with the PHI, but she implores fellow business owners to keep ‘clients informed about what is going on and the measures you are taking throughout the process. And make sure you always keep comprehensive clinical notes.’

Her advice is to ‘write group session notes in the same way as you would a 505 physiotherapy session.’

(*Sarah is a pseudonym used at the practice owner’s request.)

Trish’s story

Trish Edwards, the owner of Physio Spot in Melbourne, Victoria, had her practice audited by the same PHI as Sarah. Trish says she recalls feeling ‘concerned that they [PHI] felt they had the right to see clinical records.’ This, she says, put her in the uncomfortable position of having to seek permission from some of her clients to send their records to the PHI. 

During the audit, Trish says a discrepancy was found where three audited patients were not charged the initial 500 code through private health. These patients had enhanced primary care (EPC) plans from their GPs. The EPC entitles them to five physiotherapy sessions to be subsidised by Medicare. The PHI was concerned the clients had been ‘attending group exercises without the initial assessment and planning as they hadn’t received a claim for item number 500.’

Trish says she felt conflicted about the issue of sharing clinical notes, and that she felt that it was not enough for her to provide records of dates, invoices and confirmation of the EPC claim through Medicare. She says the PHI was adamant that they see the clinical notes for the three patients in question, and that proof of attendance would not be sufficient for the audit.

‘We felt we had a duty to our patients to ask their permission first before sending records to PHI—and one patient refused. The PHI wrote a letter stating she [the patient] and my clinic would have to reimburse them for the cost of those consultations. This patient became quite stressed and decided to give her permission to have her clinical record sent to the PHI.’

Trish’s advice to other practitioners is that ‘if the PHI has their mind set on seeing the clinical record, it’s best to comply with their request.’ However, she says it is vital to make clients aware of the request for their clinical record immediately, get their consent in writing and keep them involved in the process.

The handling and transmission of personal information is a delicate balance of knowing clinicians are doing the right thing within a business, and doing right by their clients. Naming the classes and meeting the new legislative changes, as well as charging the correct item codes for sessions is one thing, but ensuring transparency between clinicians, PHI and patients is an incredibly important, and complex, process.

The document ‘Third-party audits and privacy issues’ on the APA advocacy page states that ‘unlike Medicare and other government authorities, PHIs are not relying and cannot rely on any specific legislation of Australian law giving them powers to access information about your patients.’

Find help here

If you need assistance with being audited, there is information available on the APA advocacy page at, and through the APA member services team on 1300 306 622.



© Copyright 2018 by Australian Physiotherapy Association. All rights reserved.