The Australian Medical Association Limited and state AMA entities comply with the Privacy Act 1988. Please refer to the AMA Privacy Policy to understand our commitment to you and information on how we store and protect your data.



15 Nov 2018


The Department of Health regularly conducts compliance audits of practitioners to ensure that the amounts claimed under the Medicare Benefits Schedule (MBS) are correct. I thought it might be beneficial to provide you with some information about the Department’s processes, your obligations and options when responding to an audit. The AMA’s Legal Counsel has assisted me in this to ensure you understand the process and are equipped to respond to any compliance concerns that may arise while still protecting patient privacy.

When conducting an audit, the Department’s general approach is to:

(1)       identify the practitioners to be targeted in the audit. This could be through tip offs or data analysis;

(2)       send the identified practitioners a letter asking them to verify their compliance; and

(3)       depending on the audit target’s response, issue a Notice to Produce under section 129AAD of the Health Insurance Act 1973.

The following looks at the privacy and other issues that GPs and general practice managers need to be aware of at each stage of the process. 

Initial letter

The initial letter will usually advise the practitioner of the concern that has given rise to the compliance action; and ask them to provide evidence that they have met the requirements of the items being audited. This evidence is usually in the form of some documentation.

Practitioners should note that this letter is asking practitioners to voluntarily: 

  • provide documentation to support their claims; or
  • acknowledge where they have not fully met the requirement of the item claimed and thus have been overpaid.

Practitioners need to be mindful of protecting patient privacy when voluntarily providing documentation to support their claims. The sections below have more information on why and how.

Practitioners who think they may have claimed inappropriately may avoid an administrative penalty if they voluntarily acknowledge their error and the overpayment of benefits. Where the Department has already sent an initial letter, the maximum reduction of the administrative penalty is 50 per cent. Any overpayments plus any applicable penalty will then be raised as debt owing for repayment.

Notice to Produce

Depending on the outcome of the initial letter, the Department may issue a Notice to Produce.

A practitioner can still receive a reduction in the administrative penalty after a Notice to Produce is issued, if they voluntarily acknowledge the overpayment before the time to respond to the Notice to Produce expires. However, the maximum reduction is lower (25 per cent) than if the practitioner had acknowledged the error prior to receiving the Notice to Produce.

Practitioners will have at least 21 days to respond before the Notice to Produce expires and a debt for the claims in question is raised.

Privacy issues

Australian Privacy Principle 6 prohibits practitioners from disclosing their patient’s records unless an exception applies. A key exception is where disclosure is ‘required or authorised by law’ (APP 6.2).

A practitioner is legally required to comply with a Notice to Produce. This means that a practitioner will not be breaching the Privacy Act if they provide patient information in response to a Notice to Produce. However: 

  • practitioners should only provide patient information to the extent necessary to comply with the Notice to Produce; and
  • the AMA recommends that practitioners exercise their statutory right to only provide documentation containing ‘clinical details relating to an individual’ to a departmental medical adviser.

By contrast, a practitioner may breach the Privacy Act if they provide any documentation containing health information prior to the Department issuing a Notice to Produce. This is because practitioners are not legally required to respond to the initial letter. This means that practitioners:

  • should not volunteer any patient information at the initial letter stage; and
  • if they do choose to respond, must redact enough personal information to protect the privacy of the patient.

So why does the Department send initial letters?

Part of the reason why the Department sends initial letters is that voluntary compliance avoids more expensive and difficult compliance processes. 

The other reason is that section 129AAD of the Health Insurance Act provides that the CEO Medicare must give practitioners an opportunity to respond to a request for documents before they issue a Notice to Produce. In other words, they must ask you to provide supporting documentation even though it is not mandatory for you to do so, and if you do and that documentation contains patient information you will be breaching the Privacy Act, before they can issue a binding Notice to Produce, which then protects you under the Privacy Act for providing the information.

Other consequences of voluntary repayments

The AMA appreciates that practitioners may choose to voluntarily acknowledge an overpayment to avoid the administrative costs of locating records to prove their claims were legitimate. However, practitioners should be aware that if they voluntarily acknowledge an overpayment, any associated incentive payments claimed in conjunction with the payments for services that have been voluntarily acknowledged will also be recoverable.

The Department of Health also discourages practitioners from voluntarily acknowledging “no service” when a service was provided because of the flow on impacts on the patient’s My Health Record and MBS claim history.

Accordingly, it is recommended that practitioners consult with their medical defence organisation before responding or submitting any documentation to the Department to ensure they are aware and understand the financial and legal consequences. 

Published: 15 Nov 2018