Serious privacy concerns have been raised with proposed laws that would see Medicare data matching activities expanded to better detect fraudulent or incorrect claims.
The legislation, which was first unveiled in September, will introduce a new data matching scheme for the Department of Health to access and share health information for Medicare compliance purposes.
The proposed changes would give the department unrestricted freedom to access sensitive Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data currently accessible in only “narrow circumstances”.
Under the legislation, at least some of this information could be disclosed to other federal government agencies for both Medicare compliance purposes and to “assist them in performing their functions”.
Private health insurers could also provide data to the Department of Health on a “voluntary basis” for Medicare compliance activities, though Medicare data will not be shared with those insurers.
But a number of organisations have raised concerns with the draft legislation, which has since been altered and introduced to Parliament – just two weeks after the consultation period closed – as the Health Legislation Amendment (Data-Matching and Other Matters) Bill 2019.
While supporting the end goal of improved accountability around the MBS, the Australian Medical Association (AMA) said the draft bill “did not strike the right balance between using matched data for MBS/PBS compliance and the patient’s right to privacy”.
Of particular concern to the peak body representing doctors is the department’s ability to access MBS and PBS data currently accessible only in “narrow circumstances”, and therefore bypass the National Health (Privacy) Rules 2018.
And while the AMA appreciates the addition of new privacy provisions in the bill to counterbalance the changes and that the Australian Office of the Information Commissioner may conduct assessments, it believes they don’t go far enough.
“The department will no longer have to comply with the Privacy Rules – including the specific protocols for data matching – established by the Information Commissioner under section 135AA of the National Health Act,” the peak body said.
The AMA also has “major concerns” that the provision allowing private health insurers to provide the department with information for compliance activity “is not limited to situations where the private health insurer reasonably believes there has been some non-compliance”.
“Private health insurers could legally send their entire database to the department in the hope that the department will identify and query outliers,” the AMA hypothesises.
A number of other concerns raised by the AMA, including loose drafting around data disclosure, appear to have been addressed in the final legislation introduced to Parliament.
Introducing the bill in late October, Health Minister Greg Hunt stressed the legislation “will not expand [the department’s] existing compliance powers” or change the approach it currently takes.
“I consider that this bill strikes the right balance by facilitating the important public policy objective of protecting the integrity of our taxpayer funded health system, while enshrining strong principles to protect the privacy and security of personal health data,” he said.
“As Minister for Health, I will be required to put in place governance arrangements for data matching for Medicare compliance purposes through a legislative instrument that prescribes how information for data matching will be handled.
“The legislative instrument will ensure that the use, storage, access and handling of data protects privacy.”
This appears to go some way towards addressing privacy concerns raised by Sydney-based data consultancy Vanteum, which used its submission to argue the privacy protections prescribed in the draft bill were old hat.
“Without a more comprehensive set of provisions for privacy assurance, every Australian citizen will have their privacy put at serious risk in order to achieve the public good that the bill aims to achieve,” it said.
“However, this risk can be mitigated through appropriate design and implementation of privacy-prescribing data sharing capabilities that are based on more contemporary methods.”
A heavily modified section 132F in the bill requires that the Health Minister now “make principles in relation to the matching of information [by the Medicare CEO]”.
The Royal Australian College of General Practitioners (RACGP) also holds concerns with the scheme, particularly around when and how MBS and PBS data will be used.
“Data matching is a complex exercise and there are numerous risks associated with it. Without proper safeguards, there is potential for the reforms to go beyond their purpose of strengthening Medicare compliance,” it said.