Six steps to protect your practice based on common MLAS queries


Our Avant Medico-Legal Advisory Service (MLAS) handled over 20,000 calls last year, advising members and practices on how to prevent or respond to adverse incidents. Available 24/7 in emergencies, our MLAS provides expert advice to help minimise the chance of a complaint or claim occurring. Based on common queries our MLAS have received, here are six steps to take to protect your practice.

1. Know your mandatory data breach requirements

This year, new legislation came into effect on 22 February, placing a legal obligation on doctors and practices within the private sector to notify individuals – and the Office of the Information Commissioner (OAIC) – if their information has been affected by a ‘notifiable data breach.’

A data breach must be notified if it is likely to result in serious harm and remedial action cannot be taken to prevent the likelihood of serious harm.

To reduce the risk of a privacy breach in the first place, it’s important to take the following steps in your practice:

  • ensure you and your staff are aware of your privacy obligations
  • review and update your practice’s privacy policy outlining how information is collected, used and disclosed in your practice
  • review and update privacy and security procedures, including processes for managing staff authorisation, authentication and access to records
  • create a process for proactively detecting data breaches
  • create a detailed data breach response plan if a privacy or security breach is discovered
  • create a business continuity plan and disaster recovery plan, so that if there is a disruption to your systems you can continue to operate your practice.

If you aren’t already familiar with the new privacy laws, read our article or visit our website for more resources.  

2. Understand Medicare requirements

Medicare is paying closer attention to doctors’ activities. The Department of Health is increasing its Medicare and Professional Services Review compliance activity. Medicare audits have recently been conducted in relation to the billing of initial and subsequent consultation items by specialists and the use of overnight sleep study items by sleep physicians.

Doctors are legally responsible for services billed to Medicare under their Medicare provider number or in their name. Doctors are also responsible for incorrect claims regardless of who does the billing or receives the benefit.

To ensure services are billed correctly under Medicare, practices are advised to:

  • make sure the doctor under whose provider number services are to be billed reviews and authorises the items claimed
  • use the full online version of the Medicare Benefits Schedule (MBS) to determine what services are billed and always refer to any explanatory notes. This is better than relying on abbreviated summaries of the MBS
  • review the Department of Health’s range of online resources which assist practices and doctors in understanding the MBS and billing services accurately, for example, item numbers for skin excision items and Chronic Disease Management plans
  • be especially careful to ensure chronic disease management plans are billed appropriately – particularly in relation to the need to consult with contributing providers about the care they will provide in a Team Care Arrangement and the review of those arrangements.

For more information on specialist referrals and initial consultations, refer to our article and decision-making flowchart.

3. Know what is, and isn’t, advertising

Many practices are unintentionally breaching national advertising laws through the use of testimonials and social media.

In April 2017, the Australian Health Practitioner Regulation Agency (AHPRA) outlined its approach to enforcing compliance with advertising standards. With a renewed focus on advertising compliance, and significant penalties for breaches, it is important to understand how you can promote your practice while staying within the law. Review AHPRA’s Guidelines for Advertising Regulated Health Services to understand your responsibilities.

Some key tips include:

  • avoid using language or images which may mislead or cause a patient to have an unreasonable expectation of beneficial treatment
  • don’t use testimonials or repost positive comments from other social media platforms
  • set your website and other social media platform settings so that users are unable to leave comments.

For more information on what you can and can’t advertise, read our article.

4. Use electronic communication appropriately

Practices are increasingly embracing technology such as SMS or email to communicate with their patients. While this certainly has benefits, it’s important to keep in mind that electronic communications may be subject to cyber threats, privacy obligations and the Spam Act 2003 (Cth).

If you are communicating with your patients via SMS, refer to our factsheet for tips when using this channel and developing an SMS messaging policy.

Patients and organisations are increasingly requesting that information be sent to them via email. Your practice has an obligation to take reasonable steps to protect the privacy and security of information it holds including when it is transmitted or disclosed outside the organisation.

The use of passwords or encryption can reduce the risk of a data breach, although there is no legal requirement that emails be encrypted or password protected. The Royal Australasian College of General Practitioners provides guidance on using email for practices to reduce the risk of interception of data and sending emails to incorrect addresses, including:

  • use of passwords
  • use of encryption
  • verification of the recipient’s email address
  • obtaining consent
  • use of secure messaging facilities between practices.

You should have a policy and procedure in place to manage the electronic transmission of personal information, including the steps the practice will take to ensure the privacy and security of information transferred outside your practice is protected.

5. Know what patient information can be disclosed to third parties

Practices and doctors can share a patient’s medical information with a third party if they have authority from the patient to do so or are required to by law.

Carefully read the information request and the patient’s authority to ensure the correct documentation is shared and that it’s within the scope of the patient’s authority.

Examples where legislation requires you to share health information without the patient’s express permission include:

  • public health requirements to report infectious diseases
  • summons or subpoenas to produce medical records to a court or tribunal
  • a police search warrant.

Read our article to find out the requirements for consent, your legal obligations and when you can refuse to provide medical records. You can also watch our video, Managing requests for medical records.

6. Update policies and processes for transition to the RACGP’s new practice standards

In October 2017, the RACGP released the Standards for general practices (5th edition) (the Standards).

In order to align with the Standards, GP practices will need to update their policies, procedures and processes. It is also important that these changes are communicated to the practice team so that they are understood and implemented in a timely manner. Read our article for more information on the new modules and indicators covered in the Standards.

If you have a PracticeHub subscription, you will notice that the updated policies and procedures were added to your site from 1 December, 2017.

It is important that all practices:

  1. review the new Standards for general practices (5th edition)
  2. review the new content and ensure they have procedures in place to ensure staff know how to comply with these changes
  3. allocate the changes to the relevant roles in your practice for compliance sign-off.

Practices undertaking accreditation over the next 12 months should check with their accreditation provider about the changeover date for assessment. Accreditation providers are also conducting webinars and workshops on the requirements for practices to meet the new Standards.

By: Avant media

May 10, 2018