Six steps to protect your practice based on common queries

May 10, 2018

Our Medico-Legal Advisory Service (MLAS) handled over 20,000 calls last year, advising members and practices on how to prevent or respond to adverse incidents. Available 24/7 in emergencies, our MLAS provides expert advice to help minimise the chance of a complaint or claim occurring. Based on common queries our MLAS have received, here are six steps to take to protect your practice.

1. Know your mandatory data breach requirements

This year, new legislation came into effect on 22 February, placing a legal obligation on doctors and practices within the private sector to notify individuals – and the Office of the Information Commissioner (OAIC) – if their information has been affected by a ‘notifiable data breach.’

A data breach must be notified if it is likely to result in serious harm and remedial action cannot be taken to prevent the likelihood of serious harm.

To reduce the risk of a privacy breach in the first place, it’s important to take the following steps in your practice:

  • ensure you and your staff are aware of your privacy obligations
  • review and update your practice’s privacy policy outlining how information is collected, used and disclosed in your practice
  • review and update privacy and security procedures, including processes for managing staff authorisation, authentication and access to records
  • create a process for proactively detecting data breaches
  • create a detailed data breach response plan if a privacy or security breach is discovered
  • create a business continuity plan and disaster recovery plan, so that if there is a disruption to your systems you can continue to operate your practice.

If you aren’t already familiar with the new privacy laws, read our article or visit our website for more resources.  

2. Understand Medicare requirements

Medicare is paying closer attention to doctors’ activities. The Department of Health is increasing its Medicare and Professional Services Review compliance activity. Medicare audits have recently been conducted in relation to the billing of initial and subsequent consultation items by specialists and the use of overnight sleep study items by sleep physicians.

Doctors are legally responsible for services billed to Medicare under their Medicare provider number or in their name. Doctors are also responsible for incorrect claims regardless of who does the billing or receives the benefit.

To ensure services are billed correctly under Medicare, practices are advised to:

  • make sure the doctor under whose provider number services are to be billed reviews and authorises the items claimed
  • use the full online version of the Medicare Benefits Schedule (MBS) to determine what services are billed and always refer to any explanatory notes. This is better than relying on abbreviated summaries of the MBS
  • review the Department of Health’s range of online resources, which assist practices and doctors in understanding the MBS and billing services accurately, for example, item numbers for skin excision items and Chronic Disease Management plans
  • be especially careful to ensure chronic disease management plans are billed appropriately – particularly in relation to the need to consult with contributing providers about the care they will provide in a Team Care Arrangement and the review of those arrangements.

For more information on specialist referrals and initial consultations, refer to our article and decision-making flowchart.

3. Know what is, and isn’t, advertising

Many practices are unintentionally breaching national advertising laws through the use of testimonials and social media.

In April 2017, the Australian Health Practitioner Regulation Agency (AHPRA) outlined its approach to enforcing compliance with advertising standards. With a renewed focus on advertising compliance, and significant penalties for breaches, it is important to understand how you can promote your practice while staying within the law. Review AHPRA’s Guidelines for Advertising Regulated Health Services to understand your responsibilities.

Some key tips include:

  • avoid using language or images which may mislead or cause a patient to have an unreasonable expectation of beneficial treatment
  • don’t use testimonials or repost positive comments from other social media platforms
  • set your website and other social media platform settings so that users are unable to leave comments.

For more information on what you can and can’t advertise, read our article.

4. Use electronic communication appropriately

Practices are increasingly embracing technology such as SMS or email to communicate with their patients. While this certainly has benefits, it’s important to keep in mind that electronic communications may be subject to cyber threats, privacy obligations and the Spam Act 2003 (Cth).

If you are communicating with your patients via SMS, refer to our factsheet for tips when using this channel and developing an SMS messaging policy.

Patients and organisations are increasingly requesting that information be sent to them via email. Your practice has an obligation to take reasonable steps to protect the privacy and security of information it holds including when it is transmitted or disclosed outside the organisation.

The use of passwords or encryption can reduce the risk of a data breach, although there is no legal requirement that emails be encrypted or password protected. The Royal Australasian College of General Practitioners provides guidance on using email for practices to reduce the risk of interception of data and sending emails to incorrect addresses, including:

  • use of passwords
  • use of encryption
  • verification of the recipient’s email address
  • obtaining consent
  • use of secure messaging facilities between practices.

You should have a policy and procedure in place to manage the electronic transmission of personal information, including the steps the practice will take to ensure the privacy and security of information transferred outside your practice is protected.

5. Know what patient information can be disclosed to third parties

Practices and doctors can share a patient’s medical information with a third party if they have authority from the patient to do so or are required to by law.

Carefully read the information request and the patient’s authority to ensure the correct documentation is shared and that it’s within the scope of the patient’s authority.

Examples where legislation requires you to share health information without the patient’s express permission include:

  • public health requirements to report infectious diseases
  • summons or subpoenas to produce medical records to a court or tribunal
  • a police search warrant.

Read our article to find out the requirements for consent, your legal obligations and when you can refuse to provide medical records. You can also watch our video, Managing requests for medical records.

6. Update policies and processes for transition to the RACGP’s new practice standards

In October 2017, the RACGP released the Standards for general practices (5th edition) (the Standards).

To align with the Standards, GP practices will need to update their policies, procedures and processes. It is also important that these changes are communicated to the practice team so that they are understood and implemented in a timely manner. Read our article for more information on the new modules and indicators covered in the Standards.

If you have a PracticeHub subscription, you will notice that the updated policies and procedures were added to your site from 1 December, 2017.

It is important that all practices:

  1. review the new Standards for general practices (5th edition)
  2. review the new content and make sure they have procedures in place so that staff know how to comply with these changes
  3. allocate the changes to the relevant roles in your practice for compliance sign-off.

Practices undertaking accreditation over the next 12 months should check with their accreditation provider about the changeover date for assessment. Accreditation providers are also conducting webinars and workshops on the requirements for practices to meet the new Standards.

More information

If your practice is notified of a Medicare audit or experiences a data breach, or any other medico-legal issue, contact our MLAS on 1800 128 268 for expert advice on how to respond.

Does your practice have the protection it needs?

Many practice owners assume their practitioner indemnity also covers their practice entity and their staff, which is sometimes not the case. To protect practice owners, our practice insurance offers your practice comprehensive protection and works hand in hand with your Avant Practitioner Indemnity Insurance Policy.

Avant’s Practice Medical Indemnity Insurance* covers the legal costs of defending your practice against allegations and complaints, and compensation for patient loss or injury. For added peace of mind, your policy also offers you and your staff unlimited access to our MLAS, which provides expert advice, 24/7 in emergencies, to help minimise the chance of a complaint or claim occurring. Find out more about our comprehensive suite of practice insurances which are designed to work together to make running a practice easier, safer and more efficient – click here or call us today on 1800 128 268 to organise a quote.

PracticeHub – Simplifying practice management

If you would like to find out how Avant’s online practice management platform, PracticeHub, can make managing your practice simpler, safer and more efficient, please contact us on 1300 96 86 36 or

*IMPORTANT: The Practice Medical Indemnity Policy is issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. This policy is available at or by contacting us on 1800 128 268. Practices need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation.

