Background
The Australian Health Service Alliance Ltd. (AHSA) meets the requirements of a “permitted health situation” for the purposes of the Privacy Act 1988 (as amended), as it collects health information about an individual for the management, funding or monitoring of a health service.
AHSA cannot do this with de-identified information as the information could not then be matched to individuals within a health fund membership. This enables collection, collation and reporting of information to the Commonwealth Department of Health and Aged Care as required by the Health Insurance Act 2007.
AHSA also adopts the National Health and Medical Research Council Section 95 Guidelines for the conduct of research and the compilation or analysis of statistics relevant to public health or public safety.
General Policy
AHSA was formed by more than 20 registered private health insurance funds (participating funds [1]) in Australia, for the purposes of and on behalf of these private health insurance funds to:
- Negotiate hospital contracts
- Negotiate medical agreements (with doctors and medical companies)
- Develop and manage Gap Cover initiatives
- Provide advice and support to funds; and
- Manage funds' statutory data reporting requirements, including Hospital Casemix Protocol.
In order for AHSA to provide these business functions to our participating health funds, we collect, use and disclose information. AHSA does this in accordance with the Australian Privacy Principles (APP), contained within the Privacy Act 1988, as amended.
If you are a doctor and would like to know about privacy and the collection, use and disclosure of your information please refer to the Appendix at the end of this policy.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 amended the Privacy Act 1988 to adopt a set of thirteen harmonised privacy principles (APPs). AHSA’s privacy management program aims to meet the compliance requirements of these principles.
Consideration of personal information privacy
APP1 – Open & Transparent Management of Personal Information
AHSA has a comprehensive privacy policy, detailing the nature of personal information collected, the purpose of collecting such information, how it is collected, and how it is used and disclosed to other organisations. This policy is available on the AHSA website www.ahsa.com.au and is freely accessible to interested parties.
Any individual who is a fund member [2] of a participating fund has the right to seek corrections to any of their personal information held by AHSA.
APP2 – Anonymity & Pseudonymity
In circumstances where AHSA collects personal information, it is not practicable for anonymity or pseudonymity to occur due to compliance requirements.
Collection of personal information
APP3 – Collection of solicited personal information
AHSA collects personal information from hospitals for each fund member’s period of hospitalisation. This information is collected for each person who is discharged from hospital and is a fund member.
The type of information AHSA collects about a fund member admitted to hospital includes:
- Name and member number (to enable matching to membership)
- Postcode
- Hospital and medical charges for the admission to hospital
- Admission and discharge information (dates and times, referral information, and discharge type, i.e. home or transferred); and
- Diagnoses and procedures (in coded form, to ensure appropriate claims payment, and to enable review of utilisation and activity).
On an ad-hoc basis, AHSA also collects information relating to an individual claim where the hospital or the fund member, via their insurer, has asked AHSA to provide clinical advice and assistance with the interpretation, understanding and payment of claim details.
APP4 – Dealing with unsolicited personal information
AHSA does not currently deal with unsolicited personal information. If AHSA were to receive such information, staff would notify the AHSA Privacy Officer and it would be immediately destroyed.
APP5 – Notification of the collection of personal information
As a third party, it is not practicable for AHSA to notify individuals of the information collected by AHSA on behalf of participating funds.
It is AHSA’s preference that health providers and participating funds submitting personal information to AHSA have adopted privacy policies, programs and consents that specifically note AHSA’s role in the collection and analysis of data related to any fund member.
Dealing with personal information
APP6 – Use or disclosure of personal information
AHSA uses information in its identified form for the purpose of facilitating participating funds to meet their regulatory reporting requirements by matching claims information to their membership database after each fund member has been discharged from hospital.
From time to time, participating funds contact AHSA for assistance in facilitating payments to hospitals or in understanding individual claims information. So that claims may be paid expeditiously, AHSA may collect and discuss a fund member’s personal information with their participating fund in order to assist the fund member in resolving any problem.
AHSA may also use personal information collected to assist participating funds (but not other non-member clients) in the provision of further health services where the fund member has provided consent to their fund or would reasonably expect AHSA to use such information on behalf of the fund (for example, identifying which members would benefit from risk management or disease management programs).
AHSA only discloses the personal information it collects on each fund member to their participating fund. This enables the participating fund to match the hospital and claims information to their records. This is the only circumstance where AHSA discloses sensitive and identifying personal information collected from hospitals and medical providers to another organisation.
AHSA’s use of all other personal information takes place once it has been de-identified by AHSA. These uses include:
- Analysis of hospital charges and benefits, to facilitate utilisation review and enable negotiation of competitive and cost-efficient contracts with hospitals
- Disclosure of information to research organisations for research or statistical analysis relevant to public health and public safety
- Analysis of doctor charges and benefits, to determine charging patterns and out-of-pocket expenses, and develop gap cover schemes to meet the needs of fund members, member funds and doctors
- Further analysis of doctor charges and benefits, so that it can develop cost-efficient contracts with medical companies and groups of doctors
- Meeting statutory reporting requirements for Hospital Casemix Protocol for reporting to the Commonwealth Department of Health; and
- Meeting participating fund statutory reporting obligations on health insurer data for reporting to the Commonwealth Department of Health and Aged Care.
With the exception of doctor banking details for Access Gap Cover payments, all other data exchange between AHSA and participating funds uses de-identified information.
APP7 – Direct marketing
AHSA may disclose information to participating funds or their agents to identify their own appropriate fund members as candidates for health management programs e.g. chronic disease management. AHSA does not send direct marketing materials for these programs to fund members as prospective program candidates.
AHSA may market to individual doctors to register for Access Gap Cover if specifically requested to do so by a participating fund.
APP8 – Cross border disclosure of personal information
AHSA does not disclose any personal information overseas through any data management or transmission platform.
APP9 – Adoption, use or disclosure of government related identifiers
AHSA does not currently use government related identifiers.
Integrity of Personal information
APP10 – Quality of personal information
AHSA undertakes a series of edits on the data it collects from hospitals and discloses fund member data to each participating fund to ensure that it is accurate, up-to-date and complete. In addition, AHSA, on behalf of its participating funds, ensures that it meets the data quality reporting threshold set by the Commonwealth Department of Health.
APP11 – Security of personal information
AHSA ensures that the information it discloses to participating funds is transmitted in a secure state via AHSA’s dedicated participating fund web portal using 2048 bit SSL registered data encryption.
AHSA ensures that internal access security protocols are effectively implemented and monitored to restrict internal access to the personal information of a fund member to authorised staff only. Where access is provided to any other AHSA employee or contractor, it is only provided in a de-identified form.
AHSA assigns a unique identifier to a fund member record to enable re-identification, if required, at a future time. This re-identification key is accessed and controlled by authorised staff only.
Any information that is collected in paper form that identifies an individual fund member is to be stored securely by the authorised staff member. Any information printed or transmitted in paper form (mail or fax) is to be collected and stored securely. When no longer required, any documents that identify an individual fund member will be disposed of securely.
Access to, and correction of, personal information
APP12 – Access to personal information
As AHSA is a third party organisation collecting information on behalf of participating funds, it is suggested that in the first instance, any request for access should be made to the member’s fund. However, if you would like to pursue a request for access, please write to:
The Privacy Officer
Australian Health Service Alliance Limited
Level 1A 35 Cotham Road
Kew VIC 3101
E: privacy@ahsa.com.au
APP13 – Correction of personal information
AHSA undertakes rigorous processes to cleanse data collected and check for inaccuracies. Any errors detected are followed up with the hospital or participating fund.
Accountability
All management, staff and contractors accessing AHSA systems, processes or data are ultimately accountable for ensuring compliance with the privacy principles.
All employees and contractors requiring access to AHSA systems, processes or data are required to acknowledge that they have read and understood their privacy and confidentiality obligations by signing a Privacy and Confidentiality Acknowledgement.
Notifiable Data Breaches
AHSA will ensure compliance with data breach notification legislation [3] through implementing a Data Breach Response Plan. The Plan will assess whether ‘serious harm’ has occurred from a breach of sensitive health data or personal information and the consequential data governance and communication responses.
Compliance Reporting
The Privacy Officer is responsible for responding to privacy requests or complaints made to AHSA by participating funds or their fund members. The Privacy Officer will ensure that the application of this Privacy Policy is subject to continuous monitoring, communication and education to minimise the risk of non-compliance with privacy principles.
Complaints
If you have a complaint, or wish to make a complaint in relation to the application of these privacy principles, please write to:
The Privacy Officer
Australian Health Service Alliance Limited
Level 1A 35 Cotham Road
Kew VIC 3101
E: privacy@ahsa.com.au
Enquiries
If you have any further questions, please phone the AHSA Privacy Officer on (03) 9813 4088.
Appendix
Privacy for Doctors
Access Gap Cover (AGC)
AHSA collects personal information from doctors participating in Access Gap Cover, such as name, address and bank account details (for Direct Credit payments into a nominated bank account), as outlined in the AHSA Provider Details and Direct Credit Authority Form. AHSA collects this information on behalf of its participating health funds (see Disclosure section below).
Collection, disclosure and use of information provided
As a condition of Access Gap Cover registration and of making a claim under the Access Gap Cover scheme, doctors agree that AHSA and AHSA participating funds may in their discretion:
- Collect information from the doctor registration form and other doctor communications with AHSA and AHSA participating funds (including, without limitation, forms and communications received before this condition came into effect and information from claims that are submitted). This includes personal information (such as name, practice address, and other contact details); field of practice and additional qualifications or specialties, and information (including past claims data) relating to the charges rendered, the services provided (including where a doctor operates and their surgical partners) and doctor participation in the Access Gap Cover scheme (together, “the information”);
- Disclose the information and other information about a doctor to the public, including members of AHSA participating funds and referring doctors, including for the purposes of identifying Access Gap Cover providers, and setting out information relating to the charges rendered, quality of service and statistical information relating to their participation in the Access Gap Cover scheme; and
- Use the information for internal statistical analysis.
Medical Purchaser Provider Agreements (MPPAs) and Hospital Purchaser Provider Agreements with Practitioner Agreements (HPPA/PAs)
AHSA collects medical provider numbers of individual doctors that are part of an agreement with a company / group of doctors (MPPA) or specific hospital (HPPA /PA). Where doctors are paid individually, AHSA also collects bank account details; otherwise AHSA only collects bank account details of the company / hospital.
By being part of the agreement, MPPA and HPPA/PA doctors consent to having their name, specialty and postcode made available to the general public.
Please note that “made available to the general public” means the doctor’s name, practice location and/or billing contact details as well as specialty(s):
- Will appear on a web search.
- Will be included on General software
- May be provided over the telephone or printed out and supplied to health fund members upon request.
Hospital-Substitute Treatment (H-ST)
Once AHSA has entered into an agreement with a doctor to perform a substitute service, AHSA will collect information in a similar manner as MPPAs and HPPA/PAs in order to manage the agreement, including electronic payment into bank accounts.
National Provider File
AHSA receives periodic updates of provider numbers in the National Provider File from Medicare Australia. This allows AHSA to keep abreast of provider changes which assists us to meet Australian Privacy Principles (APP) relating to the accuracy and completeness of information.
Data
AHSA collects medical claims data of member health funds for all doctors, regardless of whether the claim was paid under Access Gap Cover, MPPA, HPPA/PA or where there is no agreement. This data includes provider number, member (patient) number, agreement type, charge and benefit for each MBS item number.
AHSA also collects de-identified medical claim data linked to episodes, as part of the Hospital Casemix Protocol (HCP), to meet statutory reporting obligations.
Use
AHSA uses this information to:
- Maintain a comprehensive database of AGC, HPPA/PA, H-ST and MPPA doctors, to ensure these doctors receive important information, such as new schedules or new agreements;
- Enable AHSA to administer gap cover arrangements on behalf of member funds; and
- Ensure that funds are able to pay claims directly into doctors’ bank accounts, where relevant.
Disclosure
As AHSA co-ordinates all forms of medical agreements and/or arrangements for doctors, we disclose your personal information (bank details, name and type of agreement and provider number) to ALL participating AHSA funds, even if doctors bill only some of these AHSA funds.
The medical claim data is not disclosed to any outside organisation, and is used internally by AHSA for statistical analysis.
AHSA discloses de-identified medical claim data to the Commonwealth Department of Health, as part of HCP, to meet statutory reporting obligations. Provider numbers are NOT part of this collection, so it is de-identified for doctors as well as members (patients).
Accuracy
To ensure that information about participating doctors is kept accurate and up-to-date, doctors must notify the AHSA as soon as possible if:
- Bank account details are changed; or
- It is discovered that bank account details have been provided or entered incorrectly; or
- Address, e-mail or telephone numbers have changed.
Please note that doctors sometimes notify only the fund that they are dealing with at the time of any changes or corrections to their personal information. As AHSA manages the process centrally, doctors must notify AHSA of these changes as well, to ensure that all funds have access to the correct information. This will avoid a situation where doctors may have to repeatedly inform different AHSA funds of these changes.
Doctors on the doctor listing/search should attempt to search for themselves on the web, and notify AHSA immediately if there are any problems. Alternatively, call the Access Gap Cover hotline on 1800 664 277.
References
[1] The term ‘participating fund’ includes all funds or organisations with whom AHSA has contracted to provide member or claimant services even if the fund or organisation is not included in the Register of Members.
[2] The term ‘fund member’ includes any member of any fund or a claimant of a client for whom AHSA has contracted to provide member or claimant services.
[3] Privacy Amendment (Notifiable Data Breaches) Act 2017