Pause for a moment and ask yourself where your health data is right now.
The answer is probably: in a variety of locations all over the world.
For those of us who handle health data every day, managing privacy and security is central to everything we do, and the key to survival. Data breaches are the stuff of nightmares, so companies that handle large volumes of health data mitigate their risks by going to extraordinary lengths to protect data security.
There is usually an array of physical, technical, and administrative safeguards in place, as well as ISO accreditations, regular penetration tests and of course cyber insurance, now essential for all MedTech companies.
Keeping health data secure, while also allowing it to exit bricks and mortar buildings, is an international challenge that always requires a regulatory response. Most countries have data security and/or privacy legislation, which typically does not seek to prevent health data crossing borders, but rather, seeks to govern that process.
The reality is that health data always leaves its country of origin, and short of turning the internet off, that will never change. It is in fact very difficult for modern health systems to function effectively without some degree of cross-border data flow.
In a recent meeting, I politely pointed out to a government official of another country that the data we would be sending to Australia could not identify any person, and was much less than the data they were already sending to the WHO in Geneva every quarter.
Many similar meetings apparently led to data residency exemptions being implemented. To its credit, that government listened to stakeholder concerns and recognised that international investment in their health system was being hampered by being too rigid about data sovereignty. If organisations are required to move expensive infrastructure or set up local servers, they won’t come.
In addition to countries already being required to send health data offshore when they report to the WHO, x-rays sit on servers all over the world, free EMR and PMS systems are hosted in various countries, and third-party platforms like Apple and Google Play are integral to every app.
When it comes to medical billing data, there is no question that it contains sensitive information, and is therefore rightly subject to health privacy laws. But at a micro level, when you actually examine what the law is protecting, legitimate questions arise around the quality of Australian medical billing data. This is largely due to the fact that Medicare is an honour system, which is heavily reliant on the integrity of doctors to allocate MBS items correctly. For admitted patients, there are more checks and balances, but in the outpatient setting, our government pays blind, having no option other than to trust that services billed were provided.
This is not how medical billing works in other parts of the world.
In countries that have adopted the US system of codes, we commence the billing process with an ICD code, which provides information about why the patient was there, such as a diagnosis or symptoms. Then the second part of the billing process is to add MBS equivalent codes, which describe the service delivered.
Having worked in both systems, I am not suggesting the US system of codes be implemented here because it has its own problems. But the concept of using additional codes to improve visibility over billing is critically important in managing the integrity of fee-for-service payment environments. My research concluded that if we don’t do something similar soon, Medicare will be gone.
When activity-based funding was introduced into Australian public hospitals, privacy concerns were debated. Yet here we are over a decade later, comfortable that every admitted patient encounter in this country, in both public and private hospitals, is coded, and we are managing data security effectively. There will always be security risks so we must remain vigilant, but there is absolutely no reason to think we cannot achieve the same in the outpatient setting. We have the technology and governance arrangements in place to manage medical billing privacy, and adding additional codes to MBS claims will not change that.
I saw a comment recently that opposed the introduction of outpatient coding, using the example of a famous politician being treated for an STD. But we already code that scenario if the politician is an admitted patient, so why should it be different in the outpatient setting? It makes no sense. We already code the embarrassing, unfortunate, and sensitive health issues of famous people, in Australian hospitals and in other countries, all the time. The reason Australia doesn’t do the same in the outpatient setting is nothing more than a historic legacy, which we now have the tools to address.
My research found that SNOMED is the right code set for this purpose for a number of reasons, including the fact that there is no additional work required by doctors, no additional cost for the government, and 90% of Australians have already consented to have their records coded to SNOMED by virtue of having a My Health Record.
Whatever the solution, we cannot continue to use the privacy debate to prevent necessary digital reform and improve visibility over health service delivery. Greater transparency in the outpatient setting is urgently required.
Dr Margaret Faux is a health system administrator, lawyer and registered nurse with a PhD in Medicare compliance, and is the CEO of AIMAC, which offers courses and explainers on legally correct Medicare billing.
If you’re interested in the topics of health funding, reform and standards Wild Health’s summit on 18 October in Melbourne will tackle all issues and more. Register now to be part of the conversation.