Introduction

1. Medicare is Australia’s universal healthcare system, which provides people with access to free or subsidised health and hospital care, with options to also choose private health services. Medicare is one of a range of Australian Government health programs administered through the Department of Human Services (Human Services).¹

2. In its 2012–13 Annual Report, Human Services reported that as at 30 June 2013, there were 23.4 million people enrolled in Medicare, including 618 533 new enrolments. For an individual to enrol in Medicare, they need to reside in Australia and be either an Australian or New Zealand citizen²; a permanent resident visa holder; or an applicant for a permanent resident visa (excluding a parent visa). Australia has Reciprocal Health Care Agreements with 10 countries and visitors from these countries may also be eligible to enrol.³ Some eligibility types, for example, visitors from Reciprocal Health Care Agreement countries, are only eligible to use Medicare for a limited period of time.

3. In 2012–13, Human Services processed payments totalling $18.6 billion for over 344 million Medicare services. Expenditure under Medicare is expected to continue to grow, with payments estimated to reach $23.7 billion by 2016–17.⁴

4. In administering Medicare, Human Services collects personal information from customers at the time of their enrolment and amends this information to reflect changes in their circumstances.⁵ The main repository for this data is the Medicare customer record database, the Consumer Directory.

5. Maintaining the integrity of customer data assists to mitigate key risks associated with Medicare including access to benefits by ineligible people who are enrolled without an entitlement or who are enrolled for a period beyond their entitlement. There is also a risk that ineligible people may obtain an active Medicare card and use it fraudulently to access services and/or make fraudulent claims. In addition, the fraudulent use of Medicare cards as a form of identification is a risk to Medicare and the broader community.⁶

6. Customer data integrity assists in mitigating these risks and contributes to the effective and efficient administration of Medicare. To maintain data integrity, Human Services has implemented both ‘upstream’ controls at the enrolment stage, and post‑enrolment measures to manage updates to its records arising from changed customer circumstances. The department has also implemented measures to protect the privacy and security of customer data.

Audit objective, criteria and scope

7. The objective of the audit was to examine the effectiveness of the Department of Human Services’ management of Medicare customer data and the integrity of this data.

8. To assist in evaluating the department’s performance in terms of the audit objective, the ANAO developed the following high level criteria:

• Human Services has adequate controls and procedures for the collection and recording of high quality customer data;
• Medicare customer data as recorded on Human Services systems is complete, accurate and reliable; and
• customer data recorded on Human Services systems is subject to an effective quality assurance program and meets relevant privacy and security requirements.

9. The audit scope focused on the integrity of Medicare customer data and included related testing of all Medicare customer records. It did not examine Healthcare Provider Information, the allocation or management of Individual Healthcare Identifiers (IHI) or the operation of Personally Controlled Electronic Health Records.

10. The audit also considered the extent to which Human Services had implemented the six recommendations from ANAO Performance Audit Report No.24 of 2004–05 Integrity of Medicare Enrolment Data.

Overall conclusion

11. Medicare has been in place for 30 years⁷ and is accessed by almost all Australians and some visa holders and visitors. In 2012­­–13, Human Services reported over 23 million people enrolled in Medicare, including 618 533 new enrolments.⁸

12. The department’s administration of Medicare is supported by a long‑established database, the Consumer Directory, which contains all Medicare customer records. As the repository of a large and evolving data set incorporating, on an ongoing basis, both new enrolments and changes to customer information, the Consumer Directory requires active management to maintain the integrity, security and privacy of customer data; essential prerequisites for the effective administration of Medicare.

13. Human Services’ framework for the management of Medicare customer data, including procedures and input controls for the entry of new enrolment information and changes to customer information, has not been fully effective in maintaining the integrity of data in the Consumer Directory. ANAO analysis of the department’s Medicare customer data holdings identified⁹:

• at least 18 000 possible duplicate enrolments—an ongoing data integrity issue in the Medicare customer database¹⁰;
• active records for customers without an entitlement as well as inactive records and some with unusual activity; and
• records which had customer information inconsistently, inaccurately and incompletely recorded.

14. In addition, the department advised the ANAO of instances where the records of two different customers are combined (‘intertwined records’)¹¹, giving rise to privacy and clinical safety¹² risks.

15. While the number of compromised records held in the database is not significant given the scale of the department’s data holdings, the data integrity issues referred to above indicate that departmental procedures and key elements of the data input control framework require management attention to improve operational efficiency, better protect customer privacy and clinical safety, and reduce the risk of fraudulent activity. The extent of the data integrity issues highlighted by the audit and the length of time these issues have been evident also indicate a need for the department to periodically assess the underlying causes of data integrity issues and implement necessary treatments.

16. The audit identified that additional attention should be given to: the tightening of data input controls, including the full and accurate completion of mandatory data fields in accordance with system and business rules; the adequacy and consistency of staff training and written guidance; addressing duplicate and ‘intertwined records’; and undertaking data integrity testing on a targeted risk basis. Further, Human Services’ procedures for managing the security of Medicare customer data do not comply fully with some mandatory requirements of the Australian Government’s Information Security Manual (ISM)¹³; significantly reducing the level of assurance of the relevant systems’ ability to withstand security threats from external and internal sources. The department should implement whole‑of‑government requirements in relation to system security.

17. Positive elements of Human Services’ approach to managing Medicare customer data include: unique customer reference numbers within the Consumer Directory, which have a high degree of integrity¹⁴; a well‑developed privacy framework which contributes to maintaining the confidentiality of sensitive Medicare customer records; and a Quality Framework comprising a daily program of random checks on completed transactions by customer service officers. As discussed however, a fully effective approach to managing the integrity of data holdings requires that attention be given to the development and consistent implementation of the full suite of procedures and controls.

18. The ANAO last examined the integrity of Medicare enrolment data in 2004–05, making six recommendations.¹⁵ Human Services could demonstrate implementation of two recommendations¹⁶ but could not demonstrate implementation of the remainder, which were aimed at addressing data integrity issues, including duplicate enrolments, prior to the migration of Medicare customer data to the Consumer Directory. As discussed, the ANAO’s analysis in this audit indicates that the issue of duplicate enrolments has persisted¹⁷; and, more broadly, the department has foregone an opportunity to enhance its performance by implementing a number of the earlier ANAO recommendations targeted at improving data integrity.¹⁸

19. The ANAO has made five recommendations in the current audit aimed at enhancing the management and integrity of Medicare customer data by Human Services. The recommendations relate to improving training and guidance for customer service officers, addressing data integrity issues and their causes, and complying with the mandatory requirements of the ISM.

Key findings by chapter

Data collection and recording (Chapter 2)

20. Medicare customer data, with the exception of claims, is captured mainly when customers enrol in Medicare and when they amend their details. Customer service officers are mostly responsible for entering and updating customer information in Medicare’s customer record database, the Consumer Directory. The collection of accurate, complete and reliable customer data supports the efficient and effective administration of Medicare.

21. Customers enrol in Medicare using one of three main forms. There is an opportunity for Human Services to improve the efficiency of the enrolment process by amending the Medicare Enrolment Application form to better specify the documentation that visitors are required to provide in support of their enrolment.

22. There are a range of channels for customers to amend their data, including over–the–phone, in–person, in–writing and through self–service options such as Medicare Online Services and the Medicare Express Plus mobile phone application. Customers would benefit from Human Services listing all of these channels on its webpage, Keeping up to date with Medicare.¹⁹

23. To assist customer service officers to enrol customers and amend their personal information, Human Services provides training and guidance on its intranet. While the online training covers the essentials of enrolling customers, it does not include complex enrolment examples. Further, there are inconsistent instructions in and between the training and guidance. For these reasons, Human Services should review its staff training and guidance, in respect to enrolling customers and amending their information, for completeness and consistency.

24. As a further means of collecting and amending customer information, Human Services conducts data matching with other Australian Government departments and state and territory agencies. Customer records are updated with dates of death using an automated process of matching a Fact of Death Data (FODD) file on a monthly basis, compiled from state and territory registries of births, deaths and marriages. This process was introduced by Human Services in 2005 in response to Recommendation No. 5 of the ANAO’s performance audit discussed at paragraph 18.

25. When customer information is recorded—at the time of enrolment and if subsequently amended—it is subject to system controls, including address matches with the Postal Address File²⁰; BSB validation checks; and field controls. These controls are intended to ensure that data is complete, accurate and reliable. The ANAO’s testing of mandatory customer data, which is discussed in paragraphs 33 to 36, indicate that some of these controls are not operating effectively.

26. To further support the collection and amendment of Medicare customer data, Human Services has a Quality Assurance Framework that includes a daily check of randomly selected completed transactions. In 2012–13, 26.8 per cent of these daily checks of Medicare transactions were of customer enrolments and information amendments. The results of these daily checks are reported to the Human Services Executive and stakeholders on a monthly basis and a sample are also reviewed annually for accuracy. For the enrolments and data amendments checked in 2012–13, Human Services reported a 96.3 per cent accuracy rate, which was slightly below the key performance indicator of 98 per cent.

Integrity of unique customer reference numbers (Chapter 3)

27. Unique customer reference numbers are used to identify individual customers and to protect their privacy and clinical safety. Customers enrolled in Medicare are assigned four unique reference numbers in Human Services’ records:

• Consumer IDs: record identifier;
• Personal Identification Numbers (PIN): Medicare enrolment identifier;
• Medicare Reference Numbers: card identifier; and
• IHI: identifier within the ‘eHealth’ environment.²¹

28. These numbers are used to identify customers and their records and link their information between Human Services’ various Medicare databases. The ANAO tested all 29.3 million Medicare customer records in the Consumer Directory. No duplicate unique reference numbers were identified apart from one Medicare Reference Number shared by two different records. Human Services investigated this duplicate Medicare Reference Number and found that it had been mistakenly issued by a customer service officer to two different family members sharing the same Medicare card in 1996, using the Medicare Enrolment File (the predecessor of the Consumer Directory).²² The testing indicates that unique customer reference numbers have a high degree of integrity.

29. Duplicate customer enrolments mean that customers have more than one of each of these unique customer reference numbers. Consequently, customer information is fragmented across more than one record, posing a risk to the accuracy, completeness and reliability of their personal and health information.

30. Duplicate customer records have been an ongoing data integrity issue in Medicare customer record databases. The ANAO’s 2004–05 performance audit recommended that Human Services address duplicate enrolments prior to migrating Medicare customer data to the Consumer Directory (Recommendation No. 3). Human Services advised that it implemented this recommendation but this could not be verified by the ANAO without supporting documentation.

31. The ANAO’s testing of all 29.3 million Medicare customer records²³ used varying matching criteria which identified at least 18 000 possible duplicate records.²⁴ Testing included matches based on names, name initials, dates of birth, addresses and gender as well as varying combinations of these criteria, for example, matches on name and address with a different birth day or month. As part of a continuous improvement approach to managing data in the Consumer Directory, Human Services should consider ways to: better identify duplicate enrolments which take into account these types of variances; investigate the underlying causes of duplicate enrolments; and apply appropriate treatments to address duplicate enrolments.

32. Data integrity can also be weakened by intertwined records, which are single records shared by more than one customer. Intertwined records are created when customer service officers incorrectly enable two customers to use the same PIN—customers’ unique Medicare enrolment identifiers. Human Services advised that it has recorded 34 intertwined records since 2011–12, when it commenced recording identified instances. These records pose a risk to the privacy and clinical safety of affected customers as their recorded health information does not accurately reflect their individual circumstances. Human Services has established a working group to address intertwined records. The department should also introduce guidelines to ensure risks are mitigated when these types of records are resolved—which could form part of the work of this group.

Integrity of customer data (Chapter 4)

33. To assist with recording accurate and complete customer data, there are controls in the Consumer Directory including mandatory fields and system rules. Mandatory personal data fields include family name, first name²⁵, date of birth and most address fields. Mandatory eligibility fields include eligibility document type, a document reference date or number, and an entitlement end date for relevant entitlement types. The ANAO tested these mandatory fields and identified not all mandatory fields had been completed. Further, the ANAO’s testing found Medicare customer data which was inconsistently and inaccurately recorded, and which contravened system and business rules.

34. One consequence of errors or omissions in customers’ personal data is that existing customer records may not be identified in the customer enrolment search which could result in duplicate enrolments.

35. Of greatest concern are the consequences of incomplete, inaccurate and unreliable eligibility data, which can include payments to ineligible persons. The ANAO identified some active customer records with invalid entitlement types which had recent associated claims. Further, some customer records did not:

• contain sufficient information to support customers’ eligibility for Medicare. For example, there were 34 129 records for permanent resident visa holders which did not have reference to at least one of the eligibility documents required to support enrolment recorded; and
• reflect an entitlement period consistent with the customer’s entitlement type, including not having an entitlement end date recorded despite the customer having a limited entitlement. For example, there were 2743 records for visitors which had no eligibility end date recorded.

36. Human Services should implement controls to ensure that: all mandatory data fields are completed; recorded data is consistent with business and system rules; and customer access to Medicare benefits is consistent with their entitlement. Human Services should also review all customers accessing benefits without a valid entitlement type, to confirm their eligibility.

37. The ANAO tested date of death data and found 40 541 records for customers over 85 years old which did not have an associated claim in the 12 months prior to testing.²⁶ The absence of claiming activity on these records suggests that these customers may be deceased. The ANAO also identified a customer aged approximately 143 years old who had made a claim in the six months prior to testing. Human Services’ investigation of this record showed that the affected customer’s date of birth had been incorrectly recorded and the department advised the ANAO that it has subsequently corrected the record. Human Services does not currently undertake data integrity testing. The department should undertake some risk–based, targeted data integrity testing to assist with the identification of records that require review.

38. The ANAO’s testing of customer data also provided some insight as to whether Human Services had implemented recommendations made in the ANAO’s 2004–05 performance audit discussed in paragraph 18. In particular, the ANAO’s testing indicated:

• Recommendation No. 1—to cleanse customer data prior to its migration to the Consumer Directory—was not implemented although some of the records relevant to this recommendation have been corrected by Human Services.
• Recommendation No. 2—to apply the Consumer Directory business rules to customer data prior to its migration—was not implemented.
• Recommendation No. 4—to review Human Services’ approach to consolidating and migrating customer data to the Consumer Directory—was not implemented.

39. Human Services could not demonstrate implementation of the ANAO’s recommendations aimed at improving the integrity of customer information prior to its migration to the Consumer Directory; foregoing an opportunity to address data integrity issues that persist to the present day.

Privacy of customer data (Chapter 5)

40. Human Services has legislative obligations to protect the privacy of customer data and has a well‑developed framework to meet its obligations. The central element of its framework is the ‘Operational Privacy Policy’ which sets out relevant privacy requirements for all staff in an accessible form and provides links to appropriate supporting documentation on protecting privacy. There are policies and processes in place as well as guidance to assist staff to understand their privacy responsibilities, including reporting privacy incidents and complaints, and completing privacy awareness training.

41. Human Services has adopted better practice in requiring Privacy Impact Assessments for new projects. There is an opportunity, however, for Human Services to more consistently apply this requirement to fully realise the benefits of this approach.

42. Human Services is required to comply with the Privacy Commissioner’s Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs, including the submission of a Technical Standards Report which outlines its management of Medicare customer databases. In 2009, Human Services implemented Recommendation No. 6 of the 2004–05 ANAO audit—to produce and submit a Technical Standards Report—approximately four years after the ANAO’s report was tabled. The guidelines also require that Human Services lodge variation reports to the Technical Standards Report. The current Technical Standards report does not reflect current arrangements and there is an opportunity for Human Services to implement a process to review and update this report and to lodge variation reports in a timely manner.

Security of customer data (Chapter 6)

43. Human Services is subject to the requirements of the Australian Government’s Information Security Manual (ISM), issued by the Australian Signals Directorate, which outlines standards to assist agencies in applying a risk–based approach to protecting their data and ICT systems.

44. Human Services undertakes security initiatives outlined in the ISM but falls short of complying fully with the standards outlined. In particular, Human Services is not compliant with two of the mandatory requirements of the ISM. The department has not completed all of the mandatory security documentation required by the ISM for the systems that record, process and store Medicare customer data. Further, it has not completed the certification and accreditation processes for these systems or most of the infrastructure that supports them, as required by the ISM. Fulfilling these requirements would assist Human Services to identify and mitigate risks to the security and confidentiality of Medicare customer data.

45. There is also scope for Human Services to improve its implementation of:

• risk management activities for ICT systems and services by ensuring that controls and treatments to mitigate risks are in place;
• active security monitoring by addressing identified vulnerabilities associated with new ICT systems and taking a risk‑based approach to monitoring potential threats to systems; and
• user access management by monitoring and reporting on access to the Medicare Data Warehouse which contains a copy of Medicare customer data.

46. Human Services has also identified areas for improvement in its self–assessment against the Australian Government’s Protective Security Policy Framework²⁷ and is taking action to meet its security awareness and training responsibilities. Further, the department is undergoing an organisation‑wide process to develop business continuity plans which address identified critical functions. There would also be benefit in Human Services completing disaster recovery plans in relation to its identified critical functions.

Summary of agency response

47. Human Services provided the following summary comment to the audit report:

The Department of Human Services welcomes this report and agrees with the five ANAO audit report recommendations. The department recognises that the audit highlights several opportunities to further strengthen and enhance the management and integrity of the Medicare customer data and is strongly committed to ensuring the ongoing completeness, accuracy and reliability of customer records.

The department also notes acknowledgement by the ANAO of its well-developed Privacy and Quality Assurance Frameworks, and the high degree of integrity in the unique customer reference numbers within the Consumer Directory.

48. Human Services’ full response is included at Appendix 1.

Recommendations

Footnotes

[1] Medicare is administered by Human Services on behalf of the Department of Health. Medicare was previously administered by Medicare Australia. Prior to 1 October 2005, Medicare Australia was known as the Health Insurance Commission. In this report, Medicare Australia and the Health Insurance Commission are referred to as Human Services. The Department of Health is responsible for Medicare policy.

[2] Residents of Norfolk Island are not entitled to enrol in Medicare. Norfolk Island, which is part of the Commonwealth of Australia, is the only self–governing Australian external territory.

[3] These are visitors who are residents of the United Kingdom, the Netherlands, Sweden, Slovenia, Norway, Finland and Belgium. Visitors from Italy and Malta who are both citizens and residents of those countries are eligible for a Medicare card for the six month period following their arrival in Australia. Visitors from the Republic of Ireland and New Zealand are not enrolled in Medicare but can access public hospital services as a public patient under the reciprocal agreements.

[4] Australian Government, Budget Paper No. 1: Statement 6: Expenses and Net Capital Investment [Internet], available from < http://www.budget.gov.au/2013‑14/content/bp1/html/bp1_bst6‑01.htm> [accessed February 2014].

[5] Enrolment information can be amended on the advice of a customer or their agent, or through data matching.

[6] For example, a range of businesses rely on Medicare cards to help satisfy personal identity requirements, including banks and telecommunications companies. Human Services advised the ANAO that it does not endorse this practice.

[7] Medicare came into effect in February 1984. Its predecessor, Medibank, commenced in July 1975.

[8] In the same year, Human Services processed $18.6 billion in payments for over 344 million services.

[9] There were a total of 29.3 million Medicare customer records as at 16 September 2013, when reviewed by the ANAO.

[10] Duplicate enrolments were also identified in the ANAO’s 2004–05 performance audit discussed in paragraphs 10 and 18.

[11] These are known as ‘intertwined’ records and occur when two customers are incorrectly enabled to use the same Medicare enrolment identifier. Human Services advised the ANAO that since 2011–12, 34 of these records have been brought to its attention.

[12] If one of the affected customers requested a Personally Controlled Electronic Health Record, the record would contain both customers’ health information and consequently, could not be relied on by a healthcare provider.

[13] The ISM is issued by the Australian Signals Directorate. In May 2013, the Defence Signals Directorate was renamed the Australian Signals Directorate.

[14] Only one duplicate Medicare Reference Number was identified by the ANAO. Human Services investigated this duplicate Medicare Reference Number and found that it had been mistakenly issued by a customer service officer to two different family members sharing the same Medicare card in 1996, using the Medicare Enrolment File (the predecessor of the Consumer Directory). Human Services advised the ANAO that duplicate Medicare Reference Numbers cannot be issued using the Consumer Directory.

[15] ANAO Audit Report No.24 2004–05 Integrity of Medicare Enrolment Data.

[16] Relating to improving its use of Fact of Death Data to automatically update Medicare customer records and preparing a Technical Standards Report as required by the Privacy Commissioner.

[17] Refer to paragraph 13.

[18] The ANAO recently examined the risks of delaying or not implementing audit recommendations in ANAO Audit Report No.25 2012–13 Defence’s Implementation of Audit Recommendations, p. 13 and 16 and ANAO Audit Report No.53 2012–13 Agencies’ Implementation of Performance Audit Recommendations, p. 16.

[19] Department of Human Services, Keeping up to date with Medicare [Internet], available from <http://www.humanservices.gov.au/customer/news/keeping–up–to–date–with–m…; [accessed January 2014].

[20] The Postal Address File is Australia Post’s delivery database which contains details on every delivery point in Australia.

[21] The Australian Government’s ‘eHealth’ initiative is the electronic collection, management, storage and sharing of healthcare data.

[22] Human Services advised the ANAO that duplicate Medicare Reference Numbers cannot be issued using the Consumer Directory.

[23] There are approximately 29.4 million records in the Consumer Directory, of which 29.3 million are Medicare customer enrolments. The Consumer Directory also includes Australian Organ Donor Register records. Customers who do not provide their consent to link their Australian Organ Donor Register enrolment to their Medicare enrolment will have two records and consequently, two Consumer IDs.

[24] These records matched on first name initial, family name, address and date of birth, or first name, family name, address but with a different birth day, month or year. Further, for each match (there are 8797 matches) one of the records appeared to be active while the other record appeared to be inactive suggesting that they were duplicate enrolments.

[25] If the customer has only one name and the ‘Only name’ indicator is selected on the customer’s record, the first name field is not mandatory.

[26] According to the Australian Bureau of Statistics, in 2012 the average life expectancy for a male and a female at birth was 79.9 years and 84.3 years, respectively. Source: Australian Bureau of Statistics, 1.1 DEATHS, Selected summary statistics — 2002, 2011 and 2012 [Internet], ABS, available from <http://www.abs.gov.au/ausstats/abs@.nsf/mf/3302.0&gt; [accessed November 2013].

[27] The Protective Security Policy Framework is issued by the Attorney–General’s Department. It requires that agencies undertake an annual self–assessment of 33 mandatory components.