28 April 2014

Audit of Medicare Data Integrity

The Australian National Audit Office has released a 106 page report on Integrity of Medicare Customer Data (ANAO Audit Report No.27 2013–14).

ANAO comments that
Medicare is Australia’s universal healthcare system, which provides people with access to free or subsidised health and hospital care, with options to also choose private health services. Medicare is one of a range of Australian Government health programs administered through the Department of Human Services (Human Services).
In its 2012–13 Annual Report, Human Services reported that as at 30 June 2013, there were 23.4 million people enrolled in Medicare, including 618,533 new enrolments. For an individual to enrol in Medicare, they need to reside in Australia and be either an Australian or New Zealand citizen; a permanent resident visa holder; or an applicant for a permanent resident visa (excluding a parent visa). Australia has Reciprocal Health Care Agreements with 10 countries and visitors from these countries may also be eligible to enrol. Some eligibility types, for example, visitors from Reciprocal Health Care Agreement countries, are only eligible to use Medicare for a limited period of time.
In 2012–13, Human Services processed payments totalling $18.6 billion for over 344 million Medicare services. Expenditure under Medicare is expected to continue to grow, with payments estimated to reach $23.7 billion by 2016–17.
In administering Medicare, Human Services collects personal information from customers at the time of their enrolment and amends this information to reflect changes in their circumstances. The main repository for this data is the Medicare customer record database, the Consumer Directory.
Maintaining the integrity of customer data assists to mitigate key risks associated with Medicare including access to benefits by ineligible people who are enrolled without an entitlement or who are enrolled for a period beyond their entitlement. There is also a risk that ineligible people may obtain an active Medicare card and use it fraudulently to access services and/or make fraudulent claims. In addition, fraudulent use of Medicare cards as a form of identification is a risk to Medicare and the broader community.
Customer data integrity assists in mitigating these risks and contributes to the effective and efficient administration of Medicare. To maintain data integrity, Human Services has implemented both ‘upstream’ controls at the enrolment stage, and post-enrolment measures to manage updates to its records arising from changed customer circumstances. The department has also implemented measures to protect the privacy and security of customer data.
The report notes that
a range of businesses rely on Medicare cards to help satisfy personal identity requirements, including banks and telecommunications companies. Human Services advised the ANAO that it does not endorse this practice.
The aim of the ANAO audit was 
to examine the effectiveness of Human Services’ management of Medicare customer data and the integrity of this data.
To assist in evaluating the department’s performance in terms of the audit objective, the ANAO developed the following high level criteria:
  • Human Services has adequate controls and procedures for the collection and recording of high quality customer data; 
  • Medicare customer data as recorded on Human Services systems is complete, accurate and reliable; and 
  • customer data recorded on Human Services systems is subject to an effective quality assurance program and meets relevant privacy and security requirements.
The audit scope focused on the integrity of Medicare customer data and included related testing of all Medicare customer records. It did not examine Healthcare Provider Information, the allocation or management of Individual Healthcare Identifiers (IHI) or the operation of Personally Controlled Electronic Health Records.
The audit also considered the extent to which Human Services had implemented the six recommendations from ANAO Performance Audit Report No. 24 of 2004–05 Integrity of Medicare Enrolment Data.
The report provides an "overall conclusion" - 
Medicare has been in place for 30 years and is accessed by almost all Australians and some visa holders and visitors. In 2012–13, Human Services reported over 23 million people enrolled in Medicare, including 618,533 new enrolments. The department’s administration of Medicare is supported by a long-established database, the Consumer Directory, which contains all Medicare customer records. As the repository of a large and evolving data set incorporating, on an ongoing basis, both new enrolments and changes to customer information, the Consumer Directory requires active management to maintain the integrity, security and privacy of customer data; essential prerequisites for the effective administration of Medicare.
Human Services’ framework for the management of Medicare customer data, including procedures and input controls for the entry of new enrolment information and changes to customer information, has not been fully effective in maintaining the integrity of data in the Consumer Directory.
ANAO analysis of the department’s Medicare customer data holdings identified:
  • at least 18,000 possible duplicate enrolments—an ongoing data integrity issue in the Medicare customer database; 
  • active records for customers without an entitlement as well as inactive records and some with unusual activity; and  
  • records which had customer information inconsistently, inaccurately and incompletely recorded.
In addition, the department advised the ANAO of instances where the records of two different customers are combined (‘intertwined records’), giving rise to privacy and clinical safety risks. 
While the number of compromised records held in the database is not significant given the scale of the department’s data holdings, the data integrity issues referred to above indicate that departmental procedures and key elements of the data input control framework require management attention to improve operational efficiency, better protect customer privacy and clinical safety, and reduce the risk of fraudulent activity. The extent of the data integrity issues highlighted by the audit and the length of time these issues have been evident also indicate a need for the department to periodically assess the underlying causes of data integrity issues and implement necessary treatments.
The audit identified that additional attention should be given to: the tightening of data input controls, including the full and accurate completion of mandatory data fields in accordance with system and business rules; the adequacy and consistency of staff training and written guidance; addressing duplicate and ‘intertwined records’; and undertaking data integrity testing on a targeted risk basis. Further, Human Services’ procedures for managing the security of Medicare customer data do not comply fully with some mandatory requirements of the Australian Government’s Information Security Manual (ISM); significantly reducing the level of assurance of the relevant systems’ ability to withstand security threats from external and internal sources. The department should implement whole‐of‐government requirements in relation to system security.
ANAO offered some positive comments - 
Positive elements of Human Services’ approach to managing Medicare customer data include: unique customer reference numbers within the Consumer Directory, which have a high degree of integrity; a well-developed privacy framework which contributes to maintaining the confidentiality of sensitive Medicare customer records; and a Quality Framework comprising a daily program of random checks on completed transactions by customer service officers. As discussed however, a fully effective approach to managing the integrity of data holdings requires that attention be given to the development and consistent implementation of the full suite of procedures and controls.
However, "the department has foregone an opportunity to enhance its performance by implementing a number of the earlier ANAO recommendations". ANAO therefore makes five recommendations, to improve training and guidance for customer service officers, address data integrity issues and their causes, and comply with the mandatory requirements of the ISM.

The Key findings are
  • Medicare customer data, with the exception of claims, is captured mainly when customers enrol in Medicare and when they amend their details. Customer service officers are mostly responsible for entering and updating customer information in Medicare’s customer record database, the Consumer Directory. The collection of accurate, complete and reliable customer data supports the efficient and effective administration of Medicare. 
  • Customers enrol in Medicare using one of three main forms. There is an opportunity for Human Services to improve the efficiency of the enrolment process by amending the Medicare Enrolment Application form to better specify the documentation that visitors are required to provide in support of their enrolment. 
  • There are a range of channels for customers to amend their data, including over–the–phone, in–person, in–writing and through self–service options such as Medicare Online Services and the Medicare Express Plus mobile phone application. Customers would benefit from Human Services listing all of these channels on its webpage, Keeping up to date with Medicare.
  • To assist customer service officers to enrol customers and amend their personal information, Human Services provides training and guidance on its intranet. While the online training covers the essentials of enrolling customers, it does not include complex enrolment examples. Further, there are inconsistent instructions in and between the training and guidance. For these reasons, Human Services should review its staff training and guidance, in respect to enrolling customers and amending their information, for completeness and consistency. 
  • As a further means of collecting and amending customer information, Human Services conducts data matching with other Australian Government departments and state and territory agencies. Customer records are updated with dates of death using an automated process of matching a Fact of Death Data (FODD) file on a monthly basis, compiled from state and territory  registries of births, deaths and marriages. This process was introduced by Human Services in 2005 in response to Recommendation No. 5 of the ANAO’s performance audit ...
  • When customer information is recorded—at the time of enrolment and if subsequently amended—it is subject to system controls, including address matches with the Postal Address File; BSB validation checks; and field controls. These controls are intended to ensure that data is complete, accurate and reliable. The ANAO’s testing of mandatory customer data indicates that some of these controls are not operating effectively.
  • To further support the collection and amendment of Medicare customer data, Human Services has a Quality Assurance Framework that includes a daily check of randomly selected completed transactions. In 2012–13, 26.8% of these daily checks of Medicare transactions were of customer enrolments and information amendments. The results of these daily checks are reported to the Human Services Executive and stakeholders on a monthly basis and a sample are also reviewed annually for accuracy. For the enrolments and data amendments checked in 2012–13, Human Services reported a 96.3% accuracy rate, which was slightly below the key performance indicator of 98%. 
  • Unique customer reference numbers are used to identify individual customers and to protect their privacy and clinical safety. Customers enrolled in Medicare are assigned four unique reference numbers in Human Services’ records: Consumer IDs: record identifier; Personal Identification Numbers (PIN): Medicare enrolment identifier; Medicare Reference Numbers: card identifier; and IHI: identifier within the ‘eHealth’ environment.
  • These numbers are used to identify customers and their records and link their information between Human Services’ various Medicare databases. The ANAO tested all 29.3 million Medicare customer records in the Consumer Directory. No duplicate unique reference numbers were identified apart from one Medicare Reference Number shared by two different records. Human Services investigated this duplicate Medicare Reference Number and found that it had been mistakenly issued by a customer service officer to two different family members sharing the same Medicare card in 1996, using the Medicare Enrolment File (the predecessor of the Consumer Directory). The testing indicates that unique customer reference numbers have a high degree of integrity. 
  • Duplicate customer enrolments mean that customers have more than one of each of these unique customer reference numbers. Consequently, customer information is fragmented across more than one record, posing a risk to the accuracy, completeness and reliability of their personal and health information. 
  • Duplicate customer records have been an ongoing data integrity issue in Medicare customer record databases. The ANAO’s 2004–05 performance audit recommended that Human Services address duplicate enrolments prior to migrating Medicare customer data to the Consumer Directory. Human Services advised that it implemented this recommendation but this could not be verified by the ANAO without supporting documentation. 
  • ANAO’s testing of all 29.3 million Medicare customer records used varying matching criteria which identified at least 18,000 possible duplicate records. Testing included matches based on names, name initials, dates of birth, addresses and gender as well as varying combinations of these criteria, for example, matches on name and address with a different birth day or month. As part of a continuous improvement approach to managing data in the Consumer Directory, Human Services should consider ways to: better identify duplicate enrolments which take into account these types of variances; investigate the underlying causes of duplicate enrolments; and apply appropriate treatments to address duplicate enrolments. 
  • Data integrity can also be weakened by intertwined records, which are single records shared by more than one customer. Intertwined records are created when customer service officers incorrectly enable two customers to use the same PIN—customers’ unique Medicare enrolment identifiers. Human Services advised that it has recorded 34 intertwined records since 2011–12, when it commenced recording identified instances. These records pose a risk to the privacy and clinical safety of affected customers as their recorded health information does not accurately reflect their individual circumstances. Human Services has established a working group to address intertwined records. The department should also introduce guidelines to ensure risks are mitigated when these types of records are resolved—which could form part of the work of this group.
  • To assist with recording accurate and complete customer data, there are controls in the Consumer Directory including mandatory fields and system rules. Mandatory personal data fields include family name, first name, date of birth and most address fields. Mandatory eligibility fields include eligibility document type, a document reference date or number, and an entitlement end date for relevant entitlement types. ANAO tested these mandatory fields and identified not all mandatory fields had been completed. Further, ANAO’s testing found Medicare customer data which was inconsistently and inaccurately recorded, and which contravened system and business rules.
  • One consequence of errors or omissions in customers’ personal data is that existing customer records may not be identified in the customer enrolment search which could result in duplicate enrolments. 
  • Of greatest concern are the consequences of incomplete, inaccurate and unreliable eligibility data, which can include payments to ineligible persons. ANAO identified some active customer records with invalid entitlement types which had recent associated claims. Further, some customer records did not: (a) contain sufficient information to support customers’ eligibility for Medicare—for example, there were 34,129 records for permanent resident visa holders which did not have reference to at least one of the eligibility documents required to support enrolment recorded; and (b) reflect an entitlement period consistent with the customer’s entitlement type, including not having an entitlement end date recorded despite the customer having a limited entitlement—for example, there were 2,743 records for visitors which had no eligibility end date recorded.
  • Human Services should implement controls to ensure that: all mandatory data fields are completed; recorded data is consistent with business and system rules; and customer access to Medicare benefits is consistent with their entitlement. Human Services should also review all customers accessing benefits without a valid entitlement type, to confirm their eligibility.
  • ANAO tested date of death data and found 40,541 records for customers over 85 years old which did not have an associated claim in the 12 months prior to testing. The absence of claiming activity on these records suggests that these customers may be deceased. ANAO also identified a customer aged approximately 143 years old who had made a claim in the six months prior to testing. Human Services’ investigation of this record showed that the affected customer’s date of birth had been incorrectly recorded and the department advised ANAO that it has subsequently corrected the record. Human Services does not currently undertake data integrity testing. The department should undertake some risk–based, targeted data integrity testing to assist with the identification of records that require review.
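The findings above describe several kinds of test the ANAO ran over the Consumer Directory: mandatory-field completeness, entitlement end dates for time-limited entitlement types, claims beyond an entitlement period, implausible ages, and over-85 records with no claim in 12 months, plus duplicate-candidate matching on names, initials, dates of birth and addresses with tolerated variances. The script below is an added illustration of how a defender might implement such risk-based integrity testing; it is not code from the ANAO or Human Services. The records are constructed sample data, and the field names, entitlement codes (VISITOR, RHCA, PERMANENT), the 115-year age ceiling and the "as at" date are assumptions of this example, not the department's schema or business rules.

```python
# Added example: risk-based data-integrity checks of the kind the ANAO describes.
# All records below are constructed; field names, entitlement codes and the
# age ceiling are assumptions, not Human Services' actual schema or rules.
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_AT = date(2013, 6, 30)            # constructed "as at" date for the run
MAX_PLAUSIBLE_AGE = 115              # assumed ceiling; the report's 143-year-old would trip it
ELDERLY_AGE = 85                     # the report's threshold for the inactivity check
INACTIVITY_DAYS = 365                # "no claim in the 12 months prior to testing"
LIMITED_TYPES = {"VISITOR", "RHCA"}  # hypothetical codes for time-limited entitlements

@dataclass
class Record:
    consumer_id: str
    family_name: str
    first_name: str
    dob: Optional[date]
    address: str
    gender: str
    entitlement_type: str
    entitlement_end: Optional[date]
    last_claim: Optional[date]

def norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key for names and addresses."""
    return " ".join(s.split()).upper()

def age_on(dob: date, on: date) -> int:
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))

def missing_mandatory(rec: Record) -> list:
    """Mandatory personal fields, plus an end date where the entitlement is time-limited."""
    missing = [f for f in ("family_name", "first_name", "address") if not getattr(rec, f).strip()]
    if rec.dob is None:
        missing.append("dob")
    if rec.entitlement_type in LIMITED_TYPES and rec.entitlement_end is None:
        missing.append("entitlement_end")
    return missing

def claim_beyond_entitlement(rec: Record) -> bool:
    """A claim dated after the recorded entitlement end date."""
    return (rec.entitlement_end is not None and rec.last_claim is not None
            and rec.last_claim > rec.entitlement_end)

def implausible_age(rec: Record, on: date = AS_AT) -> bool:
    return rec.dob is not None and age_on(rec.dob, on) > MAX_PLAUSIBLE_AGE

def inactive_elderly(rec: Record, on: date = AS_AT) -> bool:
    """Over 85 with no claim in the last 12 months: a possible unrecorded death."""
    if rec.dob is None or age_on(rec.dob, on) <= ELDERLY_AGE:
        return False
    return rec.last_claim is None or (on - rec.last_claim).days > INACTIVITY_DAYS

def match_reason(a: Record, b: Record) -> Optional[str]:
    """Duplicate-candidate rules mirroring the variance types the report lists."""
    same_family = norm(a.family_name) == norm(b.family_name)
    same_name = same_family and norm(a.first_name) == norm(b.first_name)
    same_addr = norm(a.address) == norm(b.address)
    both_dob = a.dob is not None and b.dob is not None
    same_dob = both_dob and a.dob == b.dob
    if same_name and same_dob and a.gender == b.gender:
        return "name+dob+gender"
    if same_name and same_addr and both_dob and not same_dob:
        # same name and address, date of birth differing in exactly one component
        parts = ((a.dob.year, b.dob.year), (a.dob.month, b.dob.month), (a.dob.day, b.dob.day))
        if sum(x != y for x, y in parts) == 1:
            return "name+address, dob differs in one component"
    if (same_family and same_addr and same_dob and not same_name
            and norm(a.first_name)[:1] == norm(b.first_name)[:1]):
        return "initial+family name+dob+address"
    return None

def duplicate_candidates(records: list) -> list:
    """Pairwise scan; a run over millions of rows would block on a key (e.g. family name) first."""
    found = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            reason = match_reason(a, b)
            if reason:
                found.append((a.consumer_id, b.consumer_id, reason))
    return found

def run_checks(records: list) -> dict:
    """Return each check's findings, keyed by consumer_id (id pairs for duplicates)."""
    return {
        "missing_mandatory": {r.consumer_id: m for r in records if (m := missing_mandatory(r))},
        "claim_beyond_entitlement": [r.consumer_id for r in records if claim_beyond_entitlement(r)],
        "implausible_age": [r.consumer_id for r in records if implausible_age(r)],
        "inactive_elderly": [r.consumer_id for r in records if inactive_elderly(r)],
        "duplicate_candidates": duplicate_candidates(records),
    }

# Constructed sample records (not real customer data).
SAMPLE = [
    Record("C1", "SMITH", "JANE", date(1980, 3, 12), "1 Example St Sampletown", "F", "PERMANENT", None, date(2013, 5, 1)),
    Record("C2", "Smith", "Jane", date(1980, 3, 21), "1 Example St  Sampletown", "F", "PERMANENT", None, date(2012, 8, 9)),
    Record("C3", "SMITH", "J", date(1980, 3, 12), "1 Example St Sampletown", "F", "PERMANENT", None, None),
    Record("C4", "NGUYEN", "MINH", date(1990, 1, 1), "2 Sample Rd Exampleville", "M", "VISITOR", None, date(2013, 4, 1)),
    Record("C5", "BROWN", "", date(1870, 5, 5), "3 Sample Rd Exampleville", "M", "PERMANENT", None, date(2013, 2, 1)),
    Record("C6", "LEE", "KIM", date(1920, 1, 1), "4 Sample Rd Exampleville", "F", "PERMANENT", None, date(2011, 1, 1)),
    Record("C7", "GARCIA", "ANA", date(1985, 7, 7), "5 Sample Rd Exampleville", "F", "VISITOR", date(2012, 12, 31), date(2013, 3, 1)),
]

if __name__ == "__main__":
    for check, findings in run_checks(SAMPLE).items():
        print(f"{check}: {findings}")
```

Each check returns candidates for review rather than verdicts: as the report's 143-year-old shows, an implausible age is more often a mis-keyed date of birth than a fraudulent record, and an inactive over-85 record is a prompt to consult the Fact of Death Data match, not proof of death. The duplicate rules deliberately tolerate one differing date component and an initial in place of a first name, which is exactly the variance the report says an exact-match search misses and which then lets a second enrolment through.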
In discussing privacy the report states that
Human Services has legislative obligations to protect the privacy of customer data and has a well developed framework to meet its obligations. The central element of its framework is the ‘Operational Privacy Policy’ which sets out relevant privacy requirements for all staff in an accessible form and provides links to appropriate supporting documentation on protecting privacy. There are policies and processes in place as well as guidance to assist staff to understand their privacy responsibilities, including reporting privacy incidents and complaints, and completing privacy awareness training. 
Human Services has adopted better practice in requiring Privacy Impact Assessments for new projects. There is an opportunity, however, for Human Services to more consistently apply this requirement to fully realise the benefits of this approach. 
Human Services is required to comply with the Privacy Commissioner’s Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs, including the submission of a Technical Standards Report which outlines its management of Medicare customer databases. In 2009, Human Services implemented Recommendation No. 6 of the 2004–05 ANAO audit—to produce and submit a Technical Standards Report—approximately four years after the ANAO’s report was tabled. The guidelines also require that Human Services lodge variation reports to the Technical Standards Report. The current Technical Standards report does not reflect current arrangements and  there is an opportunity for Human Services to implement a process to review and update this report and to lodge variation reports in a timely manner.
Security? The report notes that
Human Services is subject to the ISM, issued by the Australian Signals Directorate, which outlines standards to assist agencies in applying a risk–based approach to protecting their data and ICT systems.
Human Services undertakes security initiatives outlined in the ISM but falls short of complying fully with the standards outlined. In particular, Human Services is not compliant with two of the mandatory requirements of the ISM. The department has not completed all of the mandatory security documentation required by the ISM for the systems that record, process and store Medicare customer data. Further, it has not completed the certification and accreditation processes for these systems or most of the infrastructure that supports them, as required by the ISM. Fulfilling these requirements would assist Human Services to identify and mitigate risks to the security and confidentiality of Medicare customer data. 
There is also scope for Human Services to improve its implementation of: risk management activities for ICT systems and services by ensuring that controls and treatments to mitigate risks are in place; active security monitoring by addressing identified vulnerabilities associated with new ICT systems and taking a risk-based approach to monitoring potential threats to systems; and user access management by monitoring and reporting on access to the Medicare Data Warehouse which contains a copy of Medicare customer data.
Human Services has also identified areas for improvement in its self–assessment against the Australian Government’s Protective Security Policy Framework and is taking action to meet its security awareness and training responsibilities. Further, the department is undergoing an organisation-wide process to develop business continuity plans which address identified critical functions. There would also be benefit in Human Services completing disaster recovery plans in relation to its identified critical functions.