Case study: Uber and audits

Case studyUber and auditsWhat do ride-hailing services such as Uber have in common with audits by third party payment entities such as private health insurance (PHI) funds and Medicare? Colm Harney, Dentolegal Consultant at Dental Protection, shares what he knows.Estimated read time: 8 minsNext time you ‘call’ an Uber and it meets you on the street within a few metres of where you are standing, take a moment to think about the astonishing technology at play.Amazingly, what occurs is that a global positioning system (GPS) device taps into a constellation of satellites that orbit approximately 17,000 kms above the Earth and transmit radio wave signals to receivers across the planet. ⁽¹⁾The US Department of Defence developed GPS satellites as a strategic system in 1978 – our phones, cars, trackers all now use data from these GPS satellites to locate a specific point on the Earth in a process called trilateration. A GPS receiver measures the distance from the receiver to three different orbiting satellites using radio signals, and from that data every point on Earth can be given its own unique address—its latitude, longitude, and height. ⁽²⁾Historically, this process of using three reference points has been used for many purposes, including surveying, navigation, meteorology, and astronomy. If you like to climb hills and mountains, as I do, you will still see trigonometrical stations (trig points) on the tops of mountains in Australia, New Zealand, the British Isles, and elsewhere – although no longer used for mapping and surveying purposes they remain useful to hikers as navigational aids. ⁽³⁾Nowadays this process for accurate mapping has been superseded by the GPS system, but the triangulation principle remains the same for determining the accurate location of a singular point using other known reference points.So, what does this have to do with audits? Just like the early mapping days, audits usually use a minimum of three reference points to determine whether the claim is acceptable to the payment entity:Overlaying all of this is the question or consideration of why a practitioner might be audited in the first place – it is worthwhile considering this first before we discuss how the triangulation process might be used by the entity to determine whether the claim is acceptable.In general, there are two broad reasons why a practitioner might become the subject of an audit – chance and selection/targeting.Yes, as inconvenient and concerning as it may be, you may just be the subject of a random audit by a third-party payment entity. For example, a PHI may decide to randomly audit a selection of practitioners receiving fees from the fund to ensure compliance and demonstrate to stakeholders that they carry out their due diligence to protect the pool of funds paid by members.More commonly though, is a targeted type of audit. There can be a number of triggers for a practitioner becoming subject of an audit such as:

Past history of being audited, especially if there were adverse findings – in Dental Protection’s experience, practitioners who have been subject of previous findings against them remain ‘on the radar’ of the entity. Many PHIs are explicit about this in their correspondence, so a previous finding should be seen as a non-negotiable opportunity to address any deficiencies identified in the audit, going forward.

Outlier billing practices – the third-party entities now have sophisticated tracking and analysis resources. Some use AI to find outliers on the ‘bell curve’ and others use dentally educated investigators to review data and identify unusual patterns of behaviour. That is not to say that outlier billing means non-compliance – there may be many valid reasons for this such as specific uncommon treatments you carry out or even just your patient demographic. For example, you may see elderly patients at care homes, and you do higher than average amounts of multi-surface glass ionomers to stabilise at risk teeth.

Working in a practice with a history of previous issues may draw a previously unaware practitioner into audit, just by virtue of past issues in the practice – for example a new associate.

A complaint to the entity – for example by a patient unhappy with a rebate or codes billed. Regrettably we sometimes hear of disgruntled staff members reporting on ‘questionable’ behaviour as part of a workplace dispute.

What does an audit look like?Most audit processes we see start off with some form of ‘desktop audit’ – the entity contacts the practitioner and requests comment on particular issues of concern (as I write this, Medicare are currently selectively reviewing claiming of 88114) and/or asks for a selection of specified records to be sent to them for review.This leads us into the three reference points, as first off, Dental Protection are often contacted by understandably indignant practitioners who want to know what right a PHI might have to access a copy of the full dental record of a patient.The rules of the entity – it will usually be specified in the rules what rights the entity has to access the information requested. The relevant rule(s) should be cited in the written request for the records (records should never be released based on a phone request due to privacy/ confidentiality/security considerations).Of surprise to many practitioners is that use of the ubiquitous HICAPs machine means that certain agreements are enacted, and it pays to read the HICAPS Private Health Insurance Provider Agreement, notably section 4, Handling transactions. ⁽⁶⁾Each entity will have their own rules, with individual variations – broadly speaking, the rules of relevance regarding audits are the rights of the entity to check compliance (such as by requesting records or carrying out practice visits) and possible consequences that can arise for non-compliance.One other factor that can be invoked from PHI fund rules is claiming for family members, staff, their families and how broad or narrow this extends. Again, each PHI has some interpretation of restrictions on claiming for family/staff so it pays to read the relevant fund rules as this can be a subject of audit.If you do treatment on CDBS, are you compliant with the administrative side such as consent forms?The descriptor of item codes used for claiming – there is much crossover with reference point 3.By way of simple example, if 022 is claimed, as well as the obvious assumption that the image can be evidenced, there must be some recording of the interpretation of that image – as outlined in the descriptor. If not, the claim may not be compliant.When 114 is claimed, somewhere in the records there should be evidence of removal of calculus – the easiest means of evidence is noting it in the contemporaneous record of the treatment delivered/claimed for. If not, the claim may not be compliant. There are other means, after-the-fact, when an audit comes in that may satisfy the entity – such as showing intra-oral photos or radiographs with calculus or a periodontal screening score that demonstrates presence of calculus – however the simplest way is to describe the procedure done in the record made at the time.Similarly, a 071 should be as described in the Glossary if a claim is to be made – there should be a physical model that can be produced, and it should not be a working model.This list is by no means exhaustive but acts as a simple demonstration of the more common issues where non-compliance can arise.It pays to read the Glossary and pedantically review the wording of each code you use, especially if using ‘outlier’/uncommon codes.The ADA is the arbiter of appropriate use of these codes and the Glossary states that “any dentist or third-party requiring clarification or interpretation of the Schedule & Glossary should contact the ADA”.Dental Board of Australia policies, codes, and guidelines - the old mantra “say it, do it, write it down” applies.These rules are not set by Dental Protection or even PHIs. We sign up to the shared Code of Conduct every year in November and part of that is Principle 8, Professional behaviour - to “display a standard of professional behaviour that warrants the trust and respect of the community”.Embedded in Principle 8 is ‘Health records’ and this can be cross-referenced in the ‘Dental records’ section with a fact sheet and self-reflective tool to self-audit. ⁽⁷⁾A key guiding principle here is 8.3(d) – to “ensure that records are sufficient to facilitate continuity of care”.Your records should tell a story of each patient’s journey with you that is logical, consistent with accepted practice, and adequately documented so that anyone taking over the treatment would be able to do so without difficulty. There needs to be an inherent transparency in what has been done and why.As part of audit the third party can leverage our obligations to practice to a certain standard (including record keeping) and if it can be demonstrated that a practitioner doesn’t meet the standard and this can be identified in audit, it may be used to enact consequences such as claiming fees back.The concept of ‘professional behaviour’ can also be invoked with certain adverse regulatory or criminal matters where a PHI may claim the practitioner has behaved in an unprofessional manner or might bring the reputation of the fund into disrepute by continued association.SummaryIn summary, when the third-party payment entities audit practitioners, they triangulate off the three reference points mentioned above and use this to determine where on the ‘landscape’ the claiming of the practitioner lies.Regrettably, when the auditing party correlates the data from the three sources, despite the sophistication of tools we know they have, they often don’t have to look very hard and at first pass they will often pick the ‘low hanging fruit’. For example, anomalies with 022, (88)114, 071, claiming for immediate family and the like.The practitioner will of course be given right of reply, and it is very deflating for us at Dental Protection when we want to help but our hands are tied by inarguable non-compliance, referencing against the metrics above.What to do? We know that prevention is better than cure and fortunately there is plenty that can be done right now.Simply review the information freely available on PHI websites (especially if you are in any type of ‘preferred provider’ arrangement, as you will be held to a higher standard and often more onerous rules) and Services Australia – PHI fund rules, HICAPs agreements, CDBS rules etc.As a minimum, be aware of their existence and understand what you have knowingly (or unknowingly) signed up to comply with by engaging with these entities. As a registered practitioner, interfacing with these entities, it is solely your responsibility.Read the Code of Conduct/records standard. We sign up to comply with this every November when we re-register, so it never does any harm to brush up on what the regulator expects of us.Then self-audit or ask a colleague. Pick five to ten sets of records at random and ‘run the ruler’ over them with the triangulating eyes of an auditor to check compliance.Ultimately, when it comes to avoiding audits, knowledge is power. Once you have a handle on this information and are satisfied that your systems and protocols are compliant, then you can relax and go back to practising like you are catching an Uber – as simple as going from ‘A to B’ in the knowledge that all the sophisticated systems are running in synchronisation in the background.References

https://oceanservice.noaa.gov/education/tutorial_geodesy/geo09_gps.html

https://education.nationalgeographic.org/resource/triangulation-sized/

https://en.wikipedia.org/wiki/Triangulation_station

https://www.health.gov.au/resources/publications/cdbs-guide-to-the-child-dental-benefits-schedule

https://www.dentalboard.gov.au/Codes-Guidelines/Policies-Codes-Guidelines/Code-of-conduct.aspx

https://www.hicaps.com.au/support/hicaps-agreements/provider-agreement-terms-and-conditions#

https://www.dentalboard.gov.au/Codes-Guidelines/Dental-records.aspx

Prefer to listen to this?Riskwise Australia - Issue 50 - May 2025Ready In Your Corner AdvertEditorialBack to the futureArtificial intelligenceIn conversation with... Thrive at workCase study: Behind the veneer of patient trustCase study: When your number is upCase study: Uber and auditsCase study: Can't you just put it back inAn update from Adrian Jackson on the MPS FoundationMPS Foundation: Prevention is better than cureMPS Foundation: Avoiding the ‘off switch’ for AIAdvert - Secure your placeClosing page