Health provider compliance audits and reviews

This page includes information to help health professionals understand the audit and review process.

Page last updated: 29 August 2018


Audits and reviews

Health provider compliance audits and reviews are conducted in accordance with legislation, to protect public funds and make sure benefits are correctly paid.

An audit is an evidence-based assessment of a provider’s compliance with relevant requirements in relation to the payment of a benefit. A review of decision is where an independent decision maker reviews the result of a compliance audit and reconsiders the evidence (or considers new evidence) and confirms, varies or revokes the original decision.

The Department conducts compliance audits and reviews for:

  • Medicare Benefits Schedule (MBS)
  • Pharmaceutical Benefits Scheme (PBS)
  • Child Dental Benefits Schedule (CDBS)
  • Incentives Programs.


The Department conducts compliance audits and reviews under the following legislation:

  • the Health Insurance Act 1973 which applies to all health providers claiming Medicare benefits
  • the Dental Benefits Act 2008 which applies to all dental practitioners claiming under the Child Dental Benefits Schedule (CDBS)
  • the National Health Act 1953 which applies to the provision of pharmaceutical, sickness and hospital benefits and of medical and dental services.

Under these Acts:

  • You may be issued with a Notice to Produce documents that legally binds you to submit evidence to the Department to substantiate professional services or claims. A notice is issued where a concern has arisen regarding an incorrectly claimed or paid benefit. A Notice to Produce can be issued to a person or corporation who has your records.
  • A debt will be raised if a health provider does not comply with a Notice to Produce or if the evidence provided does not substantiate the professional services or claims.
  • Civil penalties may be applied to any person who has control of a health provider’s records and who does not comply with the Notice to Produce.
  • If you need to provide documents that contain clinical information, they can be provided to one of our professional advisors such as a medical or dental advisor.
  • You can apply to have a review of a decision on compliance audit findings.
  • An administrative penalty applies for debts that exceed $2,500. This penalty decreases when a health provider voluntarily tells us about incorrectly claimed amounts. However, it can be increased if a health provider does not respond to a Notice to Produce.
  • We can request the Director of Professional Services Review to review suspected cases of inappropriate practice for health practitioners and for CDBS services billed after 4 November 2014.
  • For pharmacists, we can refer suspected cases of inappropriate practice to the Pharmaceutical Services Federal Committee of Inquiry.

For CDBS compliance audits and reviews only:

  • Provisions of the Professional Services Review can be applied to any CDBS service billed on or after 4 November 2014. This means we can request the Director of Professional Services Review to review suspected cases of inappropriate practice.

Health Legislation Amendment (Improved Medicare Compliance and Other Measures) Bill 2018

The Health Legislation Amendment (Improved Medicare Compliance and Other Measures) Bill 2018 came into effect on 1 July 2018 and amends the:

The key changes from the Bill include:

  • Aligned record keeping requirements across all relevant Acts: all health professionals are required to keep records for a minimum of two years;
  • Improved debt recovery mechanisms with the introduction of offsetting and garnishee provisions;
  • Notice to Produce requirements aligned across the Acts that require health professionals to produce requested documents to the Department when they are subject to compliance activities;
  • Aligned administrative penalties for debts of more than $2,500 if a health professional fails to provide substantiating documents within the required timeframe;
  • Additional information will be required about a health professional's employer when applying for a Medicare provider number; and
  • From 1 July 2019, the Shared Debt Recovery Scheme will be introduced to address organisational billing practices. It will enable the Department to hold an employing or contracting organisation responsible for a portion of any debts incurred as a result of incorrect Medicare claiming.

Record Keeping

It is important to maintain good administrative record keeping standards. For more information review the:

  • relevant legislation
  • Administrative record keeping guidelines for health professionals
  • Health professional guidelines.

Good record keeping can help you:

  • ensure accurate and secure patient information
  • reduce the risk of incorrect claims and fraud
  • provide transparent reporting
  • substantiate your claims if you are asked to participate in an audit.

All health professionals are now required to keep records for a minimum of 2 years, which includes any referrals, or any document created as a requirement of the benefit.

Once a provider has been notified of an audit (under section 129AAD(3) of the Health Insurance Act 1973), the records of the notified period cannot be destroyed, even if the 2-year record keeping period expires.

Substantiating documents must be maintained until the audit period ends, which is when the outcome of the audit (and any subsequent reviews) is notified to the provider.

Notice to Produce

A Notice to Produce is a written notice requiring a health professional, or person in possession or control of records, to produce documents that can substantiate the services being looked at as part of a compliance audit.

Read more about a Notice to produce

Providing clinical records

You only need to provide documents with clinical details of a patient where the information is needed to substantiate a service. The type of information we need will depend on the claims that need to be substantiated. You can provide an excerpt with only the relevant details to a compliance officer or you can choose to provide any documents with clinical information to one of our Health Professionals such as a medical adviser.

We can issue a notice to produce documents to any person in possession or in control of your documents. If this person does not comply with a request, they can be subject to a civil penalty. We cannot issue a notice to a patient or their parent or legal guardian.


We take privacy seriously and have infrastructure and security arrangements in place to safeguard your information and the information of your patients. Personal information collected and held for health compliance audits is protected by:

Information will be kept for 10 years after a health compliance audit is completed. If the audit is subject to a review of decision or establishes a legal precedent, disposal of information is not authorised and the information is retained as National Archives.

Personal information collected during a health compliance audit is protected by strictly enforced security safeguards. These safeguards prevent and detect unauthorised access to personal information. Penalties, including fines and up to 2 years imprisonment, may apply to an employee who breaches their legal obligations.

Your privacy

If you are required to participate in a compliance audit undertaken by the Department, we will ask you to provide documents that can substantiate claimed services. The Australian Privacy Principles in the Privacy Act 1988 (particularly Australian Privacy Principle 6) give you the authority to disclose clinical information to us as required or authorised by law.

Patient privacy

You’re not expected to produce clinical information about a patient unless it’s needed to substantiate a claim. You may censor any information that isn’t needed in all documents you provide.

You don’t have to tell a patient that their clinical information has been disclosed for the purposes of a Medicare compliance audit, or as required or authorised by law. The only time we notify a patient about the disclosure of their clinical information is when their clinical records are seized under a search warrant during a criminal investigation.

Disclosure of information

Information we collect may be disclosed, as authorised or required by law, to protect:

  • the health, safety or welfare of an individual
  • public funds including the investigation of Medicare fraud.

Exceptional circumstances

An exceptional circumstance is an unavoidable situation that stops you substantiating services provided or fulfilling requests we make to produce documents, even after you have taken all possible and reasonable precautions. Should you be facing circumstances beyond your control, tell us as soon as you can by:

If an audit is in progress and we’re not satisfied with the reasons set out in your submissions, you will still need to either:

  • substantiate any services subject to the audit
  • repay any incorrect payments including any penalties that may apply.

If we are satisfied, we will send you a Notice of Decision.

Compliance audit outcome

You will be advised in writing of the outcome of the compliance audit before a debt is raised.

If you disagree with the outcome of a compliance audit you can lodge an Application to Review Compliance Audit Decision form. You need to submit your application within 28 days of receiving the notice of decision that amounts are recoverable. Any additional information and substantiating documents should be provided with the form. We will respond to your application within 28 days after receiving your application.


Administrative penalties

Financial administrative penalties can be applied to a debt of more than $2,500 if a health professional fails to provide substantiating documents within the required timeframe. Compulsory administrative penalties on unpaid debts now apply to all health professionals including dentists and pharmacists.

Read more about Administrative penalties

Civil penalties

A civil penalty is similar to a fine and can be imposed by the Federal Court under 4AA in the Crimes Act 1914 on an individual or a corporation who:

  • is responsible for documents relating to claimed services
  • did not provide the service themselves
  • has not complied with a Notice to Produce documents.

Penalties are designed to encourage voluntary compliance with the legislative requirements for the payment of benefits.

A civil penalty does not apply to patients who received services or incurred the expenses associated with a service.

Support Resources

Audit and review forms

Forms to help you to meet your obligations for Medicare compliance audits and reviews:
