Vaxa | Medmate Clinical Governance and Pharmacy Review

Key theory and concepts

Clinical governance guidelines

The RACGP serves as the cornerstone for guiding clinical practice within General Practitioner (GP) practices. While Medmate operates as a platform and market creator rather than a physical practice, it is important to recognize that its service delivery ecosystem functions similarly to a practice. Therefore, adopting comparable standards and a culture of safety and performance measurement, including clinical indicators, is essential to ensure the provision of safe, quality, and timely services.

Medmate is subject to the same laws, clinical governance, and compliance expectations as any GP practice or business, albeit with a limited scope of service tailored to a specific risk profile. However, there is a direct correlation between these indicators and reputational exposures. Therefore, Healthylife may consider expanding its performance and service delivery policies to encompass other qualitative measures to manage brand reputation and service guarantees for its customer base, particularly as it expands its scope of services in the future.

Throughout our report, we have used the RACGP governance guidelines for General Practices.

According to RACGP, practices should consider the following in establishing their clinical and practice governance:

  • Organisational culture
  • Human behaviour and determinant of safety
  • Skilful identification and investigation of safety issues
  • Prevention and safeguards
  • Patient safety monitoring

Clinical indicators suggested by the RACGP include:

  • Quality and safety infrastructure
  • Clinical policy
  • Organisation of service
  • Preventative health and screening
  • Clinical documentation
  • Clinical assessment
  • Clinical management
  • Prescribing safety
  • Clinical practice review
  • Population for intervention

With this in mind, our report covers:

  • Role and Responsibilities (RR)
  • Cascade of RR to Policy, contracts, performance measurement
  • Use of data insights to measure safety, compliance and performance (clinical indicators)
  • Clinical governance and investigation / peer review
  • Monitoring and performance regimes
  • Culture and workforce
  • Information security and access

With a view to embedding a strong culture of safety and compliance, with clear service definition and scope of practice that is measurable.

Framework for clinical and practice governance

A structured framework for implementing clinical and practice governance (as part of a clinical and practice management strategy) is critical. There needs to be an overall framework and strategy for how this works together, and this needs to be assessed against the corporate risk register to ensure that it addresses and mitigates this appropriately.

A strong clinical and practice governance framework must include three types of measures:

  1. Preventative measures: aim to prevent events from occurring or to make people aware of their obligations and responsibilities. Players in the system understand the consequences of a breach and aim to meet their obligations to prevent events from happening.
  2. Managed measures: aim to have the right management processes and checks in place to reduce or eliminate risk. This is reflected in IT system controls, policy and processes (e.g. access and permissions), but links to the use of clinical indicators and reporting to provide a view on compliance and performance. This is everyday management practice and oversight of operations.
  3. Reactive measures: react when an incident occurs, covering how the organisation deals with the situation, undertakes reviews, and the impact this may have on the patient, business and providers in the system. They also address areas where external assessment may occur in extreme cases such as malpractice or death. They link into the preventative and managed aspects of the framework as continuous improvement, but also support branding exposure and notification from the providers to Medmate and Healthylife of critical incidents.

Approach to assessing transfer of risk

It’s important we first discuss the key theory and concepts that inform how we assess who bears and manages risk within these frameworks.

Medmate operates its own ecosystem to deliver its services but exists within a broader sphere of influence—we will call this the “universe”. While we’re focussing on the former in this review, the latter provides crucial context in defining how Medmate operates, and most importantly, how it is (or should be) treating risk. Therefore, we feel it’s useful to develop a conceptual model of this universe.

This model helps us to comprehensively work through:

  • Whether all actors in the ecosystem and their roles/responsibilities are well understood and defined.

  • The various systems and processes—Medmate-controlled or otherwise—that contribute to the interactions between these actors within the universe.

  • How the regulatory and competitive environment overlay across the universe.

Importantly, by modelling this, we can clearly see the paths that Healthylife can influence—and the paths where risk exposure could exist.

Figure 1: Concept of the Medmate Universe and Ecosystem.

Medmate cannot control all actors in the universe—it cannot control regulatory bodies, for example. But Medmate’s role in running its marketplace means it can exert reasonably broad control over the key actors in its ecosystem (namely, Patient, Doctor, Pharmacy, Delivery Partner)—Medmate plays a crucial role in reducing risk within its ecosystem, to the best of its ability, given outside influences. The question at hand becomes, what should Medmate be controlling and how?

Best practice dictates there should be a clear continuity and line of sight between the decisions at the highest level of management (position setting) through to the lowest level (monitoring and contractual enforcement). This is true from any angle—commercial, strategic, or in this case, risk. While shown as a linear process here, feedback mechanisms should exist to inform the management approach and address the question of “what should Medmate be controlling?”

Figure 2: Concept of clear line of sight downstream of the policy; essential for effective risk transfer.

Our review sees us focus on this continuity—where this continuity is broken, risk arises, and transfer of risk is contentious.

A break in this continuity can take many forms as outlined in the hypothetical examples below:

  • Software access control: Despite having adopted a position (policy) that a pharmacist shouldn’t be able to access the Medmate platform after termination, if there is no ongoing monitoring and contractual enforcement, then the adopted policy is likely ineffective and risk untreated.

  • Conflicting policy: If two policies conflict within the Medmate system, then it’s almost certain the downstream processes and monitoring cannot be effectively implemented to manage risk.

  • Clinical oversight: While doctors are considered independent contractors making independent decisions, it’s been recognised that Medmate still carries reputational risks on the decisions those doctors make, but there is no clear definition on how to define or manage poor decision making; reputational risk is recognised but untreated.

  • Commercials (pricing, terms, performance): With each actor in the system realising some sort of commercial benefit for the performance of their duties to a certain standard, these benefits should reflect the fair exchange of value. If contracts see doctors remunerated on another basis, then there is clearly a disconnect and so perverse behaviours may be incentivised.

  • Unclear implementation of policy: A well-defined policy can be adopted, but if this isn’t translated into effective processes to implement the policy, then the policy is ineffective and leaves the original risk effectively untreated.

  • Ineffective transfer of risk: In all the above examples, if a policy is adopted that intends to transfer risk but continuity is broken, there is a very high likelihood that this transfer of risk is ineffective, and Medmate remains exposed (and by extension, Healthylife is exposed via mostly reputational risk).

It’s also critical to understand where in the chain this continuity is broken. A break at the top introduces strategic risk and typically requires much more effort to resolve, while a break at the bottom (tactical risks) can typically be resolved with smaller tactical efforts. Our risk register classifies risks in this manner.

Whilst we’re focussed on risk for this discussion, many elements inform or make up this continuity: outside investment, business plan and strategy, commercial approach, risk appetite—and of course, outside influence from elsewhere in the universe (e.g. regulations).

For this discussion, Healthylife is one such key outside influence; while we are not reviewing the relationship between Healthylife and Medmate directly, we do make efforts to see if Healthylife’s exposure to risk forms part of the considerations of management when setting policy etc. Indeed, these theories would apply to Healthylife’s own structure, and therefore it would be prudent to repeat this risk review exercise with Healthylife directly to highlight any breaks in continuity—and exposure to undue risk.

Focussing on the review at hand, we will use this model to inform how we assess Medmate’s governance of itself and the ecosystem it operates, to form a view of its risk exposure and the potential transfer of risk to Healthylife.

Abbreviations

| Term | Refers To | Definition |
| --- | --- | --- |
| ADHA | Australian Digital Health Agency | Australian Government statutory agency responsible for My Health Record, Australia's digital prescriptions and health referral system, and other e-health programs under the national digital health strategy |
| AI | Artificial intelligence | AI usually refers to the use of data and algorithms to mimic human intelligence and perform tasks that typically require human intelligence. |
| API | Application Programming Interface | API is a set of rules and protocols that allows one software application to interact with another. |
| BYOD | Bring Your Own Device | BYOD is a policy that allows employees to use their personal devices for work purposes. |
| eRx | Electronic prescription | eRx is a digital version of a paper prescription that is sent directly to a patient's chosen pharmacy. |
| eRx Script Exchange | National electronic prescription exchange service | eRx Script Exchange is a national electronic prescription exchange service that allows prescribers to send electronic prescriptions to a patient's chosen pharmacy. |
| GP | General Practitioner | A general practitioner is a doctor who is also qualified in general medical practice. GPs are often the first point of contact for someone, of any age, who feels sick or has a health concern. They treat a wide range of medical conditions and health issues. |
| HL | Healthylife | Healthylife pharmacy; the entity initiating this review and engaging Medmate for the delivery of services |
| IHI | Individual Healthcare Identifier | A unique number used to identify an individual for health care purposes |
| ISM | Information Security Management | ISM is a set of policies, procedures, and practices that are used to manage, monitor, and improve information security within an organisation. |
| MM | Medmate | The entity under review; operates the Medmate ecosystem to deliver remote, online healthcare services |
| OMS | Medmate’s Order Management System used by pharmacies | OMS is the system used by pharmacies to interact with Medmate, including accepting orders and pushing to their dispense systems |
| PCI-DSS | Payment Card Industry Data Security Standard | PCI-DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. |
| PHI | Personal Health Information | PHI is any information related to an individual's health, medical history, or healthcare services received; extremely sensitive. |
| PIE | AHPRA’s Practitioner Information Exchange | PIE allows approved healthcare organisations to easily check the details and registration status of the health practitioners they employ |
| PII | Personally Identifiable Information | PII is any information that can be used to identify an individual, such as name, address, email, phone number, etc.; sensitive. |
| POS | Point of Sale [System] | POS is an encompassing term used to describe systems used by pharmacies to process sales transactions, manage inventory, and track customer information. |
| SafeScript | Real-time prescription monitoring system | SafeScript is a real-time prescription monitoring system that allows healthcare professionals to access some of a patient's prescription history to help prevent harm from medicines. |
| SLA | Service Level Agreement | SLA is a contract between a service provider and a customer that specifies the level of service expected from the service provider. |
| TGA | Therapeutic Goods Administration | TGA is responsible for regulating therapeutic goods including prescription medicines, vaccines, and medical devices. |
| UI | User interface | UI is the point of human-computer interaction and communication in a device. |

Relevant legislation and regulatory bodies

Relevant party | Process | Medmate Policy / Legislation / National Code of Conduct

Relevant party: Medical Practitioners & Medmate; Process: Doctor onboarding

Source: Medmate

  • (Unsighted) Employment contract

  • (Unsighted) Fair Work Information Statement

  • (Unsighted) Casual Employment Information Statement

  • (Unsighted) Confidentiality agreement

  • Medmate Patient Management Policy

Source: AHPRA

  • Good medical practice: a code of conduct for doctors in Australia

Source: Federal Register of Legislation

  • Health Practitioner Regulation National Law Act 2009

Relevant party: Medical Practitioners & Medmate; Process: Doctor Maintenance: AHPRA Registration, Performance

Source: AHPRA

  • Mandatory notifications about registered health practitioners (Guidelines)

Source: Federal Register of Legislation

  • Health Practitioner Regulation National Law Act 2009 – Part 8, Health, performance and conduct

  • Health Ombudsman Act 2013

Source: Medmate

  • Medmate Patient Management Policy

Relevant party: Medical Practitioners; Process: Delivering telehealth services

Source: AHPRA

  • Guidelines: Telehealth consultations with patients and telehealth guidance for practitioners

Source: Federal Register of Legislation

  • Health Insurance (Section 3C General Medical Services – Telehealth and Telephone Attendances) Determination 2021 (under the Health Insurance Act 1973)

  • National Health Act 1953

Source: Medmate

  • Medmate Patient Management Policy

Relevant party: Medical Practitioners; Process: ePrescribing of medications

Source: AHPRA

  • ePrescribing of

Source: Federal Register of Legislation

  • National Health Act 1953; Part VII – Pharmaceutical Benefits

  • Therapeutic Goods Act 1989

Source: Department of Health and Aged Care

  • National Medicines Policy

Source: Medmate

  • Medmate Patient Management Policy

Relevant party: Pharmacies; Process: Dispensing of medications (including S4D and S8)

Source: AHPRA

  • Code of Conduct

  • Guidelines for dispensing of medicines

Source: Federal Register of Legislation

  • National Health Act 1953; Part VII – Pharmaceutical Benefits

Source: Department of Health and Aged Care

  • National Medicines Policy

  • Medicine shortage reports

  • Regulation of listed medicines and registered complementary medicines

Source: Medmate

  • Service level agreement (SLA)

Relevant party: Medmate; Process: Billing of Telehealth services

Source: Federal Register of Legislation

  • Health and Other Services (Compensation) Act 1995

  • National Health Amendment (General Co-payment) Act 2022

Source: Medmate

  • Telehealth – Website Workflow

  • Telehealth – Pharmacy Referred

Relevant party: Medmate; Process: Patient Management

Source: Medmate

  • Medmate Patient Management Policy

  • Code of Conduct

  • Telehealth – Website Workflow

Relevant party: Medmate; Process: Privacy

Source: OAIC

  • Health Records and Information Privacy Act 2002

Source: Queensland Government

  • Information security classification framework

Relevant party: Medmate; Process: Information Security

Source: International Organization for Standardization

  • Information security, cybersecurity and privacy protection (ISO 27001)

Source: Medmate

  • Acceptable Use of Information Technology Policy

  • Data Privacy Policy

  • Medmate Risk & Incident Response Plan and Policy

  • Incident Management Policy

Relevant party: Medmate; Process: Cyber Security

Source: Australian Cyber Security Centre

  • Privacy Act 1988

Source: Medmate

  • Medmate Risk & Incident Response Plan and Policy

  • Disaster Recovery Policy

Generally speaking, there will also be state-based legislation that's in line with the national legislation; given Medmate operates across all states, we've only mapped national legislation for brevity.
