Vaxa | Medmate Clinical Governance and Pharmacy Review

Management of Medmate

How is Medmate structured?

Whilst this review isn’t centred on the management structures and methodologies of Medmate, we make the following observations.

The company has adopted a Functional Structure.

Figure 18: The organisational structure of Medmate, showing delineation between Managerial and Medical.


The Medical Director and the Clinical Governance Team share responsibility for managing the clinical processes and treating associated risks. This team provides guidance to doctors (including setting the doctors' guidelines) and oversees protocols for programs like Quitmate. This team also reviews any adverse events and makes appropriate changes to policy and process.

The CEO, CTO and CFO oversee their relevant portfolios within the business. Subject Matter Experts and management staff oversee various verticals beneath these executive roles. These staff have no say on clinical matters, which is appropriate.

The board comprises four directors:

  • Ganesh Naidoo

  • Sudhir Rao

  • Dilip Rao

  • Dimitri Siapkis

Most operational staff are based in Australia, though we do see offshore staff listing Medmate as their employer in a “Medical Receptionist” capacity; depending on the role that these staff play (if at all), this may only be a minor additional risk exposure, but ascertaining this was out-of-scope for this pharmacy and prescribing review. If health data is accessible overseas, then this would be a major breach.

RSK28 - Use of offshore staff

Recommendations: REC28

How does Medmate manage itself on an ongoing basis?

Senior management meets weekly to discuss operational issues, projects, and review risks. Clinical Governance meets at least monthly. In doing so, Medmate keeps itself across the near-term operational issues. The exact nature, structure and effectiveness of such meetings would require a detailed audit to establish and is beyond the scope of this report.

There is no externally recognised system to support this management process nor visible alignment to any such system. An example is ISO9001 (Quality Management System), which would see Medmate formalise their management approach, appropriately recognise the needs and interests of each of their interested parties (including Healthylife) and determine how they need to adjust their business to deliver quality to each party.

Importantly, this would happen in a manner that is verified by an independent third party, whose attestation can be made available to suppliers and clients like Healthylife. Adoption of an ISO9001 or similar structure is in the best interests of protecting Healthylife and Medmate alike.

RSK16 - No formally documented management systems e.g. ISO9001

Recommendations: REC14, REC15

Medmate does have established and demonstrated review cycles for their policies and processes—but while they happen, this doesn’t necessarily guarantee the reviews are effective in addressing emerging risks. Again, establishing the effectiveness of such a control would require a detailed audit. This policy and process review schedule would certainly be strengthened with an ISO9001 program, but if the current program can be taken at face value to be effective, then this would serve as a reasonably effective control for identifying and changing policies for the business, notwithstanding the aforementioned limitations.

How does Medmate decide on pilot programs or ventures?

Medmate's decision-making process for new programs or ventures involves several key considerations. Programs generally stem from identification of opportunities by assessing gaps or unmet needs in the market, or more clearly communicating value to the public; assessment of additional risk exposure (both to Medmate, and 3rd parties like Healthylife) doesn’t seem to form a key part of this consideration from the outset.

Medmate’s primary measure of performance is financial, with a budget set and reviewed weekly. Analysis of program performance is conducted against dimensions like customer source across Healthylife, Medmate, and Quitmate etc., which is reasonable against financial goals.

Without a formal risk assessment forming part of the stand-up of new programs, both Medmate and 3rd parties are exposed to additional and potentially unidentified and untreated risk. For example, if ISO9001 was adopted, then Medmate would identify Healthylife as an interested party, and recognise that new programs may adversely impact the quality of service (compliant, low-risk, good customer experience etc.) that Healthylife expects. This would then directly inform how Medmate treats the risk.

RSK17 - No risk assessment framework for managing risks arising from new programs e.g. Quitmate

Recommendations: REC11, REC16, REC18

It’s important to recognise that Medmate has demonstrated they don’t blindly activate programs without addressing at least some level of risk. The process for a doctor to become ‘accredited’ to deliver Quitmate is one of many examples. The issue at hand is whether that process of identifying and treating risks occurs at the right time, is effective enough, and appropriately considers impacts on Medmate’s interested parties. Given the lack of such a formal structure, our view is that it’s very likely gaps exist.

And so while we are reasonably comfortable with the risk treatments applied to Medmate’s current programs, we are concerned for Healthylife’s risk exposure should Medmate decide to start a more questionable program. Ideally (notwithstanding commercial sensitivities between two related entities) Healthylife would be informed of and given the ability to comment on inherited risk exposure arising from such programs; it’s unclear if any mechanism or protections exist in Healthylife’s engagement with Medmate as we haven’t reviewed this relationship directly.

For the avoidance of doubt, we didn’t see anything to suggest questionable programs are under consideration.

How does Medmate view their own risk exposure?

Firstly, a disclaimer that this is our opinion based on our discussions with Medmate. Medmate has not provided documentation to support this, but we have included this as it serves as an interesting viewpoint into the psyche of management.

Medmate naturally seeks to offload risk to third parties as much as possible. For example, the statement “doctors are independent contractors making independent decisions” is oft repeated at Medmate. While this is (likely) legally correct, Medmate’s close association with these doctors means a doctor’s decision is effectively a Medmate decision, and so risks should be treated as such.

By extension, while Healthylife isn’t Medmate, the relationship can be perceived as such by the general public and media, and therefore Healthylife wears exposure to reputational risk should Medmate come unstuck. Therefore, it’s prudent to understand and manage Medmate’s risk through exercises like this one.

A similar statement is made regarding pharmacies, in that the eRx Script Exchange verifies the validity of a script, and pharmacies complete their own due diligence in filling a script under their own license—so Medmate isn’t responsible for much of the script fulfilment pathway. Again, while legally correct, the perception by media and the general public is likely to be less favourable.

While transferring risk to 3rd parties is a viable strategy, it doesn’t obviate all (real and perceived) risk exposure for Medmate; Medmate must continue to recognise this fact and manage its risk appropriately without falling into the trap of thinking “that’s their problem”--even if a contract enforces that.

RSK23 - Lack of comprehensive and implemented 3rd Party Risk Management Program

Recommendations: REC12, REC13, REC15, REC18

In any case, it’s clear that Medmate understands their business brings about inherent risk. It’s why the Clinical Governance Team provides oversight, why Medmate holds additional insurances over and above those provided by doctors, and why they conduct penetration testing on their software and infrastructure.

Medmate does adequately treat most obvious risks, but it doesn’t have a structured program for identifying and managing risks directly, namely those that are less obvious. This is reasonably typical for a business of Medmate’s scale, but its need is multiplied given the sensitive nature of the business and to protect Healthylife’s interests.
