Patients using the Medmate platform

Relationship, role, and lifecycle

Patients are the primary consumer of the Medmate system—without patient’s, the ecosystem stops. Patients are unique in that, alongside Medmate, they interact with every other actor in the ecosystem and are therefore uniquely exposed to the experience delivered by each actor. It’s a fair assessment to say patients are at the frontline when it comes to any of those actors underperforming—whether that’s a Doctor delivering poor care, a Pharmacy packing an order incorrectly, or a Delivery Partner not meeting their SLA.

Figure 14: The lifecycle of a patient in the Medmate ecosystem.

---

---

Close

In a similar fashion, Medmate’s ongoing maintenance of a patient is distinct to those other actors, in that there isn’t performance management per se. Instead, Medmate’s interests are in generating further sales from that patient, which they achieve through marketing primarily. There is an angle wherein Medmate ensures a patient’s ongoing use of the planform is appropriate (i.e. they’re not doctor shopping, for example). Some mechanisms do exist in to this end; to access Medmate’s services, an account must be made and the patient’s identity must be verified (either IHI verified via Medicare, or ID verified via relevant Government-issued ID).

Figure 15: The end-to-end process of a patient on a prescription journey within the Medmate ecosystem.

---

---

Close

Additionally, patients don’t have—and really don’t immediately require—a formal offboarding process as it currently stands. Like most comparable platforms, these accounts would just sit there until either a) a retention policy kicks in or b) the customer explicitly requests deletion.

How do patients benefit from using Medmate?

Medmate provides patients convenient access to telehealth, including repeat prescriptions, medical certificates, or express consultations—all via a phone or video call with an Australian registered doctor. This service addresses accessibility issues of primary healthcare in Australia, whether that be due to remoteness, access after-hours or the availability of one’s regular GP. Medmate explicitly positions themselves as a transient part of a patient’s healthcare; they don’t aim to replace a regular GP.

In addition to telehealth, Medmate closes the loop by also offering prescription drug access (and other pharmacy products in some cases) to be ordered online, and optionally delivered to a patient’s doorstep via a third-party delivery service. Compare this to most pharmacies in Australia which operate under a traditional bricks-and-mortar operation.

Primarily, a patient benefits using Medmate as follows:

1. Convenience & accessibility: A patient may undertake an online doctor consultation from anywhere, even outside of Australia. This eliminates the need to travel to a physical GP clinic, an Emergency Department (in very limited cases), specialist after-hours GPs, or a pharmacy which saves both time and effort. It also plugs the gap when a patient’s usual GP is unavailable due to capacity or leave.

2. Cost-effectiveness: Medmate telehealth appointments may be cheaper for patients than visiting a GP on a regular basis for repeat prescriptions.

3. Timeliness: Medmate provides a quick and convenient alternative to requesting and receiving prescription medicines. A patient may save time by not having to visit a physical GP clinic or pharmacy, instead utilising Medmate’s telehealth and prescription delivery services.

These aspects arguably also combine to improve the level of patient care available; no longer does a patient have to go without vital prescription drugs while they await an appointment with their usual GP.

How do patients get a script renewal?

Patients can request a renewal of an existing script through the Online Prescriptions pathway of the Medmate website. In this path, they enter the name of the medication (if supported), answer some questions about what the medication is treating, and then enter identity and Medicare details. The doctor will then assess the information—including a call for clarification if required—then issue the script renewal (with optional repeats) via SMS through the eRx system.

Figure 16: The simplified process of how an online prescription renewal is processed via Medmate and it's key actors.

---

---

Close

How do patients get scripts filled?

Patients with an electronic prescription token—either issued by Medmate, or from elsewhere—can choose to have that script filled wherever they see fit. There are two primary methods where this happens via Medmate:

• Uploading via Medmate’s website at medmate.com.au

• Uploading via a pharmacy’s website, which is essentially a white-labelled/integrated version of Medmate.

Both methods share the same process and backend, so no further distinction will be made here.

Upon uploading the script token, the script is validated against the eRx Script Exchange, and if is a valid script, then will be assigned to the nearest—or the selected—pharmacy for fulfilment. Medmate’s systems collect payment from the patient, and the pharmacy begins fulfilling the script as outlined in How does Medmate move data between its system and a pharmacy’s dispense systems?

Figure 9: Conceptual flow of data between the systems used in the prescription fulfilment workflow.

---

---

Close

In contrast to filling a script by walking into a pharmacy, a patient does need to provide personal information (PII) which is governed under Medmate’s Privacy Policy, and payment details online which is secured by using BYOD compliant payment gateways. This does increase the risk exposure of Medmate in collecting and storing PII of patients, but only very marginally given there is already PII collected during the script renewal process (as would be the case if they visited their usual GP), and PHI collected via telehealth.

How does Medmate manage the customer experience?

Medmate’s main management method for customer experience is their self-set SLAs regarding appointment turnaround times e.g. seeing a doctor within 60 minutes. In addition, Medmate collects and monitors customer feedback in addition to the clinical governance overlaid as discussed in How are doctors maintained, and clinically governed?

Whilst discussion on the method in which Medmate manages its customer experience is technically out of scope for this review, there are arguably elements that overlap with the prescribing pathway, and therefore present potential reputational risk for patients referred to Medmate by Healthylife. A future review of the alignment between Healthylife’s expectations of customer experience and Medmate’s current/future ability to deliver would better define the nature of this reputational risk.

How does Medmate prevent misuse of the platform by a patient?

As with any health service, patients may attempt to use the platform for nefarious reasons e.g. accessing drugs of dependence. Medmate is no different.

Medmate’s primary controls to protect against this are:

• Only scripts validated against the eRx Script Exchange can be filled via Medmate.

• Only allowing script renewals via the Online Prescriptions pathway.

• Prescriptions made elsewhere are subject to a doctor’s existing obligations to provide appropriate care.

• Integration of SafeScript alerts within the practice management software, notwithstanding a doctor’s legal obligation to check this service regardless of its integration.

• Policy against prescribing S8 or monitored S4D drugs, and ongoing manual monitoring to ensure this is upheld on the platform.

These controls are effective in treating most of the potential attack surface area. Predominantly, the risk exposure here is no different to that of a traditional doctor prescription pathway.

As doctors are effectively randomly assigned to patients—which is considered appropriate given Medmate fulfils a transient role in patient’s healthcare—there is potential for “doctor shopping” to occur. With most drugs of dependence restrict, one may question if this happens though.

To further reduce misuse and risk of harm via this mechanism, Medmate could explore treatments for:

• Abnormally-high use: if a patient is using the platform more than expected—for example, having multiple telehealth consults per month—this may be an potential marker of harm as the patient could be shopping for the answer they want. Monitoring patients who books more than a reasonable average could serve as a useful control. Further, closely monitoring the top 20 individual users could enable Medmate to identify high-risk behaviour not already captured elsewhere.

• Flagging of unusual requests: if a patient makes an unusual or suspicious request, a process to report, record and analyse these requests would also serve as a useful control to identify potential risky behaviour.

How does Medmate use patient data?

Medmate’s collection and use of patient data is clearly stepped out in their Privacy Policy made available on the website and to all patients. This is a well-structured policy, and is generally aligned with the processes and systems we saw implemented at Medmate.

As an Australian country collecting data on Australians, Medmate is subject to the Privacy Act and the Australian Privacy Principles. This sets the foundation for how Medmate can use a patient’s data.

Of key consideration for our risk analysis is the use of two categories of data:

1. Personally identifiable data: contact information, primarily

2. Private health information: data about a health condition or prescriptions etc.

It should be noted that whenever this data is used, collected and/or stored for any purpose, risk is created—and it is simply impossible to reduce this risk to zero. Given these are required for Medmate to operate, then we must accept some level of residual risk.

The use and management of PII is a reasonably standard affair; it’s used for operational reasons, and for marketing where Medmate has consent to do so. Securing access to PII is an important factor. Our high-level review leaves us comfortable with the systems managing this PII, but we must note that this is out of scope—a comprehensive data usage and cybersecurity review would answer this more thoroughly.

The use and management of PHI is inherently more risky than that of PII. Medmate does not actively use PHI for the purposes of targeting marketing material to customers but can theoretically do so under a clause in its Privacy Policy: We may disclose sensitive information to […] third parties to collect and process data, such as analytics providers and cookies. While we saw no obvious evidence of using PHI for anything other than providing care, this may become possible in future under a new program at Medmate; we encourage Healthylife to consider their role and/or control over these new programs and the additional risk exposure brought about.