Our practice is committed to best practice in relation to the management of information we collect. This practice has developed a policy to protect patient privacy in compliance with the Privacy Act 1988 (Cth) (‘the Privacy Act’). Our policy is to inform you of:
- the kinds of information that we collect and hold, which, as a medical practice, is likely to be ‘health information’ for the purposes of the Privacy Act;
- how we collect and hold personal information;
- the purposes for which we collect, hold, use and disclose personal information;
- how you may access your personal information and seek the correction of that information;
- how you may complain about a breach of the Australian Privacy Principles and how we will deal with such a complaint;
- whether we are likely to disclose personal information to overseas recipients;
[Note: APP entities such as medical practices are required to inform patients whether or not they are likely to disclose personal information to overseas recipients]
What kinds of personal information do we collect?
The type of information we may collect and hold includes:
- Your name, address, date of birth, email and contact details
- Medicare number, DVA number and other government identifiers, although we will not use these for the purposes of identifying you in our practice
- Other health information about you, including:
- Notes of your symptoms or diagnosis and the treatment given to you.
- Your specialist reports and test results.
- Your appointment and billing details.
- Your prescriptions and other pharmaceutical purchases.
- Your dental records.
- Your genetic information.
- Your healthcare identifier.
- Any other information about your race, sexuality or religion, when collected by a health service provider.
How do we collect and hold personal information?
We will generally collect personal information:
- From you directly when you provide your details to us. This might be via a face to face discussion, telephone conversation, registration form or online form.
- From a person responsible for you.
- From third parties where the Privacy Act or other law allows it - this may include, but is not limited to: other members of your treating team, diagnostic centres, specialists, hospitals, the My Health Record system, electronic prescription services, Medicare, your health insurer, the Pharmaceutical Benefits Scheme.
Why do we collect, hold, use and disclose personal information?
In general, we collect, hold, use and disclose your personal information for the following purposes:
- To provide health services to you.
- To communicate with you in relation to the health service being provided to you.
- To comply with our legal obligations, including, but not limited to, mandatory notification of communicable diseases or mandatory reporting under applicable child protection legislation.
- To help us manage our accounts and administrative services, including billing, arrangements with health funds, pursuing unpaid accounts, management of our ITC systems.
- For consultations with other doctors and allied health professional involved in your healthcare.
- To obtain, analyse and discuss test results from diagnostic and pathology laboratories.
- For identification and insurance claiming.
[Note: If your practice uses the My Health Record system]
- If you have a My Health Record, to upload your personal information to, and download your personal information from, the My Health Record system.
[Note: If your practice uses an electronic transfer of prescriptions service - you will need to specify if your practice participates in this service]
- Information can also be disclosed through an electronic transfer of prescriptions service.
- To liaise with your health fund, government and regulatory bodies such as Medicare, the Department of Veteran's Affairs and the Office of the Australian Information Commissioner (OAIC) (if you make a privacy complaint to the OAIC), as necessary.
How can you access and correct your personal information?
[Note: If a fee is charged for providing access, you will need to advise patients of the cost in advance].
You have a right to seek access to, and correction of the personal information which we hold about you.
For details on how to access and correct your health record, please contact our practice as noted below under ‘Contact Details’:
[Note: See below under ‘Contact Details’]
We will normally respond to your request within 30 days.
How do we hold your personal information?
Our staff are trained and required to respect and protect your privacy. We take reasonable steps to protect information held from misuse and loss and from unauthorised access, modification or disclosure. This includes:
[Note: you should provide some detail about how you hold your patients’ health information. You need to provide information on the most relevant security measures you have in place. Without jeopardising security, your policy should describe some of the security processes that the practice applies – for example strong password protections applied; access to personal information restricted on a ‘need to know’ basis’, paper files kept in locked cabinets etc. Some examples might also include:
- Holding your information on an encrypted database.
- Holding your information in secure cloud storage (you can explain whether this information is encrypted or what other security measures are taken with third party storage).
- Holding your information in a lockable cabinet.
- Our staff sign confidentiality agreements.
- Our practice has document retention and destruction policies.]
Privacy related questions and complaints
If you have any questions about privacy-related issues or wish to complain about a breach of the Australian Privacy Principles or the handling of your personal information by us, you may lodge your complaint in writing to (see below for details). We will normally respond to your request within 30 days.
If you are dissatisfied with our response, you may refer the matter to the OAIC:
Anonymity and pseudonyms
The Privacy Act provides that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with our practice, except in certain circumstances, such as where it is impracticable for us to deal with you if you have not identified yourself.
We have determined that it is largely impracticable for our practice to deal with patients anonymously or via a pseudonym. The provision of medical services is likely to be impacted, and billing via Medicare or a health insurer where applicable is likely to be impracticable.
Therefore, we require that you use your name and not a pseudonym.
[Note: If personal information is likely to be disclosed to overseas recipients, the countries in which such recipients are likely to be located must also be specified if it is practicable to do so. If you will not be disclosing information overseas or it is unlikely that you will do so, your policy should note this. If you do intend to do so, you must make a clear statement such as the one below:]
We may disclose your personal information to the following overseas recipients:
- Any practice or individual who assists us in providing services (such as where you have come from overseas and had your health record transferred from overseas or have treatment continuing from an overseas provider).
[Note: in this case, it is likely that you will have the patient’s permission for the disclosure, but it is best to check that the terms of the permission you have cover this eventuality.]
- Overseas transcription services.
[Note: if you use a transcription service, you should insert what is being transcribed, such as your clinical notes, etc.]
- Overseas based cloud storage.
[Note: you need to be aware that privacy and cloud-based storage services can be a complex issue. For example, if you use an overseas based cloud-storage service provider but the information is encrypted to the point where the cloud service provider cannot access it, but merely stores it, then it is likely that the practice will be considered to be holding and using that personal information and not disclosing it to the cloud service provider. However, if the cloud service provider can access and collect the information, this is likely to be an overseas ‘disclosure’ on the part of the practice. If in doubt, it is best to consider the use of cloud-based storage services as a ‘disclosure’. For more information, see: https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information]
- Anyone else to whom you authorise us to disclose it.
Updates to this Policy
This Policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and other necessary developments. Updates will be publicised on the practice's website.
[Note: If your practice does not have an online presence or if you have many patients who do not have internet access you may consider the following sentence instead - "A notification of the updates to the policy will be displayed at our reception desk".]
Privacy and websites
See our Privacy page.
Contact details for privacy related issues
[Note: insert name, telephone number and postal address of nominated privacy contact officer here.]