Purpose and Context
- The medical practice is committed to ensuring the privacy and confidentiality of all personal information associated with the medical practice’s business undertakings.
- The medical practice follows the terms and conditions of privacy and confidentiality in accordance with the Australian Privacy Principles (APPs) as per Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), forming part of the Privacy Act 1988 (‘the Act’).
- This Policy will guide the Practice staff in meeting these legal obligations. It also details to patients how the Practice uses their personal information. The policy must be made available to patients upon request.
- The point of contact for any queries regarding this policy is the Practice Manager, who can be emailed at firstname.lastname@example.org.
The Practice will:
- Provide a copy of this policy upon request
- Ensure staff comply with the APP and deal appropriately with inquiries or concerns
- Take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APP and deal with inquiries or complaints
- Collect personal information for the primary purpose of managing a patient’s healthcare and for financial claims and payments
The Practice’s staff will take reasonable steps to ensure patients understand:
- What information has been and is being collected
- Why the information is being collected, and whether this is due to a legal requirement
- How the information will be used or disclosed
- Why and when their consent is necessary
- The Practice’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy
The Practice will only interpret and apply a patient’s consent for the primary purpose for which it was provided. The Practice staff must seek additional consent from the patient if the personal information collected may be used for any other purpose.
Why and when your consent is necessary
When you register as a Patient of our Practice, you provide consent for our GPs and Practice Staff to access and use your personal information so they can provide you with the best possible Healthcare. Only Staff who need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.
What personal information do we collect?
The information we will collect about you includes:
- Names, date of birth, addresses, contact details
- Medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors, any treatment you may have already received
- Ethnic background, your profession, occupation or job duties
- Medicare, DVA, Pension or Healthcare card number (where available) for identification and claiming purposes
- Healthcare identifiers
- Private Health Fund details.
How do we collect your personal information?
- Our practice will collect your personal information directly and in person, over the phone, by email, SMS, through your access and use of our website, or by completing our online or hard copy forms.
- Practice Staff collect patients’ personal and demographic information via registration when patients present to the Practice for the first time. Patients are encouraged to pay attention to the collection statement attached to/within the form and information about the management of collected information and patient privacy.
- During the course of providing medical services, the Practice’s Healthcare Practitioners will collect further personal information as needed.
- Personal information may also be collected from the patient’s guardian or responsible person (where practicable and necessary), or from any other involved healthcare specialist.
- The Practice participates in the Personally Controlled Electronic Health Record System (PCEHR). This record is designed to contain an electronic summary of your key health information. It is the patient’s choice to register for and control their eHealth record. The patient’s Individual Healthcare Identifier is stored in the patient’s electronic record.
In some circumstances personal information may also be collected from other sources. Often this is because it is not practical or reasonable to collect it from you directly. This may include information from:
- Your guardian or responsible person
- Other involved Healthcare Providers, such as Specialists, Allied Health Professionals, Hospitals, Community Health Services, Pathology and Diagnostic Imaging Services
- Your Health Fund, Medicare, or the Department of Veterans’ Affairs (as necessary)
- Your employer or prospective employer
- Third party bodies such as law enforcement and other government entities
The Practice holds all personal information securely, in electronic format using password-protected information systems or in hard copy format in an access-controlled environment.
What happens if we can’t collect your personal information?
If you do not provide us with the personal information described above, some or all of the following may happen:
- We may not be able to provide the requested services to you, either to the same standard or at all; or
- Your diagnosis and treatment may be inaccurate or incomplete
Why do we collect, use, hold and share your personal information?
Our Practice will need to collect your personal information to provide Healthcare services to you. Our main purpose for collecting, using, holding and sharing your personal information is to manage your Health and to provide the best possible quality of service to you. We also use it for directly related business activities, such as financial claims and payments, Practice audits and Accreditation, and business processes (e.g. Staff training). We also collect, use, hold and share your personal information:
- To update our records so that your medical records are accurate and contact details current
- To process and respond to any complaint made
- To comply with laws, rules and regulations
- For the purpose of de-identified data research and analysis with patient consent
- For inclusion in the Recall and Reminder register, and to be advised of appointment and clinical reminders (which may be made by SMS) to provide preventative care for chronic disease
- To report and provide information to third parties with patient written consent, including employers or prospective employers
- For Electronic Transfer of Prescriptions (eTP) services and eReferrals to hospitals, specialists and allied health
- To meet the obligations of notification to our medical defence organisations or insurers
Who do we share your personal information with?
Personal information will only be used for the purpose of providing medical services and for claims and payments, unless otherwise consented to. Transfer of personal information for the provision of medical services is done using an encrypted messaging system, fax or letter.
The Practice will inform the patient where there is a statutory requirement to disclose certain personal information (for example, some diseases require mandatory notification).
The Practice will not disclose personal information to any third party other than in the course of providing medical services, without full disclosure to the patient or the recipient, the reason for the information transfer and full consent from the patient.
We sometimes share your personal information:
- with third parties who work with our Practice for business purposes, such as Accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
- with other Healthcare providers
- when it is required or authorised by law (e.g. Court Subpoenas)
- when it is necessary to lessen or prevent a serious threat to a Patient’s life, health or safety or Public health or safety, or it is impractical to obtain the Patient’s consent
- to assist in locating a missing person
- to establish, exercise or defend an equitable claim
- for the purpose of a confidential dispute resolution process
- when there is a statutory requirement to share certain personal information (e.g. mandatory reporting of notifiable diseases or family / domestic violence)
- during the course of providing Medical services, through Electronic Transfer of Prescriptions (eTP), MyHealth Record / PCEHR system (e.g. via Shared Health Summary, Event Summary), eReferrals, RIVeR, and Smart Referrals to hospitals, specialists and allied health, and any Department of Health or PHN initiative software
- with consent to your employer, prospective employer, their authorised representative or insurer in case of work related consultations and services
Only people that need to access your information will be able to do so. Other than in the course of providing Medical services or as otherwise described in this Policy, our Practice will not share personal information with any third party without your consent.
We will not share your personal information with anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent.
Our Practice will not use your personal information for marketing any of our goods or services directly to you without your express consent. If you do consent, you may opt-out of direct marketing at any time by notifying our Practice in writing.
The Practice evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.
How do we store and protect your personal information?
Our Practice stores all personal information securely, whether in electronic format in protected information systems or in hard copy format in a secured environment, using a combination of safeguards including passwords, secure cabinets, and confidentiality agreements for Staff and Contractors. A patient’s personal information may be held at the Practice in the following forms:
- Paper Records
- Electronic Records
- Visual – X-Rays, CT Scans, Videos and Photos
- Audio Recordings
Privacy and our Website
"Cookies" (small text files placed on your computer when you first visit our website) are used on some parts of our website. Most browsers now recognise when a cookie is offered and permit you to refuse or accept it. If you are not sure whether your browser has this capability, you should check with the software manufacturer, your company's technology help desk or your internet service provider.
Cookies are primarily used to enhance your online experience and are not used to track the navigational habits of identified visitors, unless we obtain your permission to do so. If you visit our website to read or download information, much of the information we do collect is statistical only and is not personally identifiable.
Dealing with us anonymously
You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.
How can you access and correct your personal information at our Practice?
You have the right to request access and correction of your personal information.
Our practice acknowledges Patients may request access to their medical records. We require you to put this request in writing, whether in person at the Practice’s front counter, directly to your GP, by email (must be signed), or by regular mail. Our practice will respond within a reasonable time, usually within 30 days. Please note there may be fees associated with providing this information, which will not be excessive. Patients are not charged for making the request, only for the costs of complying with the request.
Our Practice will take reasonable steps to correct your personal information where the information is not accurate or up to date. From time to time, we will ask you to verify that the personal information held by our Practice is correct and up to date. You may also request that we correct or update your information, and you should make such requests in writing addressed to the Practice Manager, Cairns 24 Hour Medical Centre, PO Box 5924, Cairns, Qld 4870, or by email: email@example.com
How can you lodge a privacy related complaint, and how will the complaint be handled at our Practice?
We take complaints and concerns regarding privacy seriously. You should express any privacy concerns you may have in writing. We will then attempt to resolve the issue in accordance with our resolution procedure. Contact details of our Practice are as follows –
Cairns 24 Hour Medical Centre
PO Box 5924, Cairns Qld 4870
Phone – 07 4035 8000
We endeavour to turn around requests within 30 days.
Should the practice become aware of a data breach, we will notify the individual whose personal information has been breached. This will provide a reasonable step in the protection of this information against misuse, loss or unauthorised access.
As a practice we will explain what has gone wrong and what has been done to try to avoid a repeat situation, as well as what has been done to remedy any potential harm. We will help patients regain control of information e.g., change passwords and request re-issue of identifiers.
We will endeavour to regain public trust. We take the protection of your personal information seriously. Our data breach response includes notifying the patient. Serious breaches will involve notifying the OAIC and relevant third parties.
If a patient believes there has been a breach of the Australian Privacy Principles (APPs), in the first instance they should make the practice aware. If the patient is not satisfied with the Practice’s response, they can lodge a complaint with the OAIC (Office of the Australian Information Commissioner).
Phone: 1300 363 992
GPO Box 5218, SYDNEY NSW 2001
Policy Review Statement