This policy exists to ensure that patients who receive care from the Practice are comfortable entrusting their health information to the Practice. It sets out how patients' personal information (which includes their health information) is collected and used within the Practice, and the circumstances in which we may disclose it to third parties.
Related standards: RACGP Compliance indicators for the Australian Privacy Principles: an addendum to the computer and information security standards (Second edition).
Background and rationale
The APP provides a privacy protection framework that supports the rights and obligations of collecting, holding, using, accessing and correcting personal information. The APP consists of 13 principle-based laws and applies equally to paper-based and digital environments. The APP complements the long-standing general practice obligation to manage personal information in a regulated, open and transparent manner. This policy will guide Practice staff in meeting these legal obligations. It also details to patients how the Practice uses their personal information. The policy must be made available to patients upon request and/or via the Practice's website.
The Practice will:
- provide a copy of this policy upon request
- ensure staff comply with the APP and deal appropriately with inquiries or concerns
- take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APP and deal with inquiries or complaints
- collect personal information for the primary purpose of managing a patient’s healthcare and for financial claims and payments
The Practice’s staff will take reasonable steps to ensure patients understand:
- What information has been and is being collected
- Why the information is being collected, and whether this is due to a legal requirement
- How the information will be used or disclosed
- Why and when their consent is necessary
- The Practice’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy.
The Practice will only interpret and apply a patient’s consent for the primary purpose for which it was provided. The Practice staff must seek additional consent from the patient if the personal information collected may be used for any other purpose.
Collection of information
The Practice will need to collect personal information in the course of providing clinical services to a patient at the Practice. Collected personal information will include patients':
- Names, addresses and contact details
- Medicare number (where available, for identification and claiming purposes)
- Healthcare identifiers
- Medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors.
A patient’s personal information may be held at the Practice in various forms, such as:
- Paper records
- Electronic records
- Visual – x-rays, CT scans, videos and photos
- Audio recordings
All information is stored in a secure environment, and access to electronic records is restricted to staff and protected by passwords.
The Practice’s procedure for collecting personal information is set out below:
- Practice staff collect patients' personal and demographic information via registration when patients present to the Practice for the first time. Patients are encouraged to read the collection statement attached to, or within, the registration form, together with the information about the management of collected information and patient privacy.
- During the course of providing medical services, the Practice's healthcare practitioners will collect further personal information.
- Personal information may also be collected from the patient’s guardian or responsible person (where practicable and necessary), from other involved healthcare specialists, allied health professionals, hospitals, community health services, and pathology & diagnostic imaging services.
- We may also collect your personal information when you visit our website, send us an email or SMS, telephone us, make an online appointment or update your personal information through our self-check-in kiosk.
- We may also collect personal information from your health fund, Medicare, or the Department of Veterans' Affairs (as necessary).
The Practice holds all personal information securely, whether in electronic format, in protected information systems or in hard copy format in a secure environment.
Who do we share your personal information with?
Use and disclosure of information
Personal information will only be used or disclosed:
- for the purpose of providing medical services and for claims and payments, unless otherwise consented to
- to third parties engaged by or for the Practice for business purposes, such as accreditation, eHealth records (such as My Health Record) and the provision of information technology (Medical Director); these third parties are required to comply with the APPs and this policy
- to other healthcare providers
- when it is required or authorised by law (e.g. court subpoenas)
We will make all reasonable efforts to ensure the security and privacy of your information. These third parties are required to comply with this policy.
The Practice will inform the patient where there is a statutory requirement to disclose certain personal information (for example, some diseases require mandatory notification).
The Practice will not disclose personal information to any third party other than in the course of providing medical services, without first informing the patient of the recipient and the reason for the information transfer, and obtaining the patient's full consent. The Practice will not disclose personal information to anyone outside Australia unless it is necessary to do so and the patient has consented.
The Practice may disclose personal information without patient consent only where the disclosure is:
- Required by law
- Necessary to lessen or prevent a serious threat to a patient's life, health or safety, or to public health or safety, and it is impractical to obtain the patient's consent
- To assist in locating a missing person
- To establish, exercise or defend an equitable claim
- For the purpose of a confidential dispute resolution process.
The Practice will not use any personal information in relation to direct marketing to a patient without that patient’s express consent.
Patients may opt out of direct marketing at any time by notifying the Practice in a letter or email. The Practice evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.
Access, corrections and privacy concerns
The Practice acknowledges that patients may request access to their medical records. Patients are encouraged to make this request in writing or via email (email@example.com), and the Practice will respond within a reasonable time, usually within 30 days. The Practice will take reasonable steps to correct personal information where it is satisfied that the information is not accurate or up to date. From time to time, the Practice will ask patients to verify that the personal information held by the Practice is correct and up to date, either through Reception staff or via our self-check-in kiosk. Patients may also request that the Practice correct or update their information; such requests should be made in writing.
How to lodge a privacy-related complaint
The Practice takes complaints and concerns about the privacy of patients' personal information seriously. Patients should express any privacy concerns in writing or via email to firstname.lastname@example.org. Complaints may also be communicated by phone (3550 5000) to the Practice Principal, or by mail to PO Box 815, Aspley 4034.
The Practice will then attempt to resolve the complaint in accordance with its complaint resolution procedure. You may also contact the OAIC. Generally, the OAIC will require you to give the Practice time to respond before it will investigate. For further information visit www.oaic.gov.au or call the OAIC on 1300 336 002.
References
- Compliance indicators for the Australian Privacy Principles: an addendum to the computer and information security standards (Second edition)
- RACGP Computer and information security standards (CISS) and templates (2013)
- The RACGP Privacy handbook and patient pamphlet