Introduction and Purpose
To ensure patients who receive care from Redlynch Village Medical Centre are comfortable in entrusting their health information to the Practice. This policy provides information to patients as to how their personal information (which includes their health information) is collected and used within Redlynch Village Medical Centre, and the circumstances in which we may disclose it to third parties.
RACGP Compliance indicators for the Australian Privacy Principles: and addendum to the computer and information security standards (Second edition).
Background and rationale
The Australian Privacy Principles (APP) provide a privacy protection framework that supports the rights and obligations of collecting, holding, using, accessing and correcting personal information. The APP consists of 13 principle-based laws and apply equally to paper-based and digital environments. The APP complements the long-standing general practice obligation to manage personal information in a regulated, open and transparent manner.
This policy will guide Redlynch Village Medical Centre staff in meeting these legal obligations. It also details to patients how Redlynch Village Medical Centre uses their personal information. The policy must be made available to patients upon request.
Redlynch Village Medical Centre will:
- Provide a copy of this policy upon request
- Ensure staff comply with the APP and deal appropriately with inquiries or concerns
- Take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APP and deal with inquiries or complaints
- Collect personal information for the primary purpose of managing a patient’s healthcare and for financial claims and payments.
Redlynch Village Medical Centre Staff will take reasonable steps to ensure patients understand:
- What information has been and is being collected
- Why the information is being collected, and whether this is due to a legal requirement
- How the information will be used or disclosed
- Why and when their consent is necessary
- Redlynch Village Square Medical Centre’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy.
Redlynch Village Medical Centre will only interpret and apply a patients’ consent for the primary purpose for which it was provided. When a patient registers, they provide consent for our GP’s and practice staff to access and use their personal information so they can provide the best possible healthcare. Redlynch Village Medical Centre staff must seek additional consent from the patient if the personal information collected may be used for any other purpose.
Collection of information
Redlynch Village Medical Centre will need to collect, use, hold and share personal information as a provision of clinical services to a patient at the practice. Collected personal information will include patients’:
- Names, date of birth, addresses and contact details
- Medicare number, DVA, Pension or Healthcare Card number (where available) for identification and claiming purposes
- Healthcare identifiers and health fund details
- Medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors, any treatment you may have already received
- Ethnic background, your profession, occupation or job duties
A patient’s personal information may be held at Redlynch Village Medical Centre in various forms:
- As paper records
- As electronic records
- As visual – x-ray, CT scans, videos and photos
- As audio recordings.
Redlynch Village Medical Centre’s procedure for collecting personal information is set out below.
1. Redlynch Village Medical Centre staff collect patients’ personal and demographic information via registration when patients present to the Practice for the first time. Patients are encouraged to pay attention to the collection statement attached to/within the form and information about the management of collected information and patient privacy.
2. During the course of providing medical services, Redlynch Village Medical Centre’s healthcare practitioners will consequently collect further personal information.
3. Redlynch Village Medical Centre may also collect personal information when patients visit our website, send us an email or SMS, telephone us, make an online appointment or communicate with us using social media.
4. The Practice participates in the Personally Controlled Electronic Health Record System (PECHR). This record is designed to contain an electronic summary of your key health information. It is the patient’s choice to register for and control their eHealth record. The patient’s Individual Health Identifier is stored in the patient’s electronic record.
5. Personal information may also be collected from other sources, when practical and necessary. This may include information from:
- the patients’ guardian or responsible person,
- other involved healthcare specialists, allied health professionals, hospitals, community health services and pathology/diagnostic imaging services,
- the patients’ health fund, Medicare or the Department of Veteran’s Affairs (as necessary)
Redlynch Village Medical Centre holds all personal information securely, whether in electronic format, in protected information systems or in hard copy format in a secured environment.
Use and Disclosure of Information
Personal information will only be used for the purpose of providing medical services and for directly related business activities, such as financial claims and payments, practice audits and accreditation, and business processes (eg staff training). Some disclosure may occur to third parties engaged by or for Redlynch Village Medical Centre business purposes, such as accreditation or for the provision of information technology. These third parties are required to comply with APPs and this policy.
Redlynch Village Medical Centre will inform the patient where there is a statutory requirement to disclose certain personal information (for example, some diseases require mandatory notification).
Redlynch Village Medical Centre will not disclose personal information to any third party other than in the course of providing medical services, without full disclosure to the patient or the recipient, the reason for the information transfer and full consent from the patient. Redlynch Village Medical Centre will not disclose personal information to anyone outside Australia without need and without patient consent.
Exceptions to disclose without patient consent are where the information is:
- Required by law
- Other health care providers
- Necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
- To assist in locating a missing person
- To establish, exercise or defend an equitable claim
- For the purpose of a confidential dispute resolution process
- When there is a statutory requirement to share certain personal information (eg some diseases require mandatory notification or family /domestic violence)
- During the course of providing medical services, through Electronic Transfer of Prescriptions (eTP), MyHealth Record/PCEHR system (eg via Shared Health Summary, Event Summary), eReferrals, Smart Referrals to hospitals, specialists and allied health, and any Department of Health or PHN initiative software
- With consent to your employer, prospective employer, their authorized representative or insurer in case of work related consultations and services
Redlynch Village Medical Centre will not use any personal information in relation to direct marketing to a patient without that patients’ express consent. Patients may opt-out of direct marketing at any time by notifying Redlynch Village Medical Centre in a letter or email.
Redlynch Village Medical Centre evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.
Dealing with us anonymously
You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.
Access and Corrections to your personal information at our Practice
You have the right to request access and correction of your personal information. Redlynch Village Medical Centre acknowledges patients may request access to their medical records. We require you to put this request in writing whether that be in person at the Practice’s front counter, directly to their GP, by email (must be signed), or in the regular mail. Our Practice will respond within a reasonable time e.g. usually within 30 days.
Redlynch Village Medical Centre will take reasonable steps to correct personal information where it is satisfied they are not accurate or up to date. From time to time, we will ask you to verify your personal information held by our Practice is correct and up-to-date. You may also request that we correct or update your information, and you should make such requests in writing addressed to the Practice Manager, Redlynch Village Medical Centre, Shop 5 & 6, 2-4 Redlynch Intake Road, Redlynch Qld 4870, or by email: email@example.com
How can you lodge a privacy related complaint, and how will the complaint be handled at our Practice?
We take complaints and concerns about the privacy of patients’ personal information seriously. Patients should express any privacy concerns in writing. We will attempt to resolve any complaint in accordance with our complaint resolution procedure.
Contact details of our Practice are as follows – Redlynch Village Medical Centre, Shop 5 & 6, 2-4 Redlynch Intake Road, Redlynch, Qld 4870. Email: firstname.lastname@example.org
We endeavour to turn around requests within 30 days.
Should the practice become aware of a data breach, we will notify the individual whose personal information has been breached. This will provide a reasonable step in the protection of this information against misuse, loss or unauthorised access. As a practice we will explain what has gone wrong and what has been done to try to avoid a repeat situation, as well as what has been done to remedy any potential harm. We will help patients regain control of information e.g. change passwords and request re-issue of identifiers. We will endeavour to regain public trust. We take the protection of your personal information seriously. Our data breach response includes notifying the patient. Serious breaches will involve notifying the OAIC and relevant 3rd parties. If a patient believes there has been a breach of the Australian Privacy Principles (APP) in the first instance they should make the practice aware. If the patient is not satisfied with the Practice response they can lodge a complaint with the OAIC (Office of the Australian Information Commissioner).
Australian Privacy Commissioner
Privacy hotline 1300 363 992
GPO Box 5218
Sydney NSW 2001
Members of the public may make a notification to Australian Health Practitioner Regulation Agency (AHPRA) http://www.ahpra.gov.au about the conduct, health or performance of a practitioner or the health of a student. Practitioners, employers and education providers are all mandated by law to report notifiable, conduct relating to a registered practitioner or student of AHPRA.
Policy Review Statement