In this policy we use a number of terms, contained within the Privacy Act, which are explained here:
‘Personal information’ this is ‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’. Essentially, personal information is any information or an opinion that identifies a person (notably there is no definition of person and it is unclear whether the Act applies to deceased or only living persons).
‘Sensitive information’ is a type of personal information that is given extra protection and must be treated with additional care. It includes any information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record. It also includes health information and biometric information.
‘Health information’ is a subset of sensitive information. It is any information or opinion about the health or disability of an individual, the individual’s expressed wishes about the future provision of health services and a health service provided, currently or in the future, to an individual that is also personal information. Health information also includes personal information collected in the course of providing a health service.
A ‘record’ includes a ‘document’ or an ‘electronic or other device’ where there is writing, anything from which sounds, images or writings can be reproduced.
The Clinic will ensure each of the following:
- That this policy is available, free of charge, to any individual where requested;
- That our staff are aware of our obligations under the APP’s;
- That our staff comply with the AAP obligations through the implementation of the appropriate systems, processes and procedures;
- That our staff appropriately respond to questions or inquiries regarding information collected by us;
- That we collect information only for the primary purpose of managing the individual’s healthcare requirements, including the management of financial claims and payments associated with those health care services.
Our staff are responsible for ensuring that each individual is aware of the following:
- The information that has been collected or is to be collected and why;
- How that information will be used and disclosed;
- When the individuals consent will be needed and why;
- How the individual can access and have their information corrected;
- How the individual can make a complaint; and
- When requested provide you with a copy of this policy
When collecting information the Clinic will seek a client’s consent to do so, and if necessary it may seek their consent should they wish to use the information for a purpose other than that contained in the original consent process.
What kinds of personal information does the Clinic collect and hold? How does the Clinic collect it?
The type of information the Clinic collects and holds includes (but is not limited to) personal information, including health and other sensitive information, about:
the client whether collected before, during and after the course of treatment provided to, or received by them, at the Clinic; a client’s name, address and contact details, their Medicare number or some other number or code that helps in identifying the client or claiming payments (e.g. the clients health insurance number); a specific health care identifier such as a medical record number; the client’s medical history, including medical information, allergies, medications, immunisations, social history, family history, risk factors and previous incidents or adverse events. The Clinic evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.
Personal information the client provides
The Clinic will generally collect personal information, whether in a paper based or electronic form, held about an individual by way of the following:
- forms filled out by the client, or if appropriate their parents or care givers,
- face-to-face consultations, emails and telephone calls.
- personal information provided, on occasions, by people other than the client, their parent or care giver.
- paper based records, electronic records or even images such as X-rays, scans, photos of the client or videos. In some cases even an audio recording may contain information about the client.
Personal Information provided by other people
In some circumstances the Clinic may be provided with personal information about an individual from a third party, for example a report provided by a medical professional or a reference from another clinic.
The Procedure for collecting information at the Clinic:
When a client arrives at the clinic, whether for the first or subsequent visits the staff will collect or confirm a patients’ personal and demographic information. Clients who attend for the first time are encouraged to read the collection statement within the form and where necessary ask questions about the management of collected information and patient privacy.
When the client is being provided a service by the Clinic, the healthcare practitioners will collect further personal information during the consultation.
Personal information may also be collected from the patient’s guardian or responsible person (where practicable and necessary), or from any other healthcare practitioner that has been involved in the patient’s care.
The Clinic will then store all personal information securely, whether in electronic or paper based format, in protected information systems or in hard copy format in a secured environment.
How will the Clinic use the personal information you provide?
The personal information the Client provides will only be used for the purpose of providing health care services and for claims and payments, unless otherwise consented to by the patient.
The Clinic may disclose personal information to other health care professionals where we request services for you such as x-rays, pathology tests etc. or where we ask them to provide you with a health care service, such as specialist opinion.
On occasions the Clinic is required by the law to disclose certain personal information about a patient, such as the notification of certain diseases, and in such a circumstance the Clinic will discuss this with the Client.
The Clinic may disclose personal information to parties we engage for business related purposes. This might include assessing us for accreditation, or providing information technology services. These parties are required to comply with this policy.
The Clinic does not disclose information to any individual or group outside of Australia unless consent to do so has been provided by the Client.
In general terms the Clinic will not disclose personal information to any third party other than in the course of providing medical services, without first providing you with the reason for the information being transferred and having received your consent to do so.
There are however, times where the Clinic is permitted to disclose information about an individual without their consent, including where the information is:
- required by law
- necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
- to assist in locating a missing person
- to establish, exercise or defend an equitable claim
- for the purpose of a confidential dispute resolution process.
Management and security of personal information
The Clinic’s staff are required to respect the confidentiality of patient’s personal information and the privacy of individuals.
The Clinic has in place steps to protect the personal information the Clinic holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records.
The Clinic will not use any personal information in relation to direct marketing to a patient without that patient’s express consent. Patients may opt-out of direct marketing at any time by notifying the Practice in a letter or email.
Access and correction of personal information
An individual has the right to obtain access to any personal information which the Clinic holds about them and to advise the Clinic of any perceived inaccuracy.
There are some exceptions to these rights set out in the applicable legislation.
The Clinic will take reasonable steps to correct personal information where it is satisfied they are not accurate or up to date. From time to time, the Clinic will ask patients to verify the personal information held by the Practice is correct and up to date. Patients may also request the Practice to correct or update their information, and patients should make such requests in writing.
To make a request to access or update any personal information the Clinic holds about you please contact the Practice Manager in writing at the address printed at the end of this policy. The Clinic will respond within a reasonable timeframe. The Clinic may require you to verify your identity and specify what information you require. The Clinic may charge a fee to cover the cost of verifying your application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the Clinic will advise the likely cost in advance. If we cannot provide you with access to that information, we will provide you with written notice explaining the reasons for refusal.
When making a request to access your personal information held by the Clinic you should be aware that there will be occasions when access to this information is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the Clinic’s duty of care to you as our client.
Enquiries and complaints
If you would like further information about the way the Clinic manages the personal information it holds, or wish to complain that you believe that the Clinic has breached the Australian Privacy Principles please make a written complaint to the Practice Manager at the address printed at the end of this policy. The Clinic will investigate every complaint and will respond within a reasonable time. If appropriate, you may receive updates during the investigation. If you are not satisfied with the response that you have received from the Clinic, you may wish to discuss the matter with the Office of the Australian Information Commissioner by telephoning 1300 363 992 or sending an email to firstname.lastname@example.org.
Goulburn Medical Clinic
6-8 McKell Place
GOULBURN NSW 2580
PH: 02 4823 0200