Privacy Policy

Privacy Policy and Procedures

Background

In compliance with the Privacy Amendment (Private sector) Act 2000, M3 Health has prepared this Privacy Policy to describe the way and circumstances under which personal
information is collected, stored, used and disclosed by the Practice. The policy is intended as a guide to general practitioners, practice staff and for the advice of the broader community.
The policy is a public document and access to it will be granted on request. Personal information means information or an opinion (including information or an opinion
forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. (p 57 guidelines on Privacy in the Private Health Sector, office of the Federal Privacy Commissioner).

Our statement of commitment:
The doctor and staff of this practice are committed to giving you – our valued patient, quality care and service.
All staff are trained in the appropriate handling of personal information by this practice.
We protect your privacy and treat all patient information including health and financial details as private and confidential.
We have developed and documented a privacy policy according to current privacy laws.*
Doctors and staff of this practice abide by this privacy policy and understand that a policy
breach is grounds for dismissal.

Our Privacy Policy states:

• What our primary purpose is?
• What type of personal information we collect?
• Purpose of collection?
• How information is collected and stored?
• How information is used, protected and disclosed?
• Do we inform patients of the intended use of their information?
• Is the data we collect accurate, up to date and complete?
• How do we protect data from misuse, loss and unauthorized access?
• How to access your personal information?
• How you can make a complaint about a possible privacy breach?

• Commonwealth Privacy Act – Privacy Amendment (Private sector) Act 2000

1. Our primary purpose
   Our primary purpose is to provide comprehensive, co-ordinated and continuing whole person medical care for individuals, families and the wide community to the very best of our ability.
2. Type of personal information collected by the practice
   Patient identifying details including date of birth, address, telephone, emergency contacts, marital status, employer details, Medicare Number, Health Insurance details, ethnicity,
   allergies & other sensitivities, past & current medical history, social history, medical procedures, diagnostic tests, results, referrals, reports from other health service providers,
   radiology films and reports, pathology test results, progress notes, financial details related to billing, medications, immunisations, work cover examinations – dates, amounts, related to this data. Where possible information is collected directly from the patient.
3. Purpose of collection
   To gain sufficient information to provide for holistic ongoing management of the patient’s health, care and well-being and to ensure practice viability in continuing to treat patients. How information is collected and stored Paper, electronic – patient registration form, accounts form, Medicare, Health Insurance claim form, Referral letter, medical record forms as per Rolls Printing/RACGP medical records. Medication scripts written manually & via computer (Best Practice software), Immunisation forms – ACIR, Pap Smear Registry forms, S8 Drugs – internal booklet used paper form to denote usage, sterilisation register (paper), doctor’s letters/referrals on computer or paper. Medical records stored electronically on computer; also old records prior to Jan 1999 stored in paper records. Data accessed only on authorisation of authorised GPs and staff.
   Computers have password access with paper medical records stored in restricted filing area. Staff who access files have signed privacy agreements. Practice Manager and Reception staff require access to accounts, demographic records and from time to time actual medical records. GPs are also aware of privacy restrictions and access issues and use passwords for computer access.
4. How information is used, protected and disclosed For maintaining current information about patients, updating demographics; accounts – payment, invoicing, follow-up; recall & reminder system, actioning report results, adding to medical record for comprehensive data – results, operation reports, emergency department
   visits, after hours & home consultations, telephone notes.
   For primary purpose and related secondary purpose: Specialists, Practice Manager, and Reception staff.
   Account details will only be provided to gain payment from insurance/Medicare office. No additional unnecessary data will be given. Pathology/Radiology, other medical, dental
   specialists, and allied health service providers included here. Transfer of files – This Practice will obtain a written request from the patient. GP will
   maintain a copy of the completed patient request form. Provide clear details of the form of release of the patient file.
   If research is being conducted, then each patient provides informed consent for his/her personal health information to be released. Patient has right to access own personal health information under privacy legislation with noted exceptions. See our policy and NPP6 Access & Correction.
   Under certain legislation we must disclose patient information e.g. Infectious Diseases Act – Health (Infectious Diseases) Regulations, Adoption Act.
   Records must be disclosed under court orders, subpoenas, search warrants and Coroner’s Court cases.
5. Do we inform patients of the intended use of their information?
   If the identified information is to be used for a secondary or unrelated purpose, such as data analysis or research, patient informed consent may be obtained;
   Individuals will be given the opportunity to refuse such use or disclosure. If an individual is physically or legally incapable of providing consent, a responsible person
   (as described under the Act) may do so. We will only disclose personal information without consent where such disclosure is required by law, or for law enforcement, or in the interests of the individual’s or the public’s health and safety.
   Information may be disclosed to a responsible person (as described under the Act).
   We will keep records of any such use and disclosure.
6. Do we obtain a patient’s consent?
   Personal information for disclosure to a third party will only be provided with the patient’s informed consent, or where you expect such disclosure, or where we are legally required or authorised to do so.
7. Is the data we collect accurate, up to date and complete?
   This Practice will take reasonable steps to ensure that personal information kept, used or disclosed by the Practice is accurate, complete, and as up to date as practicable.
8. How do we protect data from misuse, loss and unauthorised access?
   This Practice will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access modification or disclosure.
   All personal information held by this Practice will be:
   – if in paper form, received and stored in a secure, restricted location;
   – if in electronic form, password and firewall protected;
   – accessible by staff only on a “need to know” basis;
   – Not taken from the Practice unless authorised and for a specified purpose.
   We will destroy or permanently de-identify personal information that is no longer required by the Practice.
9. How to access your personal information
   10.1) Under normal circumstances this Practice will provide an individual with access to their personal information within 45 days of receiving a request for access.
   10.2) There will be no fee associated with lodging a request for access, however, a small but reasonable administration fee may be charged.
   10.3) Provision of access to a person’s personal information will be undertaken in a way that is appropriate to the person’s particular circumstances, eg use of interpreters
   etc.
   10.4) If an individual believes that information held by the Practice is inaccurate or incomplete, the Practice will take steps to amend or correct the information.
   10.5) The Practice may refuse access if it reasonably believes that:
   10.5.1) A person’s health, safety or wellbeing may be compromised by releasing the information; or
   10.5.2) Providing access would be unlawful or would prejudice a legal investigation.
   10.6) Under circumstances other than 10.5.1 and 10.5.2 where information is withheld, the Practice will ensure that its practices are consistent with the provisions of NPP 6.
   If information is withheld under 10.5.1, the Practice will provide an explanation to the individual as to the reasons why this was the case.Our practice only uses the required demographic information on our referral letters
10. Do we inform patients of the intended use of their information?
    11.1) Any complaints in relation to this Practice’s handling of personal information should be directed to the Practice Manager. In most cases the complainant will be asked to
    lodge their complaint in writing.
    11.2) Unless a complaint can be dealt with immediately to the satisfaction of both parties, the Practice will provide a written response to the complaint within 30 days of its
    being received.
    11.3) If an individual believes their complaint has not been appropriately handled by the Practice, they should contact the Office of the Federal Privacy Commissioner, Privacy
    Hotline 1300 363 992 (local call charge) or via www.privacy.gov.au
11. How the practice uses document automation technologies, particularly so that only the relevant medical information is included in referral letters? Our practice only uses the required demographic information on our referral letters.