Caulfield Family Medical Practice
Created April 2014/Revised August 2015/Revised September 2018
To ensure patients who receive care from Caulfield Family Medical Practice are comfortable in entrusting their health information to the Practice. This policy provides information to patients as to how their personal information (which includes their health information) is collected and used within the Practice, and the circumstances in which we may disclose it to third parties.
RACGP Compliance indicators for the Australian Privacy Principles (APPs)
Background and rationale
The APPs provide a privacy protection framework that supports the rights and obligations of collecting, holding, using, accessing and correcting personal information. The APPs consist of 13 principle-based laws and apply equally to paper-based and digital environments. The APPs complement the long-standing general practice obligation to manage personal information in a regulated, open and transparent manner.
This policy will guide Practice staff in meeting these legal obligations. It also details to patients how the Practice uses their personal information. This policy is a public document & access to it will be granted on request.
Any enquiries regarding this policy should be directed in the first instance to the Practice Privacy Officer:
Privacy Officer Ms Carmel Pierias
Contact Details: 263 Glen Eira Rd
Caulfield North, Vic 3161
Ph: 9528 1910
The Practice will:
- provide a copy of this policy upon request
- Provide a copy of this policy to all staff members (including new members upon commencement) & will train staff in the appropriate handling of personal information
- ensure staff comply with the APPs and deal appropriately with inquiries or concerns
- take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APP and deal with inquiries or complaints
- collect personal information for the primary purpose of managing a patient’s healthcare and for financial claims and payments.
- Ensure all staff & contractors sign confidentiality agreements
The Practice’s staff will take reasonable steps to ensure patients understand:
- what information has been and is being collected
- why the information is being collected, and whether this is due to a legal requirement
- how the information will be used or disclosed
- why and when their consent is necessary
- the Practice’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy.
The Practice will only interpret and apply a patient’s consent for the primary purpose for which it was provided. The Practice staff must seek additional consent from the patient if the personal information collected may be used for any other purpose.
Complaints Handling & Privacy Concerns
The Practice takes complaints and concerns about the privacy of patients’ personal information seriously. Patients should express any privacy concerns in writing or directly to the Privacy Officer (see Privacy Officer section of this document for details). The Practice will then attempt to resolve the matter in accordance with its complaint resolution procedure. In most cases the complainant will be asked to lodge their complaint in writing. Unless a complaint can be dealt with immediately to the satisfaction of both parties, the Practice will provide a written response to the complaint within 30 days of it being received. If an individual believes their complaint has not been appropriately handled by Caulfield Family Medical Practice, they should contact:
Health Services Commissioner Victoria
Complaints and Information
Telephone: 1300 582 113
Fax No.: (61 3) 9032 3111
Level 26 / 570 Bourke Street
Or Alternately contact:
Office of the Australian Information Commissioner
Phone:1300 363 992
Email: email@example.com Fax:+61 2 9284 9666 Post: GPO Box 5218 Sydney NSW 2001
Caulfield Family Medical Practice will take reasonable steps to ensure that personal information kept, used or disclosed by us is accurate, complete, and as up to date as practicable.
Caulfield Family Medical Practice will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
- Electronic format information is stored in a secure password protected system
- Hard copy information is stored in a secure environment
- The Practice will destroy or permanently de-identify personal information that is no longer required
- The Practice will ensure that all personal information transmitted electronically will be appropriately encrypted before transmission.
This policy will be made available to any person requesting access to it. A general statement describing our approach to privacy will be on public display at Caulfield Family Medical Practice
Making Information available to Another Health Service Provider
If an individual requests The Practice to make health information relating to them available to another health service provider, or authorises another health service provider to request health information relating to the individual available to them— The Practice will provide a copy or written summary of that health information to the other health service provider within 30 days of the request. Any health information is sent directly to the other health service provider via fax or mail, never by email.
Patients have the right to deal with the practice anonymously or under a pseudonym. Where it is lawful & practicable to do so, the Practice will allow individuals to provide information anonymously
- Any individual who chooses to access the services of the Practice anonymously will be advised of any potential consequences resulting from their decision
- The Practice will not preclude an individual from participating in the activities of the organisation because they request anonymity
Managing Patient Health Information: Collection & Storage of information
The Practice will need to collect personal information as a provision of clinical services to a patient at the practice. Collected personal information will include patients’:
- names, date of birth, addresses and contact details
- Medicare number (where available) (for identification and claiming purposes)
- healthcare identifiers / health fund details
- medical information including medical history, medications, allergies, adverse events, immunisations, relevant social history, relevant family history and risk factors.
A patient’s personal information may be held at the Practice in various forms:
- as paper records
- as electronic records
- as visual – x-rays, CT scans, videos and photos
- as audio recordings.
The Practice’s procedure for collecting personal information is set out below.
- Practice staff collect patients’ personal and demographic information via registration when patients present to the Practice for the first time. Patients are encouraged to pay attention to the collection statement attached to/within the form and information about the management of collected information, patient privacy and consent.
- During the course of providing medical services, the Practice’s healthcare practitioners will consequently collect further personal information. This practice is also registered to participate in Electronic Transfer of Prescriptions (eTP) & PCEHR systems where personal information may also be collected
- In some circumstances personal information may also be collected from other sources, including the patient’s guardian or responsible person, any other involved healthcare specialists, your healthfund, Medicare or Dept Vet Affairs. This will only occur where practicable, necessary or unable to be collected from the patient directly
- We may also collect your personal information when you make an online appointment via our secure online system
The Practice holds all personal information securely, whether in electronic format, in protected information systems or in hard copy format in a secured environment. This practice uses individual staff passwords for electronic systems & holds regularly updated confidentiality agreements for staff & contractors.
Use and disclosure of information
Personal information will only be used for the purpose of managing your health, financial claims and payments & business processes eg staff training unless otherwise consented to. Some disclosure may occur to other healthcare providers, third parties engaged by the Practice for business purposes, such as accreditation, audits or for the provision of information technology. These third parties are required to comply with APPs and this policy. .
The Practice will not disclose personal information to any third party other than in the course of providing medical services or as otherwise described in this policy, without full disclosure to the patient or the recipient, the reason for the information transfer and full consent from the patient. The Practice will not disclose personal information to anyone outside Australia without need and without patient consent.
Exceptions to disclose without patient consent are where the information is:
- required by law
- necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
- to assist in locating a missing person
- to establish, exercise or defend an equitable claim
- for the purpose of a confidential dispute resolution process.
- Where there is a statutory requirement to disclose personal information (eg. Some diseases require mandatory notification).
- During the course of providing medical services, through eTP, My Health Record (eg via Shared Health Summary)
Direct Marketing The Practice will not use any personal information in relation to direct marketing to a patient without that patient’s express consent. Patients who do consent may opt-out of direct marketing at any time by notifying the Practice in a letter or email.
The Practice evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.
Access and corrections
Patients have the right to request access to their personal information. Patients are encouraged to make this request in writing, and the Practice will respond within 30 days. No fee is charged for requesting access to personal information the Practice may hold, however a reasonable fee may be charged for processing the request.
Patients have the right to request correction of their personal information e.g. if patient believes information held by the practice is incorrect or out of date.
The Practice will take reasonable steps to correct personal information where it is satisfied the information is not accurate or up to date. From time to time, the Practice will ask patients to verify the personal information held by us is correct and up to date.
The Practice takes complaints and concerns about the privacy of patients’ personal information seriously. Patients should express any privacy concerns in writing or directly to the Privacy Officer. The Practice will then attempt to resolve it in accordance with its complaint resolution procedure.
Policy Review statement