Current as of June 2020
Sinnamon Park Medical Centre (‘the/our practice’) takes pride in delivering a personalised and friendly experience to each patient. In doing so, we respect your privacy and are committed, and legally obligated, to complying with the Australian Privacy Principles (APPs) in the Privacy Act 1988.
The purposes of this policy are to ensure you, our patient, are comfortable in entrusting your health information to the practice and also to provide information as to how your personal information (which includes your health information) is collected and used within our practice and the circumstances in which we may disclose it to third parties.
The APPs provide a privacy protection framework that supports the rights and obligations of collecting, holding, using, accessing and correcting personal information. The APPs consist of 13 principle-based laws and apply equally to paper-based and digital environments. The APPs complement the long-standing general practice obligation to manage personal information in a regulated, open and transparent manner.
This policy guides practice staff in meeting these legal obligations. It also details how our practice uses your personal information. The policy will be made available to you upon request.
Why and when your consent is necessary
When you register as a patient of our practice, you provide consent for our GPs and practice staff to access and use your personal information so they can provide you with the best possible healthcare and the highest level of quality customer service.
Only staff who need to see your personal information to perform their duties will have access to it. Our practice will use your consent only for the primary purpose for which it was provided. If we need to use your information for any other purpose, we will seek additional consent from you to do this.
Why do we collect, use, hold and share your personal information?
Our practice will need to collect your personal information to provide healthcare services to you. Our main purpose for collecting, using, holding and sharing your personal information is to manage your health. We also use it for:
- directly related business activities, such as administrative and billing purposes, financial claims and payments, practice audits and accreditation, quality improvement activities and business processes (e.g. staff training), and information technology support
- direct marketing purposes (with your express consent; you may notify us at any time that you wish to opt out)
- complying with any legislative or regulatory requirements
- advising you if our practice will be closing down, merging or relocating
- informing you if you have entered and won a competition
- responding to enquiries, complaints and compliments you have made
What personal information do we collect?
The information we will collect about you includes:
- Names, date of birth, addresses and contact details
- Medicare number (where available) (for identification and claiming purposes)
- Healthcare identifiers (for accessing My Health Record)
- Occupation and employer
- Lifestyle and hobbies
- Bank and credit card details
- Medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors
- Details of products you have purchased
- Any information that you provide to us directly in person, through our website, email, written letters and phone conversations
Dealing with us anonymously
You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.
How do we collect your personal information?
Our practice will collect your personal information:
- When you make your first appointment
- During the course of providing medical services, we may collect further personal information.
- When you visit our website, send us an email or SMS, send us an enquiry via our website, speak with us on the telephone, make an online appointment, enter a competition or communicate with us using social media.
- In some circumstances from other sources, often because it is not practical or reasonable to collect it from you directly. This may include information from:
  - your guardian or responsible person
  - other involved healthcare providers, such as other GPs, specialists, allied health professionals, hospitals, community health services and pathology and diagnostic imaging services
The method in which we collect this information may include:
- discussions with you
- completion of forms
- access to and contact with third party non-government services (e.g. Electronic Transfer of Prescriptions [eTP], private health insurers, solicitors, lawyers, workers compensation companies)
- access to and contact with third party government services/agencies (e.g. My Health Record/PCEHR, Medicare, Department of Veteran Affairs)
Who do we share your personal information with?
We sometimes share your personal information:
- with third parties who work with our practice for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with the APPs and this policy
- with other healthcare providers
- with Primary Health Networks
- when it is required or authorised by law (e.g. court subpoenas)
- when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain your consent
- to assist in locating a missing person
- to establish, exercise or defend an equitable claim
- for the purpose of a confidential dispute resolution process
- when there is a statutory requirement to share certain personal information (e.g. some diseases require mandatory notification) – we will inform you where this is applicable
- during the course of providing medical services, through Electronic Transfer of Prescriptions (eTP), My Health Record (e.g. via Shared Health Summary, Event Summary) – only people that need to access your information will be able to do so
To assist with improving health services in our local area, our practice, like others around Australia, participates in quality improvement activities in conjunction with the Department of Health Primary Health Network. This involves the sharing of de-identified health data via a secure encrypted method in accordance with privacy legislation and confidentiality agreements. The data shared does not include any information that would allow you to be identified. If you wish to opt out of having your de-identified data sent for this purpose, please speak to reception.
We will not disclose your personal information to any third party other than in the circumstances outlined in this policy, without full disclosure to you and your consent. Any third parties we engage are bound by the same privacy legislation (APPs and the Privacy Act 1988).
We will not disclose personal information to anyone outside Australia (except under exceptional circumstances that are permitted by law) without need and without your consent.
How do we store and protect your personal information?
Your personal information may be held at our Practice in various forms:
- as paper records, including x-rays, CT scans and photos
- as electronic records, including videos and photos
- as audio recordings
We store all personal information securely. Because of the sensitive nature of the information collected by us to provide our services, extra precautions are taken to ensure the security of that information and its appropriate destruction when no longer required. We monitor and implement appropriate technical advances and management processes to safeguard your personal information.
Our electronic patient records are password-protected on several levels, and the computer backup records are stored offsite. We require all our employees and contractors to observe obligations of confidentiality in the course of their employment/contract. We require independent contractors to sign a confidentiality undertaking.
How can you access, correct and update your personal information at our practice?
You have the right to access and correct your personal information.
We acknowledge patients may request access to their medical records. We require you to put this request in writing on the form “SPMC Patient Request for Personal Health Information” available from reception. We will respond as soon as practicable, and in any case within 30 days.
You may request your information be transferred to another medical practice by completing the “SPMC Request for Transfer of Medical Records” form.
You may request your information be released to another doctor, hospital or third party by completing the appropriate Authority to Release Medical Information form.
A fee may apply to cover administration costs depending on the size of the information requested and the method of delivery required.
Our practice will take reasonable steps to correct your personal information where the information is not accurate or up to date. From time to time, we will ask you to verify that the personal information held by us is correct and up to date.
You may also request that we correct or update your information:
- In person (preferable)
- By phone
- In writing to the contact details listed below
In all cases, staff will confirm your identity using three identifiers (e.g. full name, date of birth, address, phone number, HPI-I) before updating your information.
Only the person listed as primary contact on a patient’s medical file may request to update information. Unfortunately, we cannot update information for other patients, including family members, where you are not listed as their primary contact. This also applies to patients under the age of 18 whose doctor has determined they are mature enough to make decisions regarding the use and disclosure of their personal health information (“mature minor”). We understand this can be frustrating and inconvenient at times; however, the privacy of our patients is our top priority.
If you believe that the primary contact we have recorded on a patient’s chart is not appropriate or correct, please advise reception or your doctor and we will investigate the matter further.
How can you lodge a privacy related complaint, and how will the complaint be handled at our practice?
We take complaints and concerns regarding privacy very seriously. You should express any privacy concerns you may have in writing to the contact details below.
Alternatively, you may express your concerns to the Practice Manager via phone or in person.
We will acknowledge your concern or complaint within 3 working days and aim to have it fully investigated within 30 working days of the date it was received.
While we hope that we will be able to resolve any complaint you may have without needing to involve third parties, you may also wish to contact the relevant regulators, such as the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au; 1300 363 992), or the Office of the Information Commissioner in Queensland (07 3234 7373 or 1800 642 753).
Privacy and our website
Our website may contain links to other websites of interest. Please be aware that we do not have control over the privacy practices of other sites. When you click the link to other websites, we advise you exercise caution and read the privacy statement applicable to the website in question.
Enquiries sent via the “Send an email” tool on our website are encrypted to maintain your privacy.
General emails sent to and from our practice are not encrypted and we cannot guarantee confidentiality of information sent using this method. All attachments sent via email from our practice that contain personal information are encrypted and password protected, unless you provide specific consent on each occasion to do otherwise.
Encryption and password protection help to reduce the risk of your personal information being compromised. We do not encourage the use of email to correspond with our practice or doctors.
Our staff will take reasonable steps to ensure you understand:
- what information has been and is being collected
- why the information is being collected, and whether this is due to a legal requirement
- how the information will be used or disclosed
- why and when your consent is necessary
- our procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy.
The Practice Manager
Sinnamon Park Medical Centre
5/58 Oldfield Road
Sinnamon Park, QLD 4078
(07) 3279 0444
Related resources and standards
Compliance indicators for the Australian Privacy Principles: An addendum to the computer and information security standards (Second edition)
RACGP Computer and information security standards (CISS) and templates (2013) www.racgp.org.au/your-practice/e-health/protecting-information/ciss/
The RACGP Privacy handbook & patient pamphlet