Purpose

Our practice must comply with the Privacy Act 1988 (Cth) (Privacy Act) in dealing with any personal information. We have systems in place to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. This document provides guidance to employees so they are aware of our practice’s obligations under applicable privacy legislation and the requirements for handling any personal information they may interact with.

Personal and sensitive information

Personal information under the Privacy Act is any information or an opinion about an identified individual (or an individual who is reasonably identifiable). The Privacy Act sets out various obligations in relation to the collection, handling, storage, use or disclosure of personal information. Under the Privacy Act, additional obligations apply in relation to sensitive information, which requires a higher level of privacy protection than other personal information. Sensitive information includes any information or an opinion about an individual’s:

  • racial or ethnic origin
  • political opinions or associations
  • religious or philosophical beliefs
  • trade union membership or associations
  • sexual orientation or practices
  • criminal record
  • health or genetic information
  • some aspects of biometric information

The Practice will:

  • provide a copy of this policy upon request
  • ensure staff comply with the Australian Privacy Principles (APPs) and deal appropriately with inquiries or concerns
  • take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APPs and deal with inquiries or complaints
  • collect personal information for the primary purpose of managing a patient’s healthcare and for financial claims and payments.

The Practice’s staff will take reasonable steps to ensure patients understand:

  • what information has been and is being collected
  • why the information is being collected, and whether this is due to a legal requirement
  • how the information will be used or disclosed
  • why and when their consent is necessary
  • the Practice’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy.

Patient consent

The Practice will only interpret and apply a patient’s consent for the primary purpose for which it was provided. The Practice staff must seek additional consent from the patient if the personal information collected may be used for any other purpose.

Collection of information

The Practice will need to collect personal information as part of providing clinical services to a patient at the practice. Patient information is collected on the Patient Registration Form or via HOTDOC registration. Collected personal information will include patients’:

  • names, addresses and contact details
  • Medicare number (where available) (for identification and claiming purposes)
  • healthcare identifiers
  • medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors.

Kardinia Health may also collect your personal information when you visit our website, send us an email or SMS, telephone us, make an online appointment, or communicate with us using social media.

In some circumstances, personal information may also be collected from other sources, including:

  • Your guardian or responsible person.
  • Other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services, and pathology and diagnostic imaging services.
  • Your health fund, Medicare, or the Department of Veterans’ Affairs (if relevant).
  • While providing medical services, further personal information may be collected via:
      • electronic prescribing
      • My Health Record
      • online appointments.
  • Photos and medical images: These can be taken using personal devices for medical purposes, following the guidelines outlined in our guide on using personal devices for medical images.

A patient’s personal information may be held at the Practice in various forms:

  • paper records
  • electronic records
  • visual – x-rays, CT scans, videos and photos
  • audio recordings.

The Practice’s procedure for collecting personal information is set out below:

  1. Practice staff collect patients’ personal and demographic information via registration when patients present to the Practice for the first time. Patients are encouraged to pay attention to the collection statement attached to or within the form, and to the information about the management of collected information and patient privacy.
  2. During the course of providing medical services, the Practice’s healthcare practitioners will consequently collect further personal information.
  3. The Practice participates in the personally controlled electronic health record system (PCEHR). This record is designed to contain an electronic summary of your key health information. It is the patient’s choice to register for and control their eHealth record. The patient’s Individual Health Identifier is stored in the patient’s electronic record.
  4. The Practice holds all personal information securely, in electronic format using password-protected information systems or in hard copy format in an access-controlled environment.

Use and disclosure of information

We sometimes share your personal information:

  • with third parties for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
  • with other healthcare providers (e.g. in referral letters)
  • when it is required or authorised by law (e.g. court subpoenas)
  • when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
  • to assist in locating a missing person
  • to establish, exercise or defend an equitable claim
  • for the purpose of a confidential dispute resolution process
  • when it is a statutory requirement to share certain personal information (e.g. some diseases require mandatory notification)
  • when it is for the provision of medical services, through electronic prescribing or My Health Record (e.g. via Shared Health Summary, Event Summary).

Personal information will only be used for the purpose of providing medical services and for claims and payments, unless otherwise consented to. Transfer of personal information for the provision of medical services is done using an encrypted messaging system, fax or letter.

Some disclosure may occur to third parties engaged by or for the Practice for business purposes, such as accreditation or for the provision of information technology. These third parties are required to comply with this policy.

The Practice will inform the patient where there is a statutory requirement to disclose certain personal information (for example, some diseases require mandatory notification).

The Practice will not disclose personal information to any third party other than in the course of providing medical services, without full disclosure to the patient or the recipient, the reason for the information transfer and full consent from the patient.

The Practice will not disclose personal information to anyone outside Australia without need and without patient consent.

This Practice Participates in Primary Care Research

The initial patient information form and online registration will ask for the patient’s consent for their health records to be used in a de-identified manner for research projects approved by the Kardinia Health research committee, and in line with Australian Human Research Ethics Approval.

Any research project that requires your active participation will gain your consent via the required patient consent process for that specific trial.

Exceptions permitting disclosure without patient consent are where the information is:

  • required by law
  • necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
  • to assist in locating a missing person
  • to establish, exercise or defend an equitable claim
  • for the purpose of a confidential dispute resolution process.

The Practice will not use any personal information in relation to direct marketing to a patient without that patient’s express consent. Patients may opt-out of direct marketing at any time by notifying the Practice in a letter or email.

The Practice evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.

Artificial Intelligence software: How are document automation technologies used?

Document automation is where systems use existing data to generate electronic documents relating to medical conditions and healthcare.

The practice uses document automation technologies to create documents such as referrals, which are sent to other healthcare providers. These documents contain only your relevant medical information.

These document automation technologies are used through the secure medical software Heidi Health.

All users of the medical software have their own unique user credentials and password and can only access information that is relevant to their role in the practice team.

The practice complies with the Australian privacy legislation and APPs to protect your information.

All data, both electronic and paper, are stored and managed in accordance with the Royal Australian College of General Practitioners Privacy and managing health information guidance.

How are Artificial Intelligence (AI) Scribes used?

The practice uses an AI scribe tool to help GPs and Allied Health practitioners take notes during their consultations with you. The AI scribe uses an audio recording of your consultation to generate a clinical note for your health record. The practice AI scribe service is Heidi Health.

Heidi Health:

  • does not share information outside of Australia
  • the audio file is not recorded or stored
  • removes sensitive, personal identifying information as part of the transcription.

The practice will only use data from our digital scribe service to provide healthcare to you.

Access, corrections and privacy concerns

The Practice acknowledges patients may request access to their medical records. Patients are encouraged to make this request in writing, addressed to the attention of the Practice Manager, or by email to admin@kardiniahealth.com.au; the Practice will respond within a reasonable time.

The Practice will take reasonable steps to correct personal information where it is satisfied that the information is not accurate or up to date. From time to time, the Practice will ask patients to verify that the personal information held by the Practice is correct and up to date. Patients may also request that the Practice correct or update their information; patients should make such requests in writing, addressed to the attention of the Practice Manager, or by email to admin@kardiniahealth.com.au.

The Practice takes complaints and concerns about the privacy of patients’ personal information seriously. Patients should express any privacy concerns in writing or speak with the Practice Manager. The Practice will then attempt to resolve the matter in accordance with its complaint resolution procedure. Patients may also contact the Office of the Victorian Privacy Commissioner on 1300 666 444, www.privacy.gov.au, or the Office of the Australian Information Commissioner on 1300 363 992, www.oaic.gov.au.