- Access to Personal Information Policy
- Summary of Australian Privacy Principles (APPs) – Health service providers
Orthopaedic Associates Melbourne takes your privacy seriously. Privacy protection and confidentiality of health information is essential for quality health care and we are committed to protecting the privacy and confidentiality of the information we handle about you.
This policy explains:
- how we collect, store, use and disclose your personal information;
- how you may access your personal information;
- how we protect the quality and security of your personal information;
- how you may seek correction of any personal information we hold; and
- how you may make a complaint about our handling of your personal information.
In addition to our professional and ethical obligations, at a minimum, our practice handles your personal information in accordance with federal and state privacy law. This includes complying with the federal Australian Privacy Principles (APPs) forming part of the Privacy Act 1998 (Cth) and the Victorian Health Privacy Principles (HPPs) forming part of the Health Records Act 2001 (Vic).
More information about the APPs and HPPs can be found on the Australian Information Commissioner’s website www.oaic.gov.au or in hard copy on request from our practice reception.
Collection of information
The practice collects and holds personal information about you so that we may properly assess, diagnose, treat and be proactive in your health care needs.
The type of personal information we collect may include:
- personal details (name, address, date of birth, Medicare number);
- your medical history;
- notes made during the course of a medical consultation;
- details of surgical procedures;
- images or photos such as pictures taken during surgery;
- referral to other health services providers;
- results and reports received from other health service providers; and
- credit card or direct debit information for billing purposes.
Wherever practicable we will collect this information from you personally – either at the practice, over the phone, via written correspondence or via internet if you transact with us online.
In some instances we may need to collect information about you from other sources such as referring doctors, treating specialists, pathology, radiology, hospitals or other health care providers.
In an emergency, we may collect information from your immediate family, friends or carers.
Use and disclosure
Your personal information will only be used or disclosed for purposes directly related to providing you with quality health care, or in ways you would reasonably expect us to use it in order to provide you with this service.
This includes use or disclosure:
- to the professional team directly involved in you health care, including treating doctors, pathology services, radiology services and other specialists outside this medical practice. For example, this may occur through referral to other doctors when requesting medical tests or in the report or result returned to us following the referrals;
- to your health insurance fund, Medicare or other organisations responsible for the financial aspects of your care;
- where required by law, for example, pursuant to a subpoena;
- to insurers or lawyers for the defence of a medical claim; and/or
- to assist with training and education of other health care professionals.
We aim to ensure the information we hold about you is accurate, complete, up to date and relevant. To this end our staff may ask you to confirm that your personal details are correct when you attend a consultation. Please let us know if any of the information we hold about you is incorrect or not up to date.
Our practice takes all reasonable steps to protect the security of the personal information we hold, by:
- securing our premises;
- using passwords on all electronic systems and databases and varying access levels to protect electronic information from unauthorised interference, access, modification or disclosure; and
- storing hard copy records in secure filing cabinets or rooms that are accessible only to practice staff.
Access to your personal information
Under law you have a right to access personal information we hold about you. Please contact our practice manager for more information on our Access to Medical Records Policy.
We ask that you put your request in writing. A fee for the retrieval and copying of your medical record will apply, charged in accordance with the schedule of fees specified in the Health Records Regulations 2008 (Vic), plus GST. This fee is not redeemable through Medicare.
Amendment of your personal information
If you consider the information we hold about you is not correct, please contact the practice in writing. You have the right to have any incorrect information corrected.
What happens if you choose to withhold your personal information?
You are not obliged to give us your personal information. However, if you choose not to provide the practice with the personal details requested, it may limit our ability to provide you with full service. We encourage you to discuss your concerns with our reception staff prior to your first consultation or with your doctor.
What about use of personal information for direct marketing?
Australian privacy law limits the use of personal information for direct marketing of goods and services. We do not use your personal information for direct marketing.
What should I do if I have a privacy complaint?
If you have a complaint regarding the way your personal information has been handled by our practice, please put it in writing and address it to the practice manager. We will acknowledge receipt of your complaint within 14 days, and endeavor to provide a full response within 30 days of receipt.
Should you be dissatisfied with our response, you may lodge your written complaint with the Victorian Privacy Commissioner at https://www.privacy.vic.gov.auand/or the Victorian Health Services Commissioner at http://www.health.vic.gov.au.
Access to Personal Information Policy
Under the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic), you have a legal right to access the personal information Orthopaedics Associates Melbourne (practice) holds about you (such as your medical record), subject to some exceptions.
The practice is entitled to charge an appropriate fee, determined in accordance with the Health Records Regulations 2002 (Vic), plus GST, to cover the administrative costs of this service. Our reception will advise you of the applicable fee, which is not redeemable under Medicare or private health insurance.
How do I request access to my personal information?
Patients who wish to access or obtain a copy of their personal information should put their request in writing using the attached Request to Access Personal Information Form, and submit the form to our Practice reception. All requests will be acknowledged in writing within 14 days of receipt of the request.
Ordinarily, access to the requested information will be provided within 30 days.
How will access be provided?
Access may be provided by:
- inspecting your medical record (or a print out of your record) at the practice.; and/or
- providing a copy of the requested information in person or via secure email or post (additional fees for postage may apply); or
- providing an accurate summary of the information, instead of a copy, if you and the doctor agree that a summary is appropriate.
We recommend that you make an appointment with your doctor to view your medical record together, so the doctor can assist you to understand and interpret the material contained within it. A consultation fee will apply in addition to the administration fee, plus GST. The fee is not redeemable via Medicare or private health insurance.
Can I amend my medical record?
You will not be permitted to remove any contents of your medical record from the practice. Should you wish to amend or delete any personal information, you will need to fill out a separate written request using the Request to Amend Medical Record Form available from reception.
When will access to my medical record be refused?
Access to your personal information may be legitimately withheld in certain situations, including (among others):
- where access would pose a serious threat to the life, health or safety of any individual or the public;
- where access would cause unreasonable impact on the privacy of other individuals;
- where the request is frivolous or vexatious; or
- where the information is privileged as a result of actual or anticipated legal proceedings.
If access to your personal information is refused, the practice will provide you with written reasons for the refusal. You will not be charged an access fee in this instance. If access is refused, you are welcome to contact the practice to discuss means by which access may be facilitated.
If you have any queries regarding the above policy, please contact the practice manager who will be happy to discuss these with you.
Summary of Australian privacy principles (apps) – Health service providers
APP 1 Open and transparent management of personal information
APP 2 Anonymity and pseudonymity
Individuals must have the option of not identifying themselves, or using a pseudonym, unless impracticable or unlawful.
APP 3 Collection of solicited information
Sensitive information (including health information) must only be collected:
- with consent from the individual (or authorised guardian); and
- where reasonably necessary for the functions and activities of the practice (that is, the provision of health services).
Information should only be collected from the patient unless it is impracticable to do so.
Example: Information about a patient’s family member is collected while taking a history. This is acceptable if the information is reasonably necessary to treat the patient.
APP 4 Dealing with unsolicited information
Where an entity receives personal information it did not solicit, it must determine whether the information could have been collected under APP 3. If not, the information must be de-‐identified or destroyed.
APP 5 Notification of collection of personal information
Individuals must be made aware of the nature of the personal information the practice collects. This includes information on:
- accessing and amending medical records;
- how to make a complaint;
- whether information will be used for direct marketing or disclosed to overseas recipients.
The practice’s privacy and patient consent documents should cover these points.
APP 6 Use and disclosure of personal information
Information collected by the practice must only be used for a primary purpose or a secondary purpose directly related to the primary purpose, and only where the patient has provided consent to the use or disclosure.
A ‘primary purpose’ is the reason the information was collected (for example, for the provision of health care).
A ‘secondary purpose’ is a purpose ancillary but closely related to the primary purpose. For example, using patient details for billing purposes, or disclosing patient details to a specialist for referral.
Disclosure may also be required by law, including where there is a:
- warrant from police to access medical records;
- subpoena to produce document or give evidence;
- obligation of mandatory notification of child abuse or notifiable disease.
Use or disclosure for a secondary purpose is also lawful in ‘permitted general situations’, without consent of the patient. These most relevant of these include:
- where necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public and it is unreasonable/impracticable to obtain the patient’s consent. The threat need not be ‘imminent’ but it must be ‘serious’;
- in instances of suspected or actual unlawful activity or serious misconduct that relates to the practice’s functions and use or disclosure is necessary to take appropriate action;
- to locate a missing person – if the practice has a reasonable belief that the use or disclosure of personal information is reasonably necessary to locate a missing person. Example: Medical records indicate a 17 year old male who has been reported missing was proposing to travel interstate to meet a girl he met on facebook;
- to defend or establish a legal or equitable claim;
- to lawyers or insurers in response to complaints or claims;
- for confidential mediation/ADR processes – practices have the right to use or disclose patient information during a confidential alternative dispute resolution process such as mediation.
There are 3 ‘permitted health situations’ where a practice can use or disclose health or genetic information for a ‘secondary purpose’. These are:
- research – if relevant to public health or safety and it is impracticable to obtain a patient’s consent. The research must be conducted in accordance with research guidelines and the practice must reasonably believe that the information will not be further disclosed by the recipient
- prevention of a serious threat to the life, safety or health of a genetic relative. Example: A female daughter may request access to her mother and grandmother’s medical records to determine the nature of their disease.
- responsible person/guardian – where a patient is either physically or mentally incapable of giving consent, a practice may disclose information to a responsible person or guardian where the disclosure is necessary to provide appropriate care or treatment to the patient or for ‘compassionate reasons’. The disclosure must not be contrary to the wishes of the patient and limited to the extent necessary for care or compassion.
APP 7 Direct marketing
The practice must not use personal information for direct marketing unless the individual has given specific consent for this to occur.
Direct marketing involves the use of personal information to communicate with an individual to promote goods and services.
Example: Sending patients an SMS offering discounted services at the practice is direct marketing and not permitted.
Direct marketing is permitted where an individual would have a reasonable expectation that this would occur and they can easily ‘opt out’.
APP 8 Cross border disclosure of personal information
If the practice is going to send personal information overseas, it must take reasonable steps to ensure the overseas recipient will not breach the APPs. There are exceptions where the overseas recipient has a similar enforceable law in place or the patient has consented after being expressly informed that information will be sent overseas.
Example: Having a contract with an overseas cloud service provider that requires compliance with APPs.
APP 9 Use of government identifiers
The practice must not adopt, use of disclose a government related identifier unless:
- the adoption, use or disclosure is required or authorised by law
- it is reasonably necessary to verify the identify of the individual.
- It is reasonably necessary to fulfil the obligations to a Commonwealth agency or state or territory authority;
- the practice believes it is reasonably necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public;
- the practice reasonably believes use or disclosure is necessary to take action in relation to suspected unlawful activity or misconduct of a serious nature
- the practice reasonably believes use or disclosure is necessary for enforcement related activities of an enforcement body.
A government related identifier includes a Medicare number, Centerlink reference number, driver’s licence or passport number.
Example: The practice is not permitted to use Medicare numbers as the basis for patient identification. However, a practice can view and record Medicare numbers to verify the identification of a patient and for billing purposes.
APP 10 Quality of personal information
Practices must take reasonable steps to ensure the personal information it collects uses or discloses is accurate, up to date complete and relevant.
APP 11 Security of personal information
Practices must take reasonable steps to protect the personal information it holds from misuse, interference, loss, unauthorised access, modification or disclosure.
Example: Practices should issue staff with passwords to access patient databases that are changed on a regular basis, and store hard copy files in lockable filing cabinets or rooms, accessible only to authorised practice staff.
APP 12 Access to personal information
The practice must, on request, provide a patient with access to their personal information within a reasonable time, unless an exception applies (see APP 6 above).
The practice is entitled to charge a ‘reasonable’ fee for access under the Privacy Act 1988 (Cth).
The Victorian Health Records Act 2001 (Vic) sets specified fees for access to medical records. Further information on these fees can be obtained from AMA Victoria.
Any refusal must be accompanied by written reasons and information on how the patient may lodge a complaint.
APP 13 Correction of personal information
A practice must take reasonable steps to ensure the personal information it holds is up to date, accurate, complete, relevant and not misleading. There is a positive obligation on practices to correct information where it is wrong.
The practice must acknowledge a request for an amendment to their medical records, within a reasonable time. No charge can be made for the practice making the requested changes.
Example: Reception staff should confirm the contact details of the patient are up to date when they present for an appointment.
Health Records Act 2008 (VIC) obligations
In addition to the obligations imposed by the APPs under the Privacy Act 1988 (Cth), the Health Records Act 2008 (Vic) imposes 11 Health Privacy Principles (HPPs) which apply specifically to the collection, use, disclosure and handling of health information in Victoria.
The HPPs are substantially the same as the APPs and so it is not required to set them out separately. There are, however, two added obligations imposed by the HPPs that are not included in the APPs. These are:
- HPP 10 – a practice must provide a patient with information about their medical record if the practice is transferred, sold or closed.
- HPP 11 – a practice is required to transfer a patient’s health information to another health service provider upon request from the patient.