Privacy Policy

Gladstone Street Medical Clinic Privacy Policy (Updated August 2020, Review August 2021)

Gladstone Street Medical Clinic (“GSMC” or “Our Practice”) is committed to ensuring your personal information is professionally managed in accordance with all Australian Privacy Principles (APPs). This privacy policy is to provide information to you, our patient, on how your personal information (which includes your health information) is collected and used at our practice. This Privacy Policy is available at, in our waiting room and a hard copy will be provided upon request.

APP1 – Open and Transparent Management of Personal Information

Our principal concern is patient health. To ensure our patients can feel confident with providing their personal information, a high level of trust and confidentiality is constantly maintained. Our established culture of confidentiality is in accordance with the Federal Privacy Act 1988. All staff, doctors, nurses and allied health professionals at GSMC treat patient information given to them either directly or indirectly, formally or informally, as strictly and absolutely confidential. Only practice staff who need to see your personal information will have access to it. All practice staff and contractors have signed a Confidentiality Agreement as part of their employment at our practice.

APP2 – Anonymity and Pseudonymity

We recognise that, on occasion, patients wish for their consultations to be anonymous and choose to use a pseudonym. You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so, or unless we are requested or authorized by law to only deal with identified individuals. However, if standard identifiers are not used, we will be unable to bulk bill (if the patient is eligible) and a Medicare rebate would not be available if a private patient.
This would also be the case with any other allied health care services, such as pathology or imaging that we refer you to under your choice of anonymity or pseudonymity. In terms of recalls or important results or reminders for recommended testing, e.g. cervical screening, a system would be in place to ensure that all information is managed as per our current policies and procedures.

APP3 – Collection of Solicited Personal Information

If information is required to assist in your medical management, and you are unable to provide this information, we will seek your consent prior to seeking to obtain this information from other sources, which may include (but are not limited to):

• Your guardian or responsible person.
• Other involved healthcare providers such as specialists, allied health professionals.
• Hospitals, community health services and pathology and diagnostic imaging services.
• Your Private Health Fund, Medicare or DVA.

We will only collect sensitive information that is deemed reasonably necessary. We will only collect information by lawful and fair means. If we collect personal information for an individual, GSMC must ensure that the individual is aware that we have collected this information and the circumstances of that collection, why we collect that information and the consequences for the patient if we don’t collect it.

APP4 – Dealing with Unsolicited Personal Information

GSMC will lawfully and reasonably destroy, or ensure the de-identification, within a reasonable period of time personal information that we have not sought to collect.

APP5 – Notification of the Collection of Personal Information

Each new patient to the practice is asked to complete a Registration and Consent form, at which time they are also provided with a copy of our Practice Information sheet and advised that they can request to see a full Privacy Policy.
Personal information collected via your registration form includes (but is not limited to):

• The patient’s name, birthdate, address, telephone number(s), email
• Next of kin/emergency contacts
• Medicare Number
• Pension/DVA Number
• Aboriginal or Torres Strait Islander identification
• Current Drugs/Medication or treatment used by patient
• Current and Previous medical history, including where clinically relevant, family medical history
• The Name of any health service provider or medical specialist to whom the patient is referred
• Copies of any letter of referrals and any investigation reports relating to the patient.

Our practice collects your personal information in an on-going manner in person (via reception or in consultations), via telephone, by email, SMS, social media, by online or hard copy forms and other relevant means.

Information is also collected about the medical and allied health practitioners who provide services within our practice. This information includes:

• Their Name
• Address
• Telephone number
• Qualifications and experience
• Insurance information

Website Privacy and Social Media

GSMC does not record identifiable information from visits to our website at GSMC uses a Facebook page to broadcast messages to our patients/community. Commenters on Facebook posts should be aware their personal information/comments are public, will be viewed by GSMC, are viewable by third parties, may be used for Facebook’s own marketing, etc. GSMC will not be held responsible for Facebook’s terms of use, collection of information, use of information, viewing and uses by third parties. In general, GSMC will not engage in conversations via Facebook and comments will be deleted once reviewed and actioned.

APP6 - How we use and disclose personal information

The primary purpose for which GSMC collects personal information is to provide general practice services to diagnose and treat patients.
In direct relation to this primary purpose, we will also use information you provide for:

• appointment confirmation messages
• sending reminders, recalls, results and health promotions via SMS, emails, telephone, mail or mobile app.

For each patient, we have an individual patient health electronic record containing all clinical information held by our practice relating to that patient. When your treating doctor is unavailable, your patient health record is available to be accessed and shared with another GSMC practitioner who can provide care for you.

We also use personal information for directly related secondary purposes such as billings and payments, practice audits, accreditation and other normal business processes.

With Whom GSMC May Share Your Personal Information and When

Only those people that need to access your personal information will be able to do so. Other than in the course of providing medical services or as otherwise described in this policy, GSMC will not share personal information with any third party without your consent. We may share information with:

• Other healthcare providers for the purpose of which the patient was advised and to provide the patient with the best health treatment. Patients referred to another health service provider will be aware that their personal health information will be included in their referral letter/request, given to that service provider for the normal course of ongoing patient care and management.
• Third parties who work with our practice for business purposes such as software/IT solution providers and accreditation agencies.
• Statutory requirement to lawfully share certain personal information, such as mandatory notification of certain diseases
• Court subpoenas required or authorised by law
• When necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
• During the course of providing medical services through Electronic Transfer of Prescriptions (eTP), or My Health Record system
• Visiting Medical Students, with patient consent, may access patient files to present patient case histories to teaching GPs. All Medical Students sign confidentiality agreements.
• There are instances where patient information is requested by another health service provider, such as the Emergency Department of a Hospital – where the patient is being seen and they request a copy of the patient’s health summary. We provide this to them to assist in patient care and management and document this action in your file.

Research

From time to time, GSMC participates in research projects via institutions that have security and ethics approvals in place. De-identified data is provided via secure means and patient confidentiality is always maintained. If identified data is required for the research, our practice ensures:

• The patient provides explicit and documented written consent
• The patient received a written and verbal explanation about the research
• The patient can withdraw their consent at any time
• The project is approved by a relevant Human Research Ethics Committee (HREC) established under the National Health and Medical Research Council guidelines
• Privacy laws are followed.

APP7 - Direct Marketing

Direct marketing messages may be sent to you via HotDoc Appointment Management Software. Our practice will not use your personal information for marketing any of our goods or services directly to you without your express consent (provided via the New Patient Registration Form).
If you do consent, you may opt-out of direct marketing at any time by notifying our practice in writing or by telephone. Other than what is stated in this policy we will not sell, distribute or disclose any personal information to any third party.

APP8 – Cross-Border Disclosure of Personal Information

With your consent, your information may be disclosed to an overseas recipient. We will only disclose information to overseas recipients who have highly secure information systems, who will handle an individual’s personal information in accordance with the Australian Privacy Principles and will only use the information for the purpose for which it was disclosed. GSMC will strive to obtain your consent before disclosing any information to any third party unless required by law or if there is a serious threat to the health or safety of an individual or to public health and safety.

APP9 – Adoption, Use or Disclosure of Government Related Identifiers

We do not adopt, use or disclose government related identifiers of an individual unless permitted by an Australian law or court/tribunal order.

APP10 – Quality of Personal Information

We endeavour to ensure that the personal information that we collect is accurate, up-to-date and complete. Please speak to Reception to update personal information.

APP11 – Security of Personal Information

In our practice, to ensure the maintenance of privacy and security, health records are stored on the computer. GSMC works together with a medical IT specialist to keep your health record as secure and protected as possible. Computer screens are positioned so that individuals cannot see information about other individuals. Access to computerised patient information is strictly controlled with passwords and personal logins, automatic screen savers and computer terminals are logged off when the computer is left unattended for a significant period of time so that unauthorised persons are unable to access information.
How Long is Your Personal Information Kept?

Health information is kept for a minimum of 7 years for adults from the last occasion in which health service was provided to the patient. If the person is under the age of 18 then records must be kept until the person has attained 25 years of age. Both active and inactive patient health records are kept and stored securely.

APP12 – Access to Personal Information

Patients have the right to access their own personal health information under the Federal Privacy Act 1988 and the APP (Australian Privacy Principles), with noted exceptions.

Requests for access to personal information must be in writing and signed by the patient. They may be addressed to the Practice Manager, Michael Sterling, PO BOX 385 Warragul, VIC 3820. To discuss a request, please call Ph 5622 0444. The request is to be scanned into the patient’s file and must include all details. A request for access will be processed within 30 days. All records are retained in the computer records, and only a copy will be sent. The Practice retains the right to charge a fee for the transfer of records. Practices are advised to contact their insurers if they have any concerns about third party request for transfer of patient health information.

Release of information is an issue between the patient and the doctor. Information will only be released according to privacy laws and at the doctor's discretion. Requested records are reviewed by the medical practitioner prior to their release and written authorisation is obtained. Exemptions to access must be noted.

We respect an individual's privacy and allow access to information via personal viewing in a secure private area. Each patient or legally nominated representative must have their identification checked prior to access being granted. The patient may take notes of the content of their record or may be given a photocopy of the requested information. A GP may explain the contents of the record to the patient if required.
As a patient will not have unsupervised access to the computer, a staff member must be present at all times to access the documents for the patient, when required.

If a patient feels that the information in their file is incorrect, this matter will be dealt with on a case-by-case basis. The patient would be requested to provide in writing reasoning as to what information needs to be corrected and evidence as to why. Then an appointment would be made for the GP to discuss this matter with the patient.

Access to your health record may be denied. Reasons for denied access will be given to the patient or third party in writing. In some cases, refusal of access may be in part or full. You may be charged administration, photocopying or other fees to reasonably cover our costs in fulfilling your request.

Transfer of Health Records

Situations in which health records may need to be transferred from GSMC include:

• A patient requests records to be sent to another practice
• Legal reasons e.g. subpoena
• Where health records are requested from another source (consent will be gained as/if required)

APP13 – Correction of Personal Information

You have the right to correct personal information that we hold about you. We take reasonable steps to correct personal information to ensure that our information is accurate, up-to-date, complete, relevant and not misleading. Where there is a disagreement about whether the information is indeed correct, our practice attaches a statement to the original record outlining the patient's claims.

If you wish to correct your personal information, we request this in writing, addressed to the Practice Manager, Michael Sterling, PO BOX 385 Warragul VIC 3820. To discuss further, please call Ph 5622 0444. A request for correction will be processed within 30 days.

OTHER IMPORTANT INFORMATION

WHO IS RESPONSIBLE?
Our practice has a designated person, Mr Michael Sterling, Practice Manager, with primary responsibility for the practice’s electronic systems, computer security and adherence to protocols as outlined in our Computer Information Security Policy. This responsibility is documented in the Position Description. Tasks may be delegated to others and this person works in consultation with the privacy officer.

Our security policies and procedures regarding the confidentiality of patient health records and information are documented and our Practice team are informed about these at induction and when updates or changes occur. The practice team can describe how we correctly identify our patients using 3 patient identifiers: name and date of birth, address or gender to ascertain we have the correct patient record before entering or actioning anything from that record.

DATA BREACH

Should the practice become aware of a data breach, we will notify the individual whose personal information has been breached. This will provide a reasonable step in the protection of this information against misuse, loss or unauthorised access. As a practice we will explain what has gone wrong and what has been done to try to avoid a repeat situation, as well as what has been done to remedy any potential harm. We will help patients regain control of information e.g., change passwords and request re-issue of identifiers. We will endeavour to regain public trust.

We take the protection of your personal information seriously. Our data breach response includes notifying the patient. Serious breaches will involve notifying the OAIC and relevant 3rd parties. If a patient believes there has been a breach of the Australian Privacy Principles (APP), in the first instance they should make the practice aware.
If the patient is not satisfied with GSMC’s response he or she can lodge a complaint with the OAIC (Office of the Australian Information Commissioner): Phone - 1300 363 992, Address - GPO Box 5218, SYDNEY NSW 2001.

COMPLAINTS

GSMC treats all complaints seriously. We will acknowledge receipt of complaint, maintain a register of complaints and resultant actions, discuss issues within the complaint and solve the problem if we are able. If no resolution can be made, details of appropriate tribunals for the complainant to contact will be given to the complainant to take the issue further. We will give you information about how you can lodge a privacy-related complaint and how it will be handled at our practice.

If you have any concerns about your privacy, or wish to make a complaint about a privacy breach, contact our Practice Manager, Michael Sterling, Ph (03) 5622 0444. You should provide us with sufficient details regarding your complaint together with any supporting information. We will take steps to investigate the issue and will notify you in writing of the outcome within 30 days from the receipt date of original written complaint.

If you are not satisfied with our response, you can contact us directly to discuss your further concerns, or:

The Victorian Health Services Commissioner is able to receive and resolve complaints about the disclosure of health information and access to health information. Health Services Commissioner:

The National Privacy Commissioner is able to receive complaints concerning privacy issues. Complainants will receive a response within 28 days. National Privacy Commissioner: Privacy hotline: 1300 363 992.

POLICY REVIEW

This privacy policy will be reviewed annually, or earlier when legislation is changed or updated, to ensure it is in accordance with current legislation and regulations. We will notify our patients of these changes via our website and our handout hard copy Privacy Policy available at our practice premises.