MED0000996284 - This website contains imagery which is only suitable for audiences 18+. All procedures contain risks, read more here

Purpose

Our group is committed to best practice in relation to the management of information we collect. This group has developed a policy to protect patient privacy in compliance with the Privacy Act 1988 (Cth) (‘the Privacy Act’). Our policy is to inform patients and staff of:

  • the kinds of information that we collect and hold, which, as a medical practice, is likely to be ‘health information’ for the purposes of the Privacy Act;
  • how we collect and hold personal information;
  • the purposes for which we collect, hold, use and disclose personal information;
  • how patients may access their personal information and seek the correction of that information;
  • how patients may complain about a breach of the Australian Privacy Principles and how we will deal with such a complaint;
  • whether we are likely to disclose personal information to overseas recipients;

Responsibilities

All staff are responsible for reading and understanding this policy, and implementing privacy requirements accordingly. The Directors of each facility have overall responsibility for ensuring that these requirements are followed.

Procedure

The type of information we may collect and hold includes:

  • Patient's name, address, date of birth, email and contact details
  • Medicare number, DVA number and other government identifiers
  • Other health information about patients, including:
    • notes of symptoms or diagnosis and the treatment given
    • specialist reports and test results
    • appointment and billing details
    • prescriptions and other pharmaceutical purchases
    • dental records
    • genetic information
    • healthcare identifier
    • any other information about race, sexuality or religion, when collected by a health service provider.

How do we collect information?

We will generally collect personal information:

  • from patients directly when they provide their details to us. This might be via a face-to-face discussion, telephone conversation, registration form or online form
  • from a person responsible for the patient
  • from third parties where the Privacy Act or other law allows it – this may include, but is not limited to: other members of the patient’s treating team, diagnostic centres, specialists, hospitals, the My Health Record system, electronic prescription services, Medicare, your health insurer, the Pharmaceutical Benefits Scheme

Why do we collect, hold, use and disclose personal information?

In general, we collect, hold, use and disclose a patient’s personal information for the following purposes:

  • to provide health services
  • to communicate in relation to the health service being provided
  • name and contact details may be used for direct marketing purposes
  • to comply with our legal obligations, including, but not limited to, mandatory notification of communicable diseases or mandatory reporting under applicable child protection legislation.
  • to help us manage our accounts and administrative services, including billing, arrangements with health funds, pursuing unpaid accounts, management of our ITC systems
  • for consultations with other doctors and allied health professionals involved in healthcare;
  • to obtain, analyse and discuss test results from diagnostic and pathology laboratories
  • for identification and insurance claiming
  • If the patient has a My Health Record, to upload your personal information to, and download your personal information from, the My Health Record system.
  • Information can also be disclosed through an electronic transfer of prescriptions
  • To liaise with the patient’s health fund, government and regulatory bodies such as Medicare, the Department of Veterans’ Affairs and the Office of the Australian Information Commissioner (OAIC) (where patients make a privacy complaint to the OAIC), as necessary.

How can you access and correct your personal information?

Patients have a right to seek access to, and correction of the personal information which we hold about them. A formal request must be made to the Practice Manager. A fee may be charged for this process and patients will be informed of this fee upon request of their information.

For details on how to access and correct their health record, patients are directed to please contact our practices as noted below under ‘Contact Details’.

We will normally respond to requests within 30 days.

How do we hold personal information?

Our staff are trained and required to respect and protect your privacy. We take reasonable steps to protect information held from misuse and loss and from unauthorised access, modification or disclosure. This includes:

  • Holding information on an encrypted database
  • Use of password protections on electronic systems
  • Holding information in secure cloud storage
  • Holding information in an area which is restricted to clinician access only
  • Our staff sign confidentiality agreements
  • Our practice has document retention and destruction policies

Transfer or sharing of your information

We may transfer your information between facilities where necessary for the provision of health services to you. Where this is necessary, you will be required to provide your consent in writing, and you have the right to revoke consent at any time.

If the licensee of a health facility is to be transferred, the existing licensee ensures that all your records are made available and transferred to the incoming licensee. In Queensland, prior to a facility ceasing to operate as a health facility, the licensee submits details of the safe keeping of the records to the Chief Health Officer for approval.

De-identified information about you and/or your treatment may be provided to third parties without your consent where required by law, for the management, funding or monitoring of a health service (for example, de-identified patient data provided to the relevant departments of health for future health facility planning, or to health funds for payment of benefits to the health service, or for the analysis of safety and quality data for licensing, accreditation and healthcare regulation purposes).

Your information will be provided to third parties without your consent where required by law, for example for public health requirements to report infectious diseases or mandatory reporting of risks, where subpoenaed to produce information, where a warrant from law enforcement is presented to produce documents.

Privacy related questions and complaints

If patients have any questions about privacy-related issues or wish to complain about a breach of the Australian Privacy Principles or the handling of their personal information by us, they may lodge a complaint in writing to the Practice Manager at their local clinic. We will normally respond to requests within 30 days.

If patients are dissatisfied with our response, they may refer the matter to the OAIC:

Phone: 1300 363 992

Email: [email protected]

Fax: +61 2 9284 9666

Post: GPO Box 5218 Sydney NSW 2001

Website: https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint

Overseas disclosure

We will not transfer your personal information to an overseas recipient unless we have your consent or we are required to do so by law.

Notifiable data breaches

A notifiable (eligible) data breach happens when personal information is lost, or accessed or disclosed without authority. Levant CS must notify affected individuals and the OAIC when a data breach is likely to result in significant harm.

An eligible data breach occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
  • this is likely to result in serious harm to one or more individuals, and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm

An organisation or agency that suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.

When you notify us and any affected individuals, include:

  • your organisation or agency’s name and contact details
  • a description of the data breach
  • the kinds of information involved
  • recommendations about the steps individuals should take in response to the data breach

A data breach can be reported using the online form in the link below: https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=OAIC-NDB

If a notifiable data breach has occurred, the Medical Director of the affected facility, Compliance Manager and Levant CS Board must be immediately notified.

Retention period

In Queensland, medical records, whether electronic or paper-based, must be retained for at least 10 years from the date of last treatment.

In NSW, SA and the ACT for adult patients, medical records must be kept for a minimum period of 7 years from the date of the last entry. Records must be retained for patients under 18 years of age until they reach 25 years of age.

Updates to this Policy

This Policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and other necessary developments.

Contact details for privacy related issues

Please contact the Practice Manager at your local Levant CS facility:

Levant CS Head Office
10 Henrietta St
Double Bay NSW 2028
Ph: 1300 323 772
E: [email protected]

Levant CS Cosmetic Day Surgery Randwick
164 Belmore Rd
Randwick NSW 2031
Ph: 1300 323 772
E: [email protected]

Archer St Day Hospital
163 Archer St
North Adelaide SA 5006
Ph: 1300 323 772
E: [email protected]

Levant Clinic Canberra
Suite 3, Level C
1 Broula St
Bruce ACT 2617
Ph: 1300 323 772
E: [email protected]

Levant Gold Coast Day Hospital
Level 2, 127 Queen St
Southport QLD 4215
Ph: 1300 323 772
E: [email protected]

Related Documents

  • Medical records
  • Confidentiality Agreements

References

  • Privacy and Health Record Resource Handbook for Medical Practitioners in the Private Sector, AMA 2017
  • Sample Privacy Policy, AMA 2017
  • Privacy Act 1988 (Cth) and Australian Privacy Principles
  • QLD Health Private Health Facility Standards – Information management standard (version 5)
  • IPC, NSW: Fact Sheet – A guide to retention and storage of health information in NSW for private health service providers October 2025

Amendment Record

Date | Amendment made | Approved by
07/19 | Policy reformatted to new template | CA
10/20 | Added Levant CS Melbourne | CA
02/21 | Included Notifiable Data Breach information | CA
06/24 | Updated to new branding | CA
11/25 | Added section ‘Transfer or sharing of your information’ | CA
11/25 | Added retention periods, licensee transfer and ceasing of operations | CA
02/26 | Added that name and contact details may be used for direct marketing | M&M