Why and when your consent is necessary
When you register as a patient of our practice, you provide consent for our GPs and practice staff to access and use your personal information so they can provide you with the best possible healthcare. Only staff that need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.
Our Practice is governed by a number of state specific privacy laws. We respect your right to privacy and have a legal obligation to abide by the Privacy Act 1988. The rules and regulations under the Privacy Act are known as the Australian Privacy Principles or the APP.
What is a patient health record?
Medical records, whether electronic or not, are a collection of information about a patient’s healthcare that are essential for his or her present and future care (WHO 2001) and are covered by s.3 of the Health Records Act 2001 (AustLII 2012).
As such, the medical record must contain sufficient information to identify the patient to whom it relates, as well as information relevant to the patient’s treatment during current and future episodes of care, for example:
- the patient’s medical history
- the orders and results of any physical examination or tests
- information relating to allergies
- other factors that may need special consideration.
Secure and guaranteed access to complete information collected in the medical record is essential to ensure that healthcare professionals have the right information available when and where they need it. This maximises the quality and efficiency of the treatments they can provide to their patients at the point of care.
What is personal information?
What is sensitive information?
Sensitive information is any information that is necessary for us to collect in regards to your healthcare. This information may include family, social or medical history, genetic information and emergency contact. In this policy both personal and sensitive information are referred to as “personal information”
What personal information do we collect and hold?
Cornwall Street Medical Centre collects and stores personal information such as:
- your name, address and telephone number;
- your age or date of birth;
- your Medicare number, Veterans’ Affairs number, Health Care Card number, health fund details or pension number;
- current and past medications and or treatments;
- information relevant to your medical care, including but not limited to your previous and current medical history and your family medical history (where clinically relevant);
- your ethnicity;
- occupation or job title;
- the name of any health service provider or medical specialist to whom you are referred, copies of any letters of referrals and copies of any reports back; and
- any additional information relating to you that you provide to us directly through our representatives, medical or allied health professionals providing services at or from our Centres, Clinics or Call Centres, or otherwise.
We may also collect some information that is not personal information because it does not identify you or anyone else. For example, we may collect anonymous answers to surveys.
How do we collect your personal information?
We collect your personal information directly from you unless it is unreasonable or impracticable to do so. When collecting personal information from you, we may collect it in ways including:
- by you completing one of our patient registration forms;
- or disclosed by you during a consultation with your GP, one of our Registered Nurses or Allied Health Professionals In some circumstances personal information may also be collected from other sources.
- Often this is because it is not practical or reasonable to collect it from you directly. This may include information from:
- your guardian or responsible person
- other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services and pathology and diagnostic imaging services
- your health fund, Medicare, or the Department of Veterans’ Affairs (as necessary).
- We may also collect your personal information when you telephone us or make an online appointment.
Dealing with us anonymously
You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.
What happens if we can’t collect your personal information?
If you do not provide us with the personal information required:
- We may not be able to provide the requested services to you, either to the same standard or at all; or
- your diagnosis and treatment may be inaccurate or incomplete.
- there may be risks to your health outcome
Why do we collect, use, hold and share your personal information?
Our practice will need to collect your personal information to provide healthcare services to you. Our main purpose for collecting, using, holding and sharing your personal information is to manage your health.
We also use it for directly related business activities, such as financial claims and payments, practice audits and accreditation, and business processes (eg staff training).
- to deliver medical services and treatment to you, and to enable you to be attended by medical practitioners, registered nurses and other allied health professionals at Cornwall Street Medical Centre;
- for organizational, administrative and billing purposes;
- to keep your contact details up to date;
- to process and respond in the event that a complaint is made by you;
- to comply with any law, rule, regulation, decision or direction of a regulator, or in cooperation with any governmental authority;
- for the purposes of data research and analysis including conducting clinical trials and proactive screenings and for the purpose of sending you direct marketing communications in relation to these;
- for inclusion in a recall and reminder system to be advised of follow up visits and health promotion;
- to answer enquiries and provide information or advice about existing services and all matters relevant to the services we provide to you;
- to meet requirements of notification to our medical defence organisations or insurers.
How do we store and protect your personal information?
Your personal information is stored electronically.
Our practice is considered paperless and has systems in place to protect the privacy, security, quality and integrity of the personal health information held electronically. Appropriate staff members are trained in computer security policies and procedures.
All personal information including patient health records, visual records (X-rays, CT scans, videos and photos), and audio recordings are stored electronically.
Our practice ensures that our practice computers and servers comply with the RACGP computer security checklist and that:
- computers are only accessible via individual password access to those in the practice team who have appropriate levels of authorisation.
- computers have screensavers or other automated privacy protection devices are enabled to prevent unauthorised access to computers.
- servers are backed up and checked at frequent intervals, consistent with a documented business continuity plan.
- back up information is stored in a secure off-site environment.
- computers are protected by antivirus software that is installed and updated regularly
- computers connected to the internet are protected by appropriate hardware/software firewalls.
- we have a business continuity plan that has been developed, tested and documented.
- The quality of the personal information we hold.
- All staff and contractors must sign confidentiality agreements prior to commencing work with our practice.
It is most important that we have up to date personal information on your file. Please ensure that any changes to your personal information are updated promptly with our reception staff. Out of date or incorrect information could lead to adverse health outcomes.
When, why and with who do we share your personal information?
Sometimes we are required to share your personal information:
- with third parties who work with our practice for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
- with other healthcare providers
- when it is required or authorised by law (eg court subpoenas)
- when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
- to assist in locating a missing person
- to establish, exercise or defend an equitable claim
- for the purpose of confidential dispute resolution process
- when there is a statutory requirement to share certain personal information (eg some diseases require mandatory notification)
- during the course of providing medical services, through eTP, My Health Record (eg via Shared Health Summary, Event Summary).
Only people who need to access your information will be able to do so. All referral templates including those that utilise document automation technology are regularly reviewed to ensure only relevant medical information is included and released to a third party.
Other than in the course of providing medical services or as otherwise described in this policy, our practice will not share personal information with any third party without your consent.
Direct marketing materials
We may send you information our about services that we consider may be of interest to you. This information may be sent via SMS, email or post in accordance with all marketing laws such as the Spam Act 2003. You can opt out of receiving such material from us at any time. Please inform our reception staff if you do not wish to receive this information from us.
How can you access and correct your personal information at our practice?
You have the right to request access to, and correction of, your personal information.
Our practice acknowledges patients may request access to their medical records. We require you to put this request in writing to the Practice Manager, Cornwall Street Medical Centre, 20 Cornwall Street, WOOLLOONGABBA, QLD 4102.
Our practice will respond to your request for access within 30 days. There may be a fee for access to information. This fee covers any administrative costs associated with access. The fee for access to records is $30.00 plus gst and is to be paid in full prior to access.
There may be instances where we cannot grant you access to the personal information we hold; however, we will only do so in accordance with our rights and obligations under the Act. For example, we may need to refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, we will give you written reasons for any refusal.
Our practice will take reasonable steps to correct your personal information where the information is not accurate or up to date. From time to time, we will ask you to verify that your personal information held by our practice is correct and current. You may also request that we correct or update your information, and you should make such requests in writing to The Practice Manager, Cornwall Street Medical Centre, 20 Cornwall Street, WOOLLOONGABBA, QLD 4102. Our practice will respond to your request within 30 days.
How can you lodge a privacy-related complaint, and how will the complaint be handled at our practice?
We take complaints and concerns regarding privacy seriously.
You should express any privacy concerns you may have in writing. We will then attempt to resolve it in accordance with our resolution procedure. Such requests should be made in writing and addressed to the Practice Manager, Cornwall Street Medical Centre
Level 3, PACE Building 20 Cornwall St, WOOLLOONGABBA QLD 4102.. Our practice will respond to your request within 30 days.
You may also contact the OAIC. Generally, the OAIC will require you to give them time to respond before they will investigate. For further information visit www.oaic.gov.au or call the OAIC on 1300 363 992.
If you believe that your privacy has been breached, please contact us in accordance with the arrangements set out below and provide details of the incident so that we can investigate it.
Do we disclose your personal information to anyone outside Australia?
We do not disclose your personal information to overseas recipients. In the event that we are required to do so, we will obtain your consent.
We take all reasonable steps to ensure your personal information is protected from misuse and loss and from unauthorised access, modification or disclosure. We hold your information electronically. Personal information is destroyed or de-identified when no longer needed.
We will treat your requests or complaints confidentially. We will aim to ensure that your concern is resolved in a timely and appropriate manner.
The Practice Manager
Cornwall Street Medical Centre
Level 3, PACE Building
20 Cornwall St, WOOLLOONGABBA QLD 4102.