Introduction
We are committed to protecting the privacy of patient information and to handling your personal information in a responsible manner in accordance with the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Australian Privacy Principles and relevant State and Territory privacy legislation (referred to as privacy legislation).
This Privacy Policy explains how we collect, use and disclose your personal information, how you may access that information and how you may seek the correction of any information. It also explains how you may make a complaint about a breach of privacy legislation.
This Privacy Policy is current from 1 July 2024 and is reviewed annually. From time to time, we may make changes to our policy, processes and systems in relation to how we handle your personal information.
We will update this Privacy Policy to reflect any changes. Those changes will be available on our website and in the practice.
When you register as a patient of our practice, you provide consent for our GPs and practice staff to access and use your personal information so they can provide you with the best possible healthcare. Only staff who need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.
Collection
Types of information to be collected
We collect information that is necessary and relevant to provide you with medical care and treatment, and to manage our medical practice. This information may include your name, address, date of birth, gender, health information, Medicare number (where available, for identification and claiming purposes), healthcare identifiers, medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history, health risk factors, diagnostic investigations, credit card and direct debit details, and your contact details. Please advise us if your details have changed so that our information is accurate and up to date.
Other individuals we may collect personal information from include emergency contacts of patients, as well as job applicants and referees for job applicants. The extent of the personal information we collect from these individuals will depend on the circumstances in which the individual is engaging with ICO Health Group.
How the information is collected
Your information is collected in writing where practicable or through implied consent. We may need to collect information about you from third parties such as another health service provider, your insurer, a guardian or other sources. We will only do this with your consent and if it is necessary to enable us to facilitate the provision of health care services to you.
We collect information in various ways, such as over the phone, in writing, in person at our Practices and/or over the internet. This information may be collected by medical and non-medical staff.
In emergency situations we may also need to collect information from your relatives or friends.
How the information is stored
Your information stored by us may be held physically as paper records, or as electronic records, x-rays, CT scans, videos and photos and/or audio recordings.
To protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure, we ensure that our administrative and clinical staff with access to your personal health information have signed privacy and confidentiality agreements.
Your electronic medical record information is password protected and accessed by authorised personnel. Where practicable, any other forms of information we hold are converted to digital form and held in the password-protected electronic medical record.
This information is backed up regularly on-site after encryption and stored securely. A backup of this encrypted information is kept off-site safely and securely. We use appropriate access authentication methods, antivirus software and the necessary firewall applications to prevent unauthorised access, modification or disclosure of your information.
Under the Australian Privacy Principles (APPs), “use” and “disclosure” of personal information are defined as follows:
Use
“Use” of personal information refers to how an organisation handles and processes the information within the organisation. This includes any action taken with the data, such as:
• Accessing the data.
• Reading or analysing the data.
• Updating or modifying the data.
• Making decisions based on the data.
Instances where ICO Health Group will use your personal information
ICO Health Group will use your personal information for the following purposes:
• Providing healthcare services and treatment to patients.
• Administering billing, Medicare claims and payments.
• Managing patient appointments and records.
• Communicating with patients regarding their healthcare and clinic-related matters.
• Complying with legal and regulatory obligations.
• Direct Marketing campaigns including e-newsletters, promotions and special offers*.
*If you have received marketing information from ICO Health Group and you wish to stop receiving it, you can contact us through the opt-out mechanism detailed in our marketing material and ask us to stop sending the marketing information within a reasonable time after your request has been made. ICO Health Group will not charge you, or in any way disadvantage you, if you choose to opt out of receiving marketing material.
ICO Health Group may occasionally provide its marketing material to third parties to distribute material on ICO Health Group’s behalf.
Disclosure
“Disclosure” of personal information refers to making the information available to another entity or person outside the organisation. This includes:
• Sharing the data with third parties.
• Transferring the data to another organisation or individual.
• Publishing the data in any form.
• Allowing external access to the data.
ICO Health Group will take all reasonable steps to ensure that the personal information remains in Australia and in compliance with the applicable privacy laws. ICO Health Group does not transfer, publish or hold your personal information in any cloud based systems or servers located outside of Australia.
ICO Health Group will take all reasonable steps to ensure that any personal information which may be disclosed to our contracted third parties outside of Australia is handled in accordance with the local laws of those jurisdictions, and that those jurisdictions’ privacy laws are equal to or better than Australia’s privacy laws.
ICO Health Group will take all reasonable steps to ensure that your personal information will not be held, used or disclosed by the recipient of the information in a manner inconsistent with Australian privacy laws.
Instances where ICO Health Group will disclose your personal information
ICO Health Group may disclose personal information in the following instances:
• For medical defence purposes.
• As required by law in instances of mandatory reporting of communicable diseases.
• Where it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or to public health or safety, or it is impracticable to obtain the patient’s consent.
• To assist in locating a missing person.
• For the purpose the patient was advised of during a consultation with the treating doctor.
• As required during the normal operation of the services provided, for example for referral to a medical specialist or other health service provider.
• For the purpose of a confidential dispute resolution process.
• Some disclosure may occur to third parties engaged by or for the practice for business purposes such as accreditation or for the provision of information technology. These third parties are required to comply with this policy.
How ICO Health Group will use and disclose your personal information
Primary purpose
ICO Health Group will use and disclose your personal information for the purpose for which it was collected, or otherwise in accordance with privacy laws or your consent. In some cases, this will include disclosure of your personal information to a person or entity outside of the ICO Health Group network.
For patients, some disclosures that may be necessary in providing you with a health service include disclosure to:
• ICO Health Group staff, partners, agents, contractors and consultants involved in the provision of your care or administrative staff involved in the provision of services to you.
• Other health service providers involved in your care and treatment, and their staff.
• Financial institutions, Medicare, DVA or your private health insurer for the purposes of billing.
• Your authorised or responsible contact or next of kin.
• Government and regulatory authorities and other organisations, as required or authorised by law, including those operating relevant public health registers.
Secondary purpose
ICO Health Group will otherwise only use or disclose your personal information for another, secondary, purpose if:
• you have consented to the use or disclosure, barring specific exceptions permitted by the Australian Privacy Act (i.e. reasonably expected use, legal or regulatory compliance, health and safety, and public interest).
• the use or disclosure is for the general management and operation of ICO Health Group, for example:
  • billing/debt recovery, service monitoring, funding, complaint handling, incident reporting, developing and planning services, evaluation and improvement, quality assurance or audit activities, and accreditation activities.
  • education and training of our staff (who may not be our employees), where de-identified information is not sufficient for this purpose.
  • third party service providers who provide services to ICO Health Group such as information technology, maintenance and repair, marketing, payment systems, etc.
• ICO Health Group reasonably believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety, or a serious threat to public health or public safety.
• the use or disclosure is required or authorised by law.
Data breach
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) introduced the Notifiable Data Breach (NDB) scheme. The scheme requires an entity covered by the Australian Privacy Act 1988 (Cth) to assess a suspected data breach and to notify affected individuals of the loss of, unauthorised access to, or unauthorised disclosure of their personal information.
Our data breach response plan is intended to enable ICO Health Group to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the NDB scheme, which commenced on 22 February 2018. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.
Our data breach response plan takes into consideration the following key questions:
• When should a data breach be escalated to ICO Health Group’s data breach response team?
• Who within our organisation exercises discretion in deciding whether to escalate to the response team?
Some data breaches may be comparatively minor and able to be dealt with easily without action from the data breach response team. For example, a staff member may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled (this only applies to internal emails), or if the staff member can contact the recipient and obtain an assurance that the recipient has deleted the email, it may be that there is no utility in escalating the issue to the response team.
The following four key steps are considered when responding to a breach or suspected breach:
• Containing the breach
• Assessing the risks associated with the breach
• Considering breach notification
• Reviewing the incident and taking action to prevent future breaches
Accessing and amending your personal information
We will take reasonable steps to provide you with access to and/or correct your information within 30 days of your request. In certain circumstances, we reserve the right to refuse to allow you to access your personal information, where authorised by law. If this happens, we will give you a written notice explaining the reasoning behind the refusal and advise you on how you may make a complaint.
Your personal information may be accessed by you, your authorised representative, your lawyer or your insurance provider, upon a prior written request from you or with your authority to release your personal information to these third parties.
Exceptions where your information may be disclosed without your consent are where the disclosure is:
• Required by law
• Necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
• To assist in locating a missing person
• To establish, exercise or defend a legal or equitable claim