Drummoyne Dermatology Privacy Policy

Introduction

The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. The Privacy Act includes thirteen Australian Privacy Principles (APPs). We are committed to protecting the privacy of our patients. This Privacy Policy has been developed to protect patient privacy in compliance with the Privacy Act 1988 (Privacy Act) and Australian Privacy Principles (APP’s), March 2014. 

This Privacy Policy is to inform you of:

• The information we collect and how we collect and store your personal information
• The purposes for which we collect, hold, use and disclose personal information
• How we protect the security of your personal information and respond to data breaches
• How you may access your personal information and how you may seek a correction of any personal information
• How you may make a complaint about our handling of your personal information

Collection of Information

This practice collects and holds personal information that is necessary and relevant to provide you with medical care and treatment. The type of information we may collect and hold includes:

• Personal details (name, address, date of birth, Medicare number, DVA number, pension number, email and contact details)
• Your medical history, including symptoms, diagnosis, previous and current treatment, medications, prescriptions, family history and photos
• referrals, results and reports received from other health service providers
• appointment and billing details, including credit card information

Our practice uses Genie Desktop Medical Software. Patient information may be collected by medical and non-medical staff employed by Drummoyne Dermatology. Patient information is entered into Genie by our team of receptionists, nurses and dermatologists. 

Where practicable we will collect this information from you personally or from your authorised representative, either at the practice, over the phone, via SMS or via written or electronic correspondence. We also utilise an Online Booking Registration provided through Genie, which provides a secure link for our new patients to enter their Personal details as listed above. We have the functionality to utilise HotDoc through Genie. When HotDoc is enabled Patients are able to make Online Bookings for themselves with practitioners at Drummoyne Dermatology. Information is securely and automatically updated to the patient’s Genie record.

In emergency situations we may also need to collect information from your immediate family, friends or carers. 

In some instances we will need to collect information about you from other sources, such as your treating General Practitioner (GP), specialists, pathologists, radiologists, hospitals, nursing homes and other health care providers.

If a photo is required of a lesion, rash or biopsy site, the image stored on the practice device will be de-identified. We will remove personal information such as name, address, DOB when transmitting an image. De-identified information is not considered to be ‘personal information’ under the Privacy Act. 

We may be required by law to retain medical records for certain periods of time.

Use and Disclosure

All staff, medical and non-medical will treat your personal information as strictly private and confidential. We will only use or disclose it for purposes directly related to your immediate and ongoing care and treatment.  

This includes the use or disclosure; verbally or via written or electronic correspondence (which can include Healthlink, My Health Record, MEDICARE Web Services, e-scripts, fax and email),

• To the medical team directly involved in your health care, including treating doctors, allied health professionals, pathology services, radiology services and other specialists. 
• To our administrative staff for billing and other administrative services.
• To liaise with government and regulatory bodies such as Medicare, the Department of Veteran’s Affairs and My Health Record. 

At your request we will disclose your biopsy results and treatment to your authorised representative. This request can be made in writing and/or given verbally as long as staff are satisfied that they have confirmed your identity over the phone. 

Appointment confirmations are usually sent via SMS to the mobile number provided by the patient at registration. If no mobile number is recorded, our practice will be to contact the patient on their listed landline. 

Results may be given in person in our rooms, via a phone call and/or via SMS to the mobile number we have received at registration. If a patient does not want to receive results or communication via SMS, we ask that they make our reception team aware. 

The Privacy Act does not specify an age after which individuals can make their own privacy decisions. It is the practice of Drummoyne Dermatology that once a patient turns 18, their results are disclosed directly to them and not a parent/guardian unless there has been consent to disclose to an authorised representative. 

It is the practice of Drummoyne Dermatology for patient’s under the age of 18, to disclose health information to a person responsible for the child, such as a parent or guardian. There is an allowance in the Privacy Act for patient’s between the ages of 15 and 18 to make their own privacy decisions where they have sufficient understanding and maturity. This is assessed on a case by case basis but may be enforced by Drummoyne Dermatology at a minor’s request if it deemed they have capacity for consent. 

There are times where we may be permitted or required by law to disclose your personal information to third parties. For example, to Medicare, Police, Family and Community Services (FACS), government and regulatory bodies, insurers, lawyers and debt collection agents. 

We may also from time to time provide statistical data to third parties for research. 

Security of Information and Accuracy

We will take reasonable steps to ensure that your personal information is accurate, complete and up to date. Our staff may ask you to confirm that your personal details are correct when booking appointments and/or at your consultation. We do request that our patient’s advise us if there has been any change to contact details. 

Our practice uses Genie Desktop Medical Software. We migrated away from paper files in 2016. All our old paper files are securely stored on our premises accessible only to Practice Staff.  Our computer workstations and our server are password protected. 

Trend Anti-virus software is installed on our server and all associated workstations on our network. Virus definitions are auto updated. The objective of Anti-virus software is to prevent all forms of virus infecting our network. There is a physical Fortinet Firewall at the practice. The objective of a Firewall is to provide protection from outside our Network. It prevents unauthorised access from external providers. 

We have a PMS (Power Management System) which provides power surge protection to the server and our data. Our server is located onsite. Our data is backed up locally every 15 minutes and it is backed up offsite to our data centre every 15 minutes. We also back up our data daily to USB onsite. 

Monthly verification and maintenance is completed by our IT team, assessing Anti-Virus, PMS, Server and Backup functionality.

We utilise Genie’s Online Patient Registration, where patient demographic details, including contact and Medicare information is securely and automatically updated to the patient’s Genie record. When enabled we have the functionality to utilise through Genie, specialist bookings powered by HotDoc. Again patient information is securely and automatically updated to the patient’s Genie record. 

With both the Online Patient Registration and HotDoc specialist bookings, specific data is synced to Genie’s Cloud Platform. As at February 2022 specific data that is synced includes; Patient Demographic Information, Appointments, Appointment types, Invoice Data, Providers. This data is stored in the cloud with Amazon Web Services at Genie’s Australian data centres. At no time is patient clinical information stored to Genie’s cloud platform, this continues to be stored directly to the Drummoyne Dermatology Server.

Services Australia required Medical Software providers to have Web Services ready by 13 March 2022 to access Medicare Online (including DVA) and PBS Online. Web services is a technology used over the internet so that health professionals can securely share data with Services Australia. Genie is Medicare Web Services compliant since 13 March 2022 and this data is synced with Genie’s Cloud Platform. 

Genie confirms that No Protected Health Information (PHI) or Personally Identifiable Information (PII) will be shared with a third-party. Below is the link to the privacy policy of Genie. 

https://www.geniesolutionssoftware.com.au/privacy-policy

Data Breaches

A data breach is unauthorised access to or unauthorised disclosure of personal information held by the practice. As per the Notifiable Data Breach Scheme covered by the Privacy Act 1988, as at 22 February 2018 we are required to notify the Office of the Australian Information Commissioner (OAIC) and individuals likely to be at risk of serious harm because of a data breach. The organisation needs to notify the individual and OAIC as soon as practicable, after becoming aware of a breach but should not be more than 30 days. An example of a data breach is where a computer Medical Record System is hacked or personal information is mistakenly given to the wrong person. 

Access of Information 

You have a right to seek access to and request correction of your personal information we hold on file. We ask that you put your request in writing. A fee for the retrieval and copying of your Medical Record may apply. We aim to respond to your request within a reasonable time frame. 

If you require your Medical Record to be forwarded to another health care provider we also ask that this request is made in writing. A fee for retrieving, copying and posting your file may apply.  

Complaints

If you have a complaint about the privacy of your personal information, we request that you contact us in writing:

Practice Manager

Drummoyne Dermatology

1/109 Victoria Rd

Drummoyne NSW 2047 

Upon receipt of a complaint we are required to address the complaint within 30 days. If you are dissatisfied with the handling of a complaint or the outcome of a complaint, you may make an application to the Office of the Australian Information Commissioner. Their website has information on how to lodge a complaint https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint

Contact details of the Office of the Australian Information Commissioner (OAIC)