Why and when your consent is necessary
When you register as a patient of our practice, you provide consent for our GPs and practice staff to access and use your personal information so they can provide you with the best possible healthcare. Only staff who need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.
Why do we collect, use, hold and share your personal information?
Our practice will need to collect your personal information to provide healthcare services to you. Our main purpose for collecting, using, holding and sharing your personal information is to manage your health. We also use it for directly related business activities, such as financial claims and payments, practice audits and accreditation, and business processes (e.g. staff training).
What personal information do we collect?
The information we will collect about you includes your:
· names, date of birth, addresses, contact details
· medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors
· Medicare number (where available) for identification and claiming purposes
· healthcare identifiers
· health fund details.
Dealing with us anonymously
You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.
How do we collect your personal information?
Our practice may collect your personal information in several different ways.
1. When you make your first appointment our practice staff will collect your personal and demographic information via your registration.
2. During the course of providing medical services, we may collect further personal information.
3. We may also collect your personal information when you visit our website, send us an email or SMS, telephone us, make an online appointment or communicate with us using social media.
4. In some circumstances personal information may also be collected from other sources. Often this is because it is not practical or reasonable to collect it from you directly. This may include information from:
your guardian or responsible person
other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services and pathology and diagnostic imaging services
your health fund, Medicare, or the Department of Veterans’ Affairs (as necessary).
When, why and with whom do we share your personal information?
We sometimes share your personal information:
with third parties who work with our practice for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
with other healthcare providers
when it is required or authorised by law (e.g. court subpoenas)
when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
to assist in locating a missing person
to establish, exercise or defend an equitable claim
for the purpose of a confidential dispute resolution process
when there is a statutory requirement to share certain personal information (e.g. some diseases require mandatory notification)
during the course of providing medical services, through eTP, MyHealth Record (e.g. via Shared Health Summary, Event Summary).
Only people who need to access your information will be able to do so. Other than in the course of providing medical services or as otherwise described in this policy, our practice will not share personal information with any third party without your consent.
We will not share your personal information with anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent.
Our practice will not use your personal information for marketing any of our goods or services directly to you without your express consent. If you do consent, you may opt out of direct marketing at any time by notifying our practice in writing.
How do we store and protect your personal information?
Your personal information may be stored at our practice in various forms.
Paper records, electronic records, visual records (X-rays, CT scans, videos and photos), audio recordings.
Our practice stores all personal information securely.
We use passwords to protect records stored electronically. All staff members are bound by a confidentiality agreement.
How can you access and correct your personal information at our practice?
You have the right to request access to, and correction of, your personal information.
Our practice acknowledges patients may request access to their medical records. We require you to put this request in writing and our practice will respond within a reasonable time (usually 3-5 working days). Fees may also be associated with providing this information. Patients will not be charged for making the request – only for the costs of complying with the request.
Our practice will take reasonable steps to correct your personal information where the information is not accurate or up to date. From time to time, we will ask you to verify that your personal information held by our practice is correct and current. You may also request that we correct or update your information, and you should make such requests in writing to our email (firstname.lastname@example.org) or in person.
How can you lodge a privacy-related complaint, and how will the complaint be handled at our practice?
We take complaints and concerns regarding privacy seriously. You should express any privacy concerns you may have in writing or in person. We will then attempt to resolve it in accordance with our resolution procedure.
You may also contact the OAIC. Generally, the OAIC will require you to give them time to respond before they will investigate. For further information visit www.oaic.gov.au or call the OAIC on 1300 363 992.
Policy review statement
Social Media Policy
This policy provides guidance for general practice on using social media internally and externally. The policy helps identify and mitigate potential risks associated with social media usage.
‘Social media’ is online social networks used to disseminate information through online interaction.
Background and rationale
Regardless of whether social media is used for business related activity or for personal reasons, the following standards apply to all GPs and practice staff of the practice. GPs and practice staff are legally responsible for their postings online. GPs and staff may be subject to liability and disciplinary action including termination of employment if their posts are found to be in breach of this policy.
When using the practice’s social media, practice staff will not:
a) post any material that:
is unlawful, threatening, defamatory, pornographic, inflammatory, menacing, or offensive
infringes or breaches another person’s rights (including intellectual property rights) or privacy or misuses the practice’s or another person’s confidential information (e.g. do not submit confidential information relating to our patients, personal information of staff, or information concerning the practice’s business operations that have not been made public)
is materially damaging or could be materially damaging to the practice’s reputation or image, or another individual
is in breach of any of the practice’s policies or procedures.
b) use social media to send unsolicited commercial electronic messages, or solicit other users to buy or sell products or services or donate money
c) impersonate another person or entity (for example, by pretending to be someone else or another practice employee or other participant when you submit a contribution to social media) or by using another’s registration identifier without permission
d) tamper with, hinder the operation of, or make unauthorised changes to the social media sites
e) knowingly transmit any virus or other disabling feature to or via the practice’s social media account, or use in any email to a third party, or the social media site
f) attempt to do or permit another person to do any of these things:
claim or imply that you are speaking on the practice’s behalf, unless you are authorised to do so
disclose any information that is confidential or proprietary to the practice, or to any third party that has disclosed information to the practice.
g) be defamatory, harassing, or in violation of any other applicable law
h) include confidential or copyrighted information (e.g. music, videos, text belonging to third parties)
i) violate any other applicable policy of the practice.
Privacy and security
All practice staff must obtain the relevant approval from the social media responsible officer prior to posting any public representation of the practice on social media websites. The practice reserves the right to remove any content at its own discretion.
Monitoring social media sites
Any social media must be monitored in accordance with the practice’s current policies on the use of internet, email and computers.
The practice will appoint a staff member as social media responsible officer to manage and monitor the practice’s social media accounts. All posts on the practice’s social media website must be approved by this staff member.
The practice complies with AHPRA national law and takes reasonable steps to remove testimonials that advertise their health services (which may include comments about the practitioners themselves). The practice is not responsible for removing (or trying to have removed) unsolicited testimonials published on a website or in social media over which they do not have control.
Any social media posts by staff on their personal social media platforms should:
a) include the following disclaimer example in a reasonably prominent place if you identify yourself as a practice employee on any posting: ‘The views expressed in this post are mine and do not reflect the views of the practice/business/committees/boards that I am a member of’.
b) respect copyright, privacy, fair use, financial disclosure and other applicable laws when publishing on social media platforms.
Breach of policy
Social media activities internally and externally of the practice must be in line with this policy.
Internet and Email Policy
Patrick St Medical Centre recognises the practice team requires access to email and the internet to assist in the efficient and safe delivery of healthcare services to our patients. Patrick St Medical Centre supports the right of staff to have access to reasonable personal use of the internet and email communications in the workplace using the devices and networks provided by the practice.
Purpose and objectives
This policy sets out guidelines for acceptable use of internet and email by the practice team, contractors and other staff of Patrick St Medical Centre. Internet and email are provided primarily to assist the team to carry out their duties of employment.
This internet and email policy applies to the practice team, contractors and other staff of Patrick St Medical Centre who access the internet and email on practice owned devices, including, but not limited to laptops, desktop computers and iPads to perform their work.
Use of the internet by the practice team, contractors and other staff is permitted and encouraged where this supports the goals and objectives of Patrick St Medical Centre. Access to the internet is a privilege and the practice team, contractors and other staff must adhere to this policy.
If this policy is breached, the practice will determine what action will be taken. Action could include:
disciplinary and/or legal action
termination of employment
the practice team, contractors and other staff being held personally liable for damages caused by any violations of this policy
All employees are required to confirm they have understood and agree to abide by this email and internet policy.
The practice team, contractors and other staff may use the internet and email access provided by Patrick St Medical Centre for:
any work and work-related purposes
limited personal use
more extended personal use under specific circumstances (see below)
Limited personal use of email and internet
The practice defines what is considered limited personal use of internet and email which could include the following:
infrequent and brief use
does not interfere with the duties of the practice team, contractors and other staff
does not interfere with the operation of your general practice
does not compromise the security of your general practice
does not impact on your general practice electronic storage capacity
does not decrease your general practice network performance (eg large email attachments can decrease system performance and potentially cause system outages)
does not incur any additional expense for your general practice
does not violate any legislation
does not compromise any confidentiality requirements of your general practice
Examples of what could be considered reasonable personal use could be included in your policy and could include:
conducting a brief online bank transaction
paying a bill
sending a brief personal email, similar to making a brief personal phone call
Unacceptable internet and email use
The practice team, contractors and other staff may not use internet or email access provided by Patrick St Medical Centre for:
creating or exchanging messages that are offensive, harassing, obscene or threatening
visiting web sites containing objectionable (including pornographic) or criminal material
exchanging any confidential or sensitive information held by your general practice
creating, storing or exchanging information in violation of copyright laws
using internet-enabled activities such as gambling, gaming, conducting a business or conducting illegal activities
creating or exchanging advertisements, solicitations, chain letters and other unsolicited or bulk email
playing electronic or online games in work time.
Policy review statement
This policy will be reviewed regularly to ensure it reflects the current processes and procedures of Patrick St Medical Centre and current legislation requirements.
Disclaimer: The policy template for general practices is intended for use as a guide of a general nature only and may or may not be relevant to particular practices or circumstances. The Royal Australian College of General Practitioners (RACGP) has used its best endeavours to ensure the template is adapted for general practice to address current and anticipated future privacy requirements. Persons adopting or implementing its procedures or recommendations should exercise their own independent skill or judgement, or seek appropriate professional advice. While the template is directed to general practice, it does not ensure compliance with any privacy laws, and cannot of itself guarantee discharge of the duty of care owed to patients. Accordingly, the RACGP disclaims all liability (including negligence) to any users of the information contained in this template for any loss or damage (consequential or otherwise), cost or expense incurred or arising by reason of reliance on the template in any manner.
In Hour Home Visit Policy
The following safe practice procedures have been developed to enable staff employed by Patrick St Medical Centre to carry out home visits with a high level of safety.
As part of any safe workplace, doctors are strongly encouraged to always use past experience and to consult with colleagues and management at all times.
Maintenance of a safe work environment for staff is a joint responsibility for staff and management.
We will not provide a service in a patient’s home if formal assessments identify an unacceptable level of risk indicating it is not safe for the doctor providing the service.
When conducting home visits, workers must take the following steps.
1. Carry out risk assessments
Always conduct an assessment of risk of aggression before visiting any patient at home.
Patients who have stable mental health should have the level of risk reassessed at their management/ individual plan review or where there is reason to believe that the level of risk has changed. Assessment, prevention and management planning should include the consumer, as well as the roles of relevant others and their contributions.
Doctors who are uncertain as to the level of risk involved in a home visit must discuss the situation with their other doctors before going to and/or entering the patient's home.
Consider risk to male doctors concerning possible allegations of sexual misconduct by female patients, particularly in the privacy of a patient’s home.
Advice should be sought and taken from local mental health services that may have relevant history or information about the consumer being assessed.
2. Once a risk assessment has been carried out, the level of risk determined and the risks prioritised, a decision needs to be made about risk management options. For example:
a) The level of risk is acceptable and able to be managed with existing procedures.
b) The level of risk is acceptable but requires adjustments to human resources (e.g. must be visited by 2 people) and the development of a risk management plan:
Risk management strategies need to be built into the individual’s care plan.
The effectiveness of the strategies must then be monitored and evaluated:
individually between the patient and their care coordinator
through regular team meetings and care conferences (where applicable).
c) The level of risk is too high and cannot be mitigated through rearrangement of resources or a risk management plan:
Explain and document the reasons.
Work with the patient to identify more appropriate options.
With the patient’s consent, refer appropriately.
3. Identify risks and make decisions relating to the risks identified, for example, cancel visit.
4. Have the necessary equipment, for example:
Always carry a mobile phone that is appropriately charged and in good working order.
Have 000 and the relevant office numbers programmed into the speed dial function of the mobile phone.