Introduction

Epworth Medical Imaging (EMI) respects and upholds the thirteen Australian Privacy Principles (APPs) outlined in the Privacy Act (the Act).

This APP Privacy Policy explains:

  • the kinds of personal information that EMI holds
  • how EMI collects and holds personal information
  • matters related to anonymity and pseudonymity
  • the purpose for which EMI holds, collects, uses and discloses personal information
  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information
  • how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds EMI, and how EMI will deal with such a complaint
  • whether EMI is likely to disclose information to overseas recipients
  • if the entity is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy

Personal Information held by Epworth Medical Imaging

Patients and Prospective Patients

Information we commonly collect about patients includes but is not limited to:

  • name, gender, address and contact details
  • medical history
  • Medicare, pension, health care card and other government identifiers
  • family, social and employment history and circumstances
  • health services requested or provided and the outcome or results
  • billing information/history
  • expressed wishes about the future provision of health services
  • details of feedback, complaints, suggestions

Referring Clinicians, Practice Managers and Ancillary Staff

Information we commonly collect about referring clinicians, practice managers and ancillary staff, includes but is not limited to:

  • name, address, telephone numbers, fax /email address and other contact details
  • details of IT systems and web addresses
  • Medicare provider numbers and billing information
  • area of specialisation
  • employment history
  • service delivery preferences, referral patterns and fees paid by referred patients
  • information gathered by client services/marketing staff during practice visits/interactions
  • expressed wishes about the future provision of health services
  • service improvement comments/preferences
  • details of feedback, complaints, suggestions

Staff

Information we commonly collect about Staff includes but is not limited to:

  • name, address, telephone numbers, email address and other contact details
  • employment records
  • performance records

Employment Applicants

Information we commonly collect about employment applicants includes but is not limited to:

  • name, address, email address and other contact details
  • letters of application/expressions of interest and associated correspondence
  • Curriculum Vitae/Resume
  • referee comments

Anonymity and Pseudonymity

It is impractical for persons to deal with EMI anonymously or by using a pseudonym. This is because:

  • diagnosis and advice may be seriously impaired
  • there would be an unacceptable risk to patient safety, and it would conflict with the Australian Commission on Safety and Quality in Healthcare’s Patient Identification Safety Standards
  • there may be mismatching of an individual’s results
  • there is an unacceptable risk of communication breakdown between EMI and a patient’s treating physician
  • it may result in a breakdown in good public health practice
  • examination may not be claimed under Medicare or Private Health Funds

Patients are entitled to approach EMI anonymously to request a service; however the service itself may not be able to be provided anonymously to ensure appropriate patient care is maintained.

How Epworth Medical Imaging Collects Personal Information

EMI collects personal information by the following means:

  • face to face
  • telephone
  • email and other electronic means
  • fax

Solicited vs Unsolicited Information

Most of the personal information collected by EMI is solicited. On occasion EMI may receive unsolicited information. When unsolicited information is received, the principles outlined in this policy will still apply.

How Epworth Imaging Holds Personal Information

In order to provide the highest level of care to our patients we operate a single integrated national medical records system for Radiology, and all Sonic Imaging entities have access to this system.

EMI commonly holds personal information in the following mediums:

  • electronically
  • hard copy
  • digital audio recordings
  • digital and hard copy images
  • paper based and other hard copy documents located securely within the practice. (All practices have twenty four-hour security systems)
  • contained in electronic records in a secure environment; and
  • archived in dedicated secure storage facilities

Security of Personal Information

We have procedures in place to store personal information securely to protect it from misuse and loss, and from unauthorised access, modification or disclosure.

Processes include but are not limited to:

  • hard copy documents are located securely within the practice or secure storage centres. All practices have twenty four-hour security systems
  • in electronic databases in a secure environment; and in a dedicated archive storage facility
  • records are only accessible by persons who require access to that information for the purpose of carrying out their employment.
  • hard copy documents securely destroyed using a dedicated third party document destruction service
  • incident reporting of data security breaches
  • strong corporate governance practices
  • staff training
  • regular review of policy and procedures

How Epworth Medical Imaging Uses Personal Information

EMI may collect personal information:

  • for the primary purpose for which it was collected; or
  • for directly related secondary purposes which we believe are within your reasonable expectations; or
  • in a manner for which you have given consent

As required for the provision of our service EMI may collect Sensitive Information as defined in the Privacy Act.

Patients

Primary Purposes

  • to provide reliable healthcare services
  • to link medical records of patients and to their healthcare provider
  • ensure appropriate testing
  • diagnose and interpret results
  • allow billing and payments
  • if lawfully instructed to reveal information

Secondary Purposes

  • for our internal administrative requirements, including for management purposes, funding, service monitoring, planning, evaluation and accreditation activities
  • to provide data in both an identified and de-identified form to State and Federal Government agencies in compliance with numerous legislative requirements (eg BreastScreen, Cancer Council, National Health and Medical Research Council)
  • for complaint handling and defence of anticipated or existing legal actions;
  • to our insurers, brokers, lawyers and other experts for the purposes of addressing liability indemnity arrangements or to obtain advices as to our legal or other obligations
  • for planning and evaluation of accreditation activities and with our professional bodies
  • for teaching purposes, case studies and multidisciplinary clinical team meetings in de-identified form
  • for provision of further information about medical advances in pathology/radiology and treatment options

If your health information is used or disclosed for one or more of these purposes, we will not normally seek your specific consent.

Uses Requiring Patient Consent

EMI will obtain your consent if your health information is proposed to be used or disclosed without de-identification for:

  • marketing, and to communicate special events
  • research

If research is being contemplated, reasonable steps will be taken to ensure you understand what the proposed research involves, the ways in which your health information will be used, and the risks and benefits of agreeing to participate.

Referring Clinicians, Practice Managers and Ancillary Staff

Primary Purposes

  • to provide reliable healthcare services for patients
  • to link medical records to patients and their healthcare provider
  • ensure appropriate testing
  • to diagnose and interpret results
  • to tailor services to a referrer’s needs
  • to provide educational material to referrers and their staff

Secondary Purposes

  • direct marketing via email or mail

Disclosure of Personal Information

EMI may disclose your personal information:

  • for the purposes of getting a second medical opinion
  • to a third party health provider or service who is providing direct clinical care to a patient
  • to a third party health provider within a hospital campus where an individual is being treated
  • where it may be more appropriate for a test to be performed by a specialist service
  • where there are statutory requirements to report results to registries
  • to third party organisations for billing/accounting/systems management purposes

An individual’s right to control the use and disclosure of personal information.

EMI believes that the use and disclosure of personal information in the ways described in this policy will reflect the reasonable expectations of an individual dealing with us.

An individual may understand the advantages and approve of health information being shared between several health service providers, such as EMI and the individual’s referring medical practitioner, as part of their overall health treatment and management.

However, sometimes the parties’ expectations do not align. For example, an individual may not want a report to be directly sent to the referring medical practitioner following the service.

An individual may also not want EMI to provide certain health information, or may not want their health information to be used or disclosed in a particular way.

EMI respects such wishes and will, in accordance with the Act and the APPs, take all reasonable steps to comply with such wishes.

EMI strongly encourages patients to obtain their health information, particularly copies of results from their referring medical practitioner. This is likely to best facilitate effective and efficient delivery of treatment and ensures that the referring medical practitioner has an opportunity to clarify any aspects of the results and to answer any questions or concerns a patient may have. It is the referring medical practitioner who makes the diagnosis. Results provided in isolation may be misleading.

Integrity of Personal Information

EMI takes reasonable steps to ensure personal information it holds is:

  • accurate, complete, well organised and legible
  • up to date, in that it reflects the personal information most recently obtained from the individual
  • free of prejudicial, derogatory or irrelevant statements

For Patients

  • All relevant personal information is reconfirmed at each attendance
  • EMI fulfils regulatory, accreditation and public health requirements on patient identity

For referring practitioners, their staff and other third parties

  • Providing mechanisms to update personal information (address, phone, fax, email).
  • Receiving feedback via face to face, phone or written contact and updating records accordingly.

Access to and Correction of Personal Information

Access

Individuals have the right to access personal information held by EMI. An individual does not have to provide a reason for requesting access.

The preferred method for patients to receive results is in consultation with their treating practitioner where the results can be explained in the context of their health management.

EMI may provide patients with online access to their medical records. Our online patient access systems are opt-in and patients may choose not to subscribe to such systems.

EMI may request that an individual complete a written request to access their medical records in order to ensure that you are given the correct health information. Proof of identity will be required.

EMI is not required to provide access to the personal information to the extent that:

  • EMI reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
  • giving access would have an unreasonable impact on the privacy of other individuals; or
  • the request for access is frivolous or vexatious; or
  • the information relates to existing or anticipated legal proceedings between EMI and the individual, and would not be accessible by the process of discovery in those proceedings; or
  • giving access would reveal the intentions of EMI in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
  • giving access would be unlawful; or
  • denying access is required or authorised by or under an Australian law or a court/tribunal order; or
  • EMI has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in;
  • giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
  • giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  • giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.

Correction

If an individual believes information held about them is incorrect, incomplete or inaccurate, then the individual may apply for the information to be corrected by contacting the privacy officer.

EMI may refuse to correct personal information and will provide a written response that sets out:

  • the reasons for the refusal except to the extent that it would be unreasonable to do so; and
  • the mechanisms available to complain about the refusal; and
  • any other matter prescribed by the regulations

Request to associate a statement or opinion

  • If EMI refuses to correct the personal information as requested by the individual; and
  • the individual requests the entity to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;

EMI will take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.

Transborder Data Flow

In rare instances EMI may disclose personal information outside Australia. An individual’s privacy will continue to be protected as per the APPs.
Instances where transborder disclosure may occur include:

  • where an individual is participating in a clinical trial
  • when requested by a patient’s treating doctor overseas
  • when requested by the patient
  • when samples are sent overseas for expert opinion/analysis

Each instance where personal information is sent overseas is unique. In most cases the individual will already be aware of, and consent to, the transfer. Where reasonable, the individual will be notified of the overseas destination; however, it is not always practical to specify.

Use of Personal Information for Direct Marketing

We may use personal information for marketing directly related to our services. All marketing communication includes instructions on how to opt out of future communications.

An individual may advise us that they do not wish to receive direct marketing from us at any time by contacting the privacy officer.

We will not disclose your personal information to a third party for any marketing purposes.

Privacy Complaints Process

Complaints may be lodged in any form (written, verbal, email etc.) to EMI’s Privacy Officer. Where reasonable, EMI will respond to privacy complaints within 30 days.

If the complainant is unsatisfied with the response from EMI they may lodge a complaint with the Office of the Australian Information Commissioner.

Privacy Officer Contact Details

Should you have any questions or concerns please contact your local privacy officer.

Epworth Medical Imaging
P: 03 9426 6666

M: Privacy Officer, Epworth HealthCare, 89 Bridge Road, Richmond, VIC 3121

E: Through the feedback form on the patient feedback page of our website.

Office of the Australian Information Commissioner (OAIC)
GPO Box 2999
Canberra, ACT 2601

P: 1300 363 992
E: enquiries@oaic.gov.au
W: http://www.oaic.gov.au/

OAIC Online Privacy Complaint Form
https://forms.business.gov.au/aba/oaic/privacy-complaint-/

Revised: October 2018