6 Privacy and Personal Health Information

6.1 Privacy and Security of Personal Health Information


Bowenfels Medical Practice and Eskbank Surgery are committed to providing quality health care for their patients. As part of this commitment, the principals and staff of the practice recognise the importance of ensuring that our patients are fully informed about and involved in their health care.

Bowenfels Medical Practice and Eskbank Surgery are, as NSW health providers in the private sector, bound by the Health Records and Information Privacy Act 2002 (NSW) and the Privacy Act 1988 (Cth); this includes both the Australian Privacy Principles and the NSW Health Privacy Principles. This policy provides information to patients as to how their personal information (which includes their health information) is collected and used within the Practice, and the circumstances in which we may disclose it to third parties.

The APP provides a privacy protection framework that supports the rights and obligations of collecting, holding, using, accessing and correcting personal information. The APP consists of 13 principle-based laws and applies equally to paper-based and digital environments. The APP complements the longstanding general practice obligation to manage personal information in a regulated, open and transparent manner.

This policy will guide the Practice staff in meeting these obligations. It also details to patients how the Practice uses their personal information. The policy will be made available to patients upon request.

The Practice will:
• Provide a copy of this policy upon request
• Ensure staff comply with the APP and deal appropriately with inquiries or concerns
• Take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APP and deal with inquiries or complaints
• Collect personal information for the primary purpose of managing a patient’s healthcare and for financial claims and payments.


The practice’s staff will take reasonable steps to ensure patients understand:
• What information has been and is being collected
• Why the information is being collected, and whether this is due to a legal requirement
• How the information will be used or disclosed
• Why and when their consent is necessary
• The Practice’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy.

The Practice will only interpret and apply a patient’s consent for the primary purpose for which it was provided. The Practice staff must seek additional consent from the patient if the personal information collected may be used for any other purpose.

The Practice needs to collect personal information in order to provide clinical services to a patient at the practice, and it is necessary for us to maintain files pertaining to patient health.

A patient’s personal information may be held at the Practice in various forms:
• As paper records
• As electronic records

The files may contain the following types of information:
• Patient name, address, telephone number, Medicare and Veterans' Affairs numbers (for identification and claiming purposes), Health Care card or Pension numbers and health fund details
• Individual Healthcare identifiers
• Information for the purpose of providing electronic prescriptions (eTP)
• Date of birth
• Current and previous medical history including medications, allergies, adverse events, immunisations, social history, family history and risk factors.
• The name of any health service provider or medical specialist to whom the patient is referred, copies of any letters of referral and reports back.
• Current treatments or medicines used by the patient
• Your ethnic background
• Any additional information relating to you that you provide to us.

Bowenfels Medical Practice and Eskbank Surgery may access patient information:

• Provided by the patient on our New Patient Information Form or Patient Information update form
• Provided on the patient's behalf with patient consent
• From a referring health service provider
• Provided by the patient during the course of a consultation
• From your employer or prospective employer
• From a third party such as law enforcement or other government agencies

The Practice's procedure for collecting personal information is set out below.

1. Practice staff will collect patients’ personal and demographic information via registration when patients present to the Practice for the first time. Patients are encouraged to pay attention to the collection statement attached to the form and information about the management of collected information and patient privacy.
2. During the course of providing medical services, the Practice's healthcare practitioners will subsequently collect further personal information.
3. Personal information may also be collected from the patient's guardian or responsible person (where practicable and necessary), or from any other involved healthcare specialists.

The Practice holds all personal information securely, whether in electronic format in protected information systems or in hard copy format in a secured environment.

Patient information may be stored electronically and/or in hard copy form. Electronically stored files are password protected and daily backups of data are performed. Paper records are kept securely in filing cabinets and are accessible only by practice staff. Employees are versed in the principles and importance of doctor–patient confidentiality, and staff and contractors are required to sign a Confidentiality Agreement as a condition of employment.

Personal information will only be used for the purpose of providing medical services and for claims and payments, unless otherwise consented to. Some disclosure may occur to third parties engaged by or for the Practice for business purposes, such as accreditation or for the provision of information technology. These third parties are required to comply with this policy. The Practice will inform the patient where there is a statutory requirement to disclose certain personal information (for example, some diseases require mandatory notification).

The Practice may use your health information, as directed by you, for the purposes of using the Personally Controlled Electronic Health Record System (PCEHR), including use of patients' Healthcare Identifiers and electronic transfer of prescriptions (eTP).

The Healthcare Identifiers Act 2010 (the HI Act) specifies that healthcare identifiers are to be used for healthcare and related management purposes, with penalties in place for misuse. Healthcare identifiers cannot be used for other purposes including for insurance and employment purposes, unless the use is for the purpose of healthcare delivery to an individual.

The Practice will not disclose personal information to any third party, other than in the course of providing medical services, without full disclosure to the patient of the recipient and the reason for the information transfer, and without full consent from the patient. The Practice will not disclose personal information to anyone outside Australia without need and without patient consent.

Exceptions, where information may be disclosed without patient consent, are where the disclosure is:

• As required for the delivery of the health service to the patient
• As required to refer the patient to a medical specialist or other health service provider
• For billing and liaising with government offices regarding Medicare entitlements and payments
• Required by law
• Necessary to lessen or prevent a serious threat to a patient's life, health or safety or to public health or safety, where it is impractical to obtain the patient's consent
• To assist in locating a missing person
• To establish, exercise or defend an equitable claim
• For the purpose of a confidential dispute resolution process.

The Practice will not use any personal information in relation to direct marketing to a patient without that patient's express consent. Patients may opt out of direct marketing at any time by notifying the Practice by letter or email.

The Practice evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.

Patients may request access to their medical records and in most cases the Practice can facilitate this. Patients are encouraged to make this request in writing, and the Practice will respond within a reasonable time. Access to your personal information may be declined in special circumstances, such as where giving access would put you or another person at risk of mental or physical harm, or where access may be denied under the Privacy Act or other laws.

The Practice will take reasonable steps to correct personal information where it is satisfied that the information is not accurate or up to date. From time to time, the Practice will ask patients to verify that the personal information held by the practice is correct and up to date. Patients may also request that the Practice corrects or updates their information.

The Practice takes complaints and concerns about the privacy of patients' personal information seriously. Patients should express any privacy concerns in writing. The Practice will then attempt to resolve them in accordance with its complaint resolution procedure.

Complaints in relation to privacy policies, or requests to access, correct or update patient records, may be made in writing at either Bowenfels Medical Practice or Eskbank Surgery. They should be addressed to the Practice Manager and marked private and confidential, or may be emailed to

We advise that we will make our best endeavour to address complaints within 30 days of receipt of your complaint.

Should you be unsatisfied with our response to your privacy complaint, you may lodge a written complaint with the NSW Privacy Commissioner, the NSW Health Care Complaints Commission or the Office of the Australian Information Commissioner.

Office of the Australian Privacy Commissioner
Deals with complaints about private health service providers or organisations holding health or 1300 363 992.

NSW Health Care Complaints Commission
Deals with complaints about confidentiality of medical records and conduct of health workers in or 1800 043 159.

NSW Privacy Commissioner
Deals with matters about health privacy, which include dealing with complaints concerning the private sector handling of health information in New South or 1800 472 679

RACGP 4th edition Standards 4.2.1.