Privacy Policy

Home / Privacy Policy

The practice team can describe how we correctly identify our patients using 3 patient identifiers, name, date of birth, address or gender to ascertain we have the correct patient record before entering, actioning or releasing anything from that record.

Patient consent for the transfer of health information to other providers or agencies is obtained on the first visit and retained on file in anticipation of when this may be required.

As a rule no patient information is to be released to a 3rd Party unless the request is made in writing and provides evidence of a signed authority to release the requested information, to either the patient directly or a third party. Where possible de identified data is released.

Written requests should be noted in the patient’s medical record and also documented in the practice’s Request Register. Requests should be forwarded to the designated person within the practice for follow-up.

Requested records are to be reviewed by the treating medical practitioner or principal doctor prior to their release to a third party. Where a report or medical record is documented for release to a third party, having satisfied criteria for release, (including the patients written consent and where appropriate written authorisation from the treating doctor), then the practice may specify a charge to be incurred by the patient or third party, to meet the cost of time spent preparing the report or photocopying the record. Section 1.01

The practice retains a record of all requests for access to medical information including transfers to other medical practitioners.

Where hard copy medical records are sent to patients or 3 rd Parties copies are forwarded not original documentation wherever possible. If originals are required copies are made in case of loss.

Security of any health information requested is maintained when transferring requested records and electronic data transmission of patient health information from our practice is in a secure format.

Subpoena, Court Order, Coroner Search Warrant

Note the date of court case and date request received in the medical record. Depending on whether a physical or electronic copy of the record is required follow procedures as described above. Refer also to section 8 “Management of potential Medical defence claims’

On occasions a member of staff is required to accompany the medical record to court or alternatively a secure courier service may be adequate. If the original is to be transported, ensure a copy is made in case of loss of the original during transport. Ensure that the record is returned after review by the court.


A patient may authorise another person to be given access if they have the legal right and a signed authority. See 6.3 Patient Requests for Personal Health Information. See also NPP2 Use & Disclosure.

In 2008 the Australian Law Reform Commission recognised that disclosure of information to ‘a person responsible for an individual’ can occur within current privacy law. If a situation arises where a carer is seeking access to a patient’s health information, practices are encouraged to contact their medical defence organisation for advice before such access is granted.

Individual records are advised for all family members but especially for children whose parents have separated where care must be taken that sensitive demographic information relating to either partner is not recorded on the demographic sheet. Significant court orders relating to custody and guardianship should be recorded as an alert on the children’s records.

External Doctors and Health Care Institutions

Direct the query to the patient’s doctor and or the practice manager/principal doct0L

Police/ Solicitors

Police and solicitors must obtain a case specific signed patient consent (or subpoena, court order or search warrant) for release of information. The request is directed to the doctor.

Health Insurance Companies IWorkers Compensation/ Social Welfare Agencies

Depending on the specific circumstances information may be need to be provided. It is recommended that these requests are referred to the Doctor.

It is important that organisations tell individuals what could be done with their personal health information and if it is within the reasonable expectation of the patient then personal health information may be disclosed. Doctors may need to discuss such requests with the patient and perhaps their medical defence organisation.


If the patient has signed consent to release information for a pre-employment questionnaire or similar report then direct the request to the treating doctor.

Government Agencies – Medicare/Dept. Veterans Affairs

Depending on the specific circumstances information may be need to be provided. It is recommended that doctors discuss such issues with the medical defence organisations.

State Registrar of Births, Deaths and Marriages

Death certificates are usually issued by the treating doctor.


There are a large number of Centrelink forms (treating doctor’s reports) which are usually completed in conjunction with the patient consultation

Accounts/ Debt Collection

The practice must maintain privacy of patient’s financial accounts. Accounts are not stored or left visible in areas where members of the public have unrestricted access. Accounts must not contain any clinical information. Invoices and statements should be reviewed prior to forwarding to third parties such as insurance companies or debt collection agencies.

Outstanding account queries or disputes should be directed to the practice manager/bookkeeper or principal.

Hint: Practices may like define an adequate period of time between the initial account and pursuing aggressive collection.

Students (Medical & Nursing)

This practice does participate in medical student education.

The practice acknowledges that some patients may not wish to have their personal health information accessed for educational purposes. The practice always advises patients of impending student involvement in practice activities and seeks to obtain patient consent accordingly. The practice respects the patient’s right to privacy.

Researchers/Quality Assurance Programs

Where the practice seeks to participate in human research activities and/or continuous quality improvement (CQI) activities, patient anonymity will be protected. The practice will also seek and retain a copy of patient consent to any specific data collection for research purposes.

Research requests are to be approved by the Practice Principal/ practice partners and must have approval from a Human Research Ethics Committee (HREC) constituted under the NH&MRC guidelines. A copy of this approval will be retained by the practice.

Practice accreditation is a recognised peer review process and the reviewing of medical records for accreditation purposes has been deemed as a “secondary purpose” by the Office of the Federal Privacy Commissioner. As a consequence patients are not required to provide consent.

Patients should be advised of the ways in which their health information may be used (including for accreditation purposes) via a sign in the waiting room and the practice information brochure.


Please direct all enquiries to Practice Manger/ Principal. Staff must not release any information unless it has been authorised by the Practice Manager/ Principal and patient consent has been obtained.


Where patient consent is provided then information may be sent overseas however the practice is under no obligation to supply any patient information upon receipt of an international subpoena.

NPP9 Transborder Data Flows

Disease Registers

This practice submits patient data to various disease specific registers (cervical, breast bowel screening etc) to assist with preventative health management.

Consent is required from the patient with the option of opting in or opting out. Patients are advised of this via a sign in the waiting area and in the practice’s information leaflet.

Telephone Calls

Requests for patient information are to be treated with care and no information is to be given out without adherence to the following procedure:

Take the telephone number, name (and address) of the person calling and forward this onto the treating doctor/principal or Practice Manager where appropriate,