What is personal information?
‘Personal information’ is information or opinion that allows others to identify a person. It includes name, address, email address, phone number and financial information. Personal information includes ‘sensitive information’, such as health information.
What kinds of personal information do we collect?
We collect personal information, including health information, which is reasonably necessary for the purposes of providing billing and account collection services to health service providers.
We typically collect the following types of information about health service providers:
- Address, telephone and other contact details
- Provider number
- Provider location
- Billing information
- Bank account details
We typically collect the following types of information about patients of health service providers:
- Name, date of birth, gender
- Address, telephone and other contact details
- Medicare number
- Health fund and member number
- Date(s) on which the health service was provided
- Medicare item number for the service provided
- Admitting hospital and hospital patient identifier
When may we collect personal information?
Personal information is disclosed to us and collected by us for the primary purpose of billing and recovering payments in relation to health services provided by health services providers.
That purpose is directly related to the provision of health services. Health services practitioners warrant to us that they have obtained all necessary consents to the disclosure of this information to us for this purpose. In addition, we would reasonably expect the patient to provide that consent having regard to general community expectations of how information usually flows within the health system.
It is necessary for us to collect personal information in order to carry out our functions and activities. We may not be able to do so if we are unable to collect such information, or if the information we receive is incomplete or inaccurate.
It is not reasonable or practical for us to collect anonymised or de-identified information about health service providers or patients.
How do we collect personal information?
We usually collect personal information from health service providers and may also collect it from third parties such as health funds. It is not reasonable or practical for us to obtain personal information (including health information) about patients directly from them.
How do we obtain consent to the collection of personal information?
We collect personal information from health service providers who warrant to us that they have obtained all necessary consents from their patients for the lawful use and disclosure of personal information to us. We also collect information from third parties who are authorised to provide it, such as health funds. We do not seek consent directly from patients.
How do we deal with unsolicited information?
For what purposes may we collect, hold, use and disclose personal information?
We hold, use and disclose personal information that we collect for the primary purpose of billing and recovering payments in relation to health services provided by health services providers to their patients.
We may disclose personal information about a health services provider and/or patient to any person who may be liable to make a payment in respect of the health services provided by the health services provider to the patient, including:
- the patient;
- any legal personal representative, attorney or guardian of the patient;
- one or more health funds.
We may also disclose personal information about health services providers and patients to our electronic data storage provider to facilitate secure, confidential storage of the information. We may also use or disclose personal information where authorised or required by law.
How do we store personal information?
We may hold personal information in hard copy records or in the form of electronic records within our software or systems. We store electronic records in Australia with a third party electronic data storage provider.
We take reasonable steps to collect accurate personal information and to secure personal information against unauthorised access, disclosure, misuse, alteration or deletion, including by:
- obtaining binding confidentiality undertakings from employees;
- obtaining binding confidentiality undertakings from our electronic data storage provider, such as undertakings to secure data against unauthorised access, alteration or deletion (including by its employees and contractors) and to store data in jurisdictions where data protections are at least equivalent to those required under OECD guidelines;
- implementing security measures to restrict unauthorised access to our systems and business premises; and
- requiring identification before granting access to personal information, on request.
When we no longer need to retain personal information, then provided that we are not legally bound to retain it, we will destroy records containing the information or permanently de-identify them.
How can personal information be accessed?
Health service providers are entitled to request access to the personal information that they have provided to us.
Patients in relation to whom we possess personal information may request access to their individual personal information.
We require that access requests be made in writing, supported by such information and documents as are reasonably necessary to determine the request. If a request is made verbally, we may require it to be made in writing.
We will take steps to satisfy ourselves as to the identity of the person making the access request and as to the authority of any person who makes an access request on behalf of another person.
We will provide access, or written reasons for refusal, within 45 days (or such other period as is provided by law). Grounds upon which we may refuse access are set out in the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic). For example, we may deny access if granting it would pose a serious threat to life, health or safety or have an unreasonable impact on the privacy of other individuals.
We may provide access by one of the following means, at our discretion:
- we may permit inspection of the information or a print out of it, and provide an opportunity for the inspecting party to take notes about the contents of the information;
- we may provide a copy of the information or any document recording it; or
- we may permit the information to be viewed.
We are not a health service provider and will not explain health information. If an explanation is required, a health services provider should be consulted.
We are entitled to impose a reasonable charge for access to personal information, where permitted by law, and will notify you if any fee applies at the time you request access. However, we are only entitled to impose a fee for access to health information if, and to the extent that, a fee is prescribed under the Health Records Act 2001 (Vic).
Questions and Complaints
- Post: Suite 411, Level 4, 220 Collins Street, Victoria, 3000
- Email: firstname.lastname@example.org
We will respond to you as soon as reasonably practicable.
If you feel that the issue has not been satisfactorily resolved, you may make a complaint to:
- Office of the Australian Information Commissioner
  - Post: Level 3, 175 Pitt Street, Sydney NSW 2000
  - Email: email@example.com
  - Telephone: +61 2 9284 9666
  - Online: www.oaic.gov.au
- Office of the Health Services Commissioner
  - Post: Level 26, 570 Bourke Street, MELBOURNE, VICTORIA 3000
  - Email: firstname.lastname@example.org
  - Telephone: 1300 582 113
  - Online: www.health.vic.gov.au