Our Privacy Policy

WestView Medical
Phone: 03 9282 7525
Email: info@westviewmedical.com.au
Post: 6 Synnot Street, Werribee, 3030, Vic

  1. Introduction
    WestView Medical is a medical practice. We run the administrative aspects of practice management for independent GPs who serve our community. We handle personal information to manage our practice, meet patients’ healthcare needs, and ensure smooth and appropriate flows of information between patients, doctors, aged care facilities, Medicare, DVA, My Health Records, and other healthcare providers.
    WestView Medical is committed to best practice in relation to the management of the personal information we handle. We have developed a policy to protect patient privacy in compliance with the Privacy Act 1988 (Cth) (‘the Privacy Act’) and the Health Records Act 2001 (Vic).
    In this policy, ‘we’, ‘us’, and ‘our’ shall refer to:
    WestView medical records Pty Ltd ATF The Trustee for The Oladiran Family Trust; and employed and independently contracted healthcare practitioners who operate under the umbrella of the practice.
    This policy explains:
    the kinds of information that we collect and hold, which, as a medical practice, is likely to be ‘health information’ for the purposes of the Privacy Act;
    how we collect and hold personal information;
    the purposes for which we collect, hold, use and disclose personal information;
    how you may access your personal information and seek the correction of that information;
    how you may complain about a breach of the Australian Privacy Principles and how we will deal with such a complaint; and
    how we share information with overseas service providers who assist us with information technology and administrative tasks.

If you have any queries, concerns or feedback regarding our Privacy Policy, please do not hesitate to contact us using the details set out at the beginning of this document.
There are further details about privacy at our website at the end of this policy.

  2. What kinds of personal information do we collect?
    The type of information we may collect and hold includes:
    your name, address, date of birth, email and contact details;
    Medicare number, DVA number, IHI number for My Health Records and other government identifiers; and
    other health information about you, including:
    notes of your symptoms or diagnosis and the treatment given to you;
    notes of your preferences (or the preferences communicated by next of kin responsible for your care) regarding medical treatment;
    your specialist reports and test results;
    your appointment and billing details;
    your prescriptions and other pharmaceutical purchases;
    your genetic information;
    your healthcare identifier; and
    any other information about your race, sexuality or religion, when collected by a health service provider.
  3. How do we collect and hold personal information?
    We collect patients’ personal information in various ways:
    from patient registration forms where you enter your details;
    from aged care facilities arranging appointments with our practitioners;
    from you directly when you provide details to doctors during appointments;
    from doctors and administrative staff entering data into our databases including
    medical practice administration software;
    appointment management software;
    from drug charts created and maintained by doctors and other care providers; and
    from other organisations involved in the provision or administration of your healthcare, including:
    other members of your treating team;
    diagnostic centres;
    the My Health Record system;
    electronic prescription services;
    your health insurer;
    the Pharmaceutical Benefits Scheme; and
    the Department of Veterans’ Affairs.
Transfer of patients from other practices/third party
The practice will seek to securely transfer medical records from other practices to our software, and likewise where we are required to transfer records to another practice or third party.
Our website may collect information about website visitors including: webpage views, IP address, referring web site addresses, location, browser type, operating system, domain name, access times and other data typically collected by analytics services like Google Analytics.
We also use cookies to allow us to customise our website to the needs of our users. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature.
However, cookies may be necessary to provide you with some features of our website.

  4. Why do we collect, hold, use and disclose personal information?
    We collect, hold, use and disclose your personal information for the following purposes:
    to provide health services to you;
    to manage the administration of healthcare services including record management, appointment management, account management, billing, arrangements with health funds, pursuing unpaid accounts, and management of our ICT systems;
    to ensure smooth and appropriate flows of information between patients, doctors, aged care facilities, Medicare, DVA, My Health Records, and other healthcare providers;
    to communicate with you and those responsible for your care in relation to the health service being provided to you;
    to comply with our legal obligations, and help healthcare practitioners comply with their legal obligations, including, but not limited to, mandatory notification of communicable diseases, or mandatory reporting under applicable child protection legislation;
    for consultations with other doctors and allied health professionals involved in your healthcare;
    to obtain, analyse and discuss test results from diagnostic and pathology laboratories;
    for identification and insurance claiming;
    if you have a My Health Record, to upload your personal information to, and download your personal information from, the My Health Record system;
    to facilitate electronic prescriptions;
    to monitor the use of our website and optimise it; and
    to liaise with your health fund, government and regulatory bodies such as Medicare, the Department of Veterans’ Affairs and the Office of the Australian Information Commissioner (OAIC) (if you make a privacy complaint to the OAIC), as necessary.
We may provide your personal information, where appropriate, to designated family members involved in your care.
We use third party suppliers to assist with administration including: contractors providing secretarial and administrative services; and IT service providers.
Such suppliers, to the extent necessary to perform their services, may have access to your personal information.
Communications and Spam
We may contact you directly or send you communications and information about our services that we consider may be of interest to you. These communications may be sent in various forms, including mail, phone and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth). If you indicate a preference for a method of communication, we will use that method of communication. In addition, at any time you may opt-out of receiving communications from us by contacting us (see the details below) or by using opt-out facilities provided in the communication and we will ensure that your name is removed from our mailing list.
We will not provide your personal information to other organisations for the purposes of such communications.

  5. Overseas service providers
    We may sometimes engage overseas service providers to assist us with administrative duties.
    These service providers access your personal information to the extent necessary to perform their services.
    We take great care to ensure these overseas recipients of your personal information comply with the Australian Privacy Principles and other privacy laws that apply to us, including through:
    contracts imposing strict privacy compliance obligations; and
    implementing clear data breach response plans.
If you wish to contact these overseas recipients in relation to privacy matters, you may do so through us, using the contact details provided in this privacy policy.

  6. How do we ensure your personal information is safe?
    We strive to maintain the reliability, accuracy, completeness and currency of the personal information we hold and to protect its privacy and security. All personal information, whether stored as a hard copy or in electronic form, is protected from unauthorised access, misuse, interference, loss, modification or disclosure. Some of the steps we take to ensure the security of your personal information include:
    physical security over our paper records and premises, including the use of security alarms;
    staff training on privacy;
    detailed internal processes and systems to protect your privacy; and
    IT security measures including virus controls, firewalls, encryption, user identifiers and passwords to control access to computer systems, 2-factor authentication for emails, and administrative systems that allow rapid change of passwords on any devices that are lost or stolen where your information is stored.
    Our website and email are linked to the internet. No data transfer over the internet is 100% secure. Accordingly, any information which you transmit to us online or via email is transmitted at your own risk.
    Subject to applicable laws, we may destroy records containing personal information when the record is no longer required.
    All patient records are stored electronically. Any incoming paper records containing patient information – such as paper results, correspondence and letters – are scanned into the patient’s electronic file and the paper version is securely destroyed by shredding.
  7. How can you access and correct your personal information?
    You have a right to seek access to, and correction of, the personal information which we hold about you.
    You can contact us using the contact details set out at the beginning of this policy.
    If you make a request to access personal information that you are entitled to access, we will provide you with suitable means of accessing it. We will not charge you for making the request. In circumstances where you request that we provide a copy of your personal information to you, we may charge you a fee to cover our reasonable costs for complying with the request for access.

There may be instances where we cannot grant you access to some of the information we hold. For example, we may need to refuse access if granting access would interfere with the privacy of others. If that is the case, we will provide you with a written explanation of those reasons.
We will normally respond to your request within 30 days.

  8. Privacy related questions and complaints
    If you have any questions about privacy-related issues or wish to complain about a breach of the Australian Privacy Principles, or our handling of your personal information, please contact us using the contact details set out at the beginning of this privacy policy.
    We will normally respond to complaints within 30 days.
    If you are dissatisfied with our response, you may refer the matter to the OAIC:
    Phone: 1300 363 992
    Email: enquiries@oaic.gov.au
    Fax: +61 2 9284 9666
    Post: GPO Box 5218, Sydney NSW 2001
    Website: https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint
  9. Policy updates
    We will review this Policy from time to time to take account of new laws and technology, changes to our operations and other necessary developments. Updates will be made available on our practice website.

Our communications policy
Email communications
In line with our privacy policy, our practice will only engage in communication via telephone, SMS message, in person and fax. We may be able to communicate via email, but we cannot guarantee its security. Where email communication cannot be avoided, the patient or their next of kin (NOK) will be informed and asked for their permission for the correspondence to be sent via email through our official email address, which contains our domain name (@westviewmedical.com.au).

Receiving and returning telephonic communications
Our team ensures that three identifiers are used at the beginning of each call to clearly and correctly identify the patient the caller is referring to. Our team also asks for the caller to identify themselves and crosschecks the information against the patient’s file and their competency. If the caller is not registered in our system as an authorised representative of the patient, we kindly inform the caller that we are unable to provide any information or forward any message to the doctor. We redirect the caller to go through the authorised representative of the patient (being careful not to disclose who that is) or the patient themselves if they are competent.
Where we are returning telephonic communications, we use the same principles as above, being careful to correctly identify the person we are speaking with before discussing any information with them.

Electronic communications
As explained in our Privacy Policy, we use a number of different, secured electronic systems to transfer information to other health professionals.
Examples of the secured pathways we use include secured fax to cloud and encrypted transfer of pathology/radiology referrals if needed.
The practice uses the medical software templates to create patient referrals, ensuring only the most relevant and current information is used for referrals. This template technology is also used in our Health assessments/CMAs, RMMR, DMR, care plans and review documents, along with any other documentation generated by the nursing team.

Your right to access your health records under the Privacy Act
Patients at this practice have the right to access their personal health information (medical record) under legislation: the Commonwealth Privacy Amendment (Private Sector) Act 2000 and the Health Records Act 2001 (Victoria). The HRA gives individuals a right of access to their personal health information held by any organisation in the private sector in Victoria in accordance with Health Privacy Principle 6 (HPP 6). This principle obliges health service providers and other organisations who hold health information about a person to give them access to their health information on request, subject to certain exceptions and the payment of fees (if any).
Public sector organisations continue to be subject to the Freedom of Information Act 1982.
This practice complies with both laws and the National and Health Privacy Principles (NPPs & HPPs) adopted therein. See summary headings of Principles in this section.
Both Acts give individuals the right to know what information a private sector organisation holds about them, the right to access this information and to also make corrections if they consider data is incorrect. Compliance with the access provisions in the Health Records Act 2001 (Victoria) will generally ensure compliance with the Commonwealth Privacy Act.

We have a privacy policy in place that sets out how to manage health information and the steps an individual must take to obtain access to their health information. This includes the different forms of access and the applicable time frames.

Non-GP specialist correspondence/reports
This information forms part of the patient’s medical record, hence access is permitted under privacy law.

Test/investigation results.
This information forms part of the patient’s medical record, hence access is permitted under privacy law.
Note: Amendments to the Privacy Act apply to information collected after 21st December 2001, however they also apply to data collected prior to this date provided it is still in use and readily accessible.

We respect an individual’s privacy and allow access to information via personal viewing in a secure private area. The patient may take notes of the content of their record or may be given a photocopy of the requested information. A GP may explain the contents of the record to the patient if required. An administrative charge may be applied, at the GP’s discretion and in consultation with the Privacy Officer, e.g. for photocopying records, X-rays and for staff time involved in processing requests.
A notice is displayed on our website advising patients and others of their rights of access and of our commitment to privacy legislation compliance. An information brochure is also available that provides further details if required.
Release of information is an issue between the patient and the doctor. Information will only be released according to privacy laws and at the doctor’s discretion. Requested records are reviewed by the medical practitioner prior to their release and written authorisation is obtained.

On receiving your request:
When our patients request access to their medical record and related personal information held at this practice, we document each request and endeavour to assist patients in granting access where possible and according to the privacy legislation.
Exemptions to access will be noted and each patient or legally nominated representative will have their identification checked prior to access being granted.
A patient may make a request in writing only, e.g. by fax, email, letter or by filling in the form provided at the practice. No reason is required to be given. The request is referred to the patient’s doctor or delegated Privacy Officer.
A Request for Personal Health Information form is completed to ensure correct processing. Once completed a record of the request is filed/scanned in the patient record.

Who else can request your health records?
An individual may authorise another person to be given access, if they have the right e.g. legal guardian or Medical Treatment Decision Maker, and if they have a signed authority.

What about a deceased person’s health record?
A request for access may be allowed for a deceased patient’s legal representative if the patient has been deceased for 30 years or less and all other privacy law requirements have been met. Ref: Sec 28 Health Records Act. No mention is made of deceased patient’s access in Commonwealth privacy legislation.

Reasons why we may withhold or refuse to provide health information
Data may be withheld under privacy legislation for the following reasons.
● Where access would pose a serious threat to the life or health of any individual
● Where the privacy of others may be affected
● If a request is deemed frivolous or vexatious
● If information relates to existing or anticipated legal proceedings
● If access would prejudice negotiations with the individual
● If access would be unlawful
● Where denying access is required or authorised by law
See National Privacy Principles in full for comprehensive list of exclusions.

We can deny access
Reasons for denied access must be given to the patient in writing. Note these on the request form. In some cases refusal of access may be in part or full.

If access is granted:
Personal health information may be accessed in the following ways:
● Obtain a copy of our BP records

● Ensure a visible form of ID is presented by the person seeking access. E.g. driver’s licence, passport, other photo identification. Note details on request form.
● Does the person have the authority to gain access? Check age, legal guardian documents; is the person an authorised representative?
If a copy is to be given to the patient, ensure all pages are checked and this is noted in the request form.
If the doctor is to explain the contents to a patient, then ensure an appointment time is made.

Correction of information held by us:
A patient may ask to have their personal health information amended if he/she considers that it is not up to date, accurate and complete.
Our practice must try to correct this information. Corrections are attached to the original health record.
Where there is a disagreement about whether the information is indeed correct, our practice attaches a statement to the original record outlining the patient’s claims.

Expected time frames on receipt of your request:

Acknowledge request – within 14 days.
Complete the request – within 30 days.
