Privacy Policy
Patient Privacy and Confidentiality Policy
Flex Physio is dedicated to protecting your privacy and the confidentiality of your personal and health information. This policy details how we collect, use, store, and disclose your information, complying with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), and incorporating the Privacy and Other Legislation Amendment Act 2024 (POLA). “Personal Information” identifies you; “Health Information” is sensitive personal data requiring higher protection. Your use of our services indicates agreement with this policy.
1. Our Commitment to Your Privacy
Your privacy is vital to our trusting relationship. We understand the sensitive nature of health information and uphold the highest standards of confidentiality and data protection. We strictly adhere to all Australian privacy laws and ethical guidelines, managing your information with utmost care and integrity.
2. What Information Do We Collect?
To provide effective physiotherapy, we collect only necessary information for diagnosis, treatment, and ongoing care. This includes:
- Personal Information: Your name, address, date of birth, contact details, emergency contacts, and billing information (Medicare, DVA, third-party billing information).
- Health Information (Sensitive): Your medical history, symptoms, diagnosis, treatment plans, progress notes, referrals, relevant test results, and other health-related details you provide.
3. How We Collect Your Information
We primarily collect information directly from you when you:
- Complete new patient forms.
- Attend appointments.
- Communicate with us in person, by phone, email, or via our website.
With your explicit consent, we may also gather relevant information from trusted third parties, such as:
- Other Healthcare Providers: For integrated care, e.g., your GP or specialists.
- Third-Party Payers: If your treatment is covered by external entities like Workers’ Compensation or a motor vehicle accident insurer, always with your prior authorization.
4. Why We Collect Your Information
We collect, hold, use, and disclose your information to deliver exceptional physiotherapy and manage our practice. Our core purposes include:
- Providing Comprehensive Care: To assess, diagnose, develop treatment plans, and monitor progress for safe, effective, and tailored interventions.
- Facilitating Communication: To contact you regarding appointments, treatment, and follow-up care.
- Practice Management: For accurate billing, efficient administration, and meticulous record keeping.
- Coordinated Care: With your consent, to liaise with other healthcare providers for holistic treatment outcomes.
- Meeting Legal and Ethical Obligations: To fulfill mandatory reporting requirements and other legal duties.
We will not use your sensitive health information for direct marketing without your explicit consent.
5. When We May Disclose Your Information
We strictly control information disclosure. Your data is shared only for original purposes, directly related secondary purposes, or when legally required or permitted. Potential recipients include:
- Other Healthcare Professionals: With your express consent, for integrated care.
- For Billing and Claims: To Medicare, DVA, or your private health insurer.
- For Third-Party Payers: To Workers’ Compensation or TAC, with your authorization.
- Professional Advisors: For essential business, financial, or legal advice.
- Accrediting Bodies: For quality assurance, often using de-identified data.
Australian privacy law permits disclosure without your explicit consent in specific, limited situations to protect significant public or individual interests, such as:
- Serious Threat to Life, Health, or Safety: To prevent serious harm to you or another individual.
- Serious Public Health or Safety Threat: To lessen or prevent a public health emergency.
- Required by Law: Mandated by court order, subpoena, or specific legislation.
- Law Enforcement: For police investigations or legal proceedings.
- Locating a Missing Person: In rare instances, to assist in finding a missing person.
6. Cross-Border Data Disclosure
Our practice uses cloud-based systems that may store or process your data on overseas servers. We take reasonable steps to ensure any overseas recipient adheres to privacy protections substantially similar to, or stronger than, the Australian Privacy Principles. This involves selecting providers with robust security and establishing strong contractual agreements.
7. Data Quality and Security (Reasonable Steps)
We prioritize maintaining the integrity and security of your information. We implement comprehensive reasonable steps, including technical and organisational measures, to ensure your data is accurate, current, complete, relevant, and protected from misuse, loss, or unauthorized access/disclosure. Our measures include:
- Secure Physical Records: Stored in locked cabinets with restricted access.
- Encrypted Electronic Systems: Password-protected and encrypted software, regularly updated.
- Robust Cybersecurity Protocols: Advanced measures like firewalls, anti-malware, and intrusion detection.
- Restricted Access: Limited to authorized staff on a “need-to-know” basis.
- Regular Staff Training: Comprehensive training on privacy obligations and secure handling.
- Confidentiality Agreements: All staff legally bound to protect your information.
- Secure Data Destruction: Information no longer legally required is securely destroyed or de-identified.
8. Your Rights Regarding Your Information
Under Australian privacy law, you have significant rights over your data:
- Access & Correction: You can request access to or correction of your records in writing. We respond within a reasonable timeframe (typically 30 days). A reasonable administrative fee may apply. If refused, we provide written reasons.
- Statutory Tort for Serious Invasion of Privacy: The POLA Act grants a direct legal right to seek redress through courts for serious privacy invasions (intrusion upon seclusion or misuse of private information).
9. Anonymity and Pseudonymity
While we offer anonymity where lawful and practicable, comprehensive physiotherapy often requires knowing your true identity for:
- Clinical Safety: Accurate diagnosis and treatment.
- Continuity of Care: Consistent record keeping.
- Billing and Claims: Legal requirement for processing.
- Communication: Effective interaction with you and other providers.
Therefore, identifiable information is generally necessary for effective physiotherapy services.
10. Automated Decision Making
We use automated processes for administrative efficiency (e.g., appointment reminders). However, we do not use automated decision-making for clinical care or processes significantly impacting your rights. All clinical decisions are made by a qualified physiotherapist.
11. Data Breaches
In the unlikely event of an eligible data breach (unauthorised access, disclosure, or loss likely to cause serious harm), we are legally obligated to act swiftly:
- Prompt Notification: We will notify you and the OAIC as soon as practicable, detailing the breach and our response.
- Data Breach Response Plan: We have a comprehensive plan for containment, assessment, mitigation, and review to prevent future occurrences.
12. Privacy Complaints
If you have privacy concerns, please contact our Privacy Officer in writing first. We conduct fair internal investigations, responding within a reasonable timeframe (typically 30 days). If unresolved, you may lodge a formal complaint with the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner (OAIC)
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: www.oaic.gov.au
13. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in practices, services, or legal requirements. The most current version will always be available on our website and at our practice reception.