Move & Grow Physiotherapy is committed to protecting the privacy and confidentiality of information it collects, and the way in which it is used, stored and disclosed.
We understand that information entrusted to us by our patients is private and confidential. Any personal information collected by Move & Grow Physiotherapy is treated as confidential and, as an allied health provider who holds health information, we are bound by the Privacy Act 1998 (“Privacy Act”) and are guided by the Australian Privacy Principles (APP) issued by the Australian Information Commissioner.
This legislation imposes additional obligations on the collection, use and disclosure of such information, which has a higher level of privacy protection than other personal information. The requirements of Move & Grow Physiotherapy’s Confidentiality Policy apply in equal measure to the personal and health information of our patients.
- how and what personal information we collect;
- the purpose for which it is collected, used, stored and disclosed;
- accessing and/or correcting personal and health information we hold in relation to our patients;
- storage of personal information;
- right to withdraw consent; and
- complaints in relation to how we have handled a patient’s personal and health information.
What is Personal Information?
Personal information means information, or an opinion, that could identify an individual, and includes both sensitive information and health information.
Personal information includes:
- an individual’s name, signature, address, phone number or date of birth; and
- employee record information; and
Sensitive information includes personal information that includes information or opinion about an individual’s:
- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- trade union membership or associations
- sexual orientation or practices
- criminal record
- health or genetic information
Health information is any personal information about a patient’s health or disability, and includes information or opinion about one’s illness, injury or disability, including but not limited to:
- notes of a patient’s symptoms or diagnosis
- information about a health service the patient has had or will receive
- specialist reports and test results
- prescriptions and other pharmaceutical purchases
- genetic information
- wishes about future health services
- appointment and billing details
- any other personal information about the patient
How Do We Collect Personal Information?
Move & Grow Physiotherapy collect personal information about our patients in a number of ways, including in person, in writing, by telephone and email, generally when:
- a potential new patient contacts us to seek treatment
- a patient completes a New Patient Information or an Initial Interview form
- a patient has interactions with us where we record notes, including treatment sessions
- a patient provides feedback or lodges a complaint
We may also receive personal information indirectly or from third parties where it is reasonably expected the patient would have consented to the personal information being shared, including but not limited to:
- from a patient’s legal guardian or responsible person;
- from other involved health care providers when we receive a medical report or other referral; and
- third parties responsible for the management and payment of a patient’s services at Move & Grow Physiotherapy.
What Personal Information We May Collect & Hold
At Move & Grow Physiotherapy, we only collect personal information that is reasonably necessary for us to carry out our work. Personal information we collect may include, but is not limited to, the following information:
- Telephone Number
- Date of birth
- Marital status
- Email address
- Medicare card number
- NDIS number
- Credit Card number
- Health Information
- General practitioner
- Referring doctor
- Transaction details associated with services we have provided to a patient
- Any additional information provided to us by the patient
- recorded material (including audio and/or video format)
For What Purpose Do We Collect, Store, Use & Disclose Personal Information?
We collect, store, use and disclose a patient’s personal information only for the reasons it was collected and in order to provide our patients with the agreed therapeutic supports and as part of the therapeutic relationship, including:
- assessing a patient’s suitability for intake with Move & Grow Physiotherapy and/or other health services;
- managing our ongoing relationship with the patient, including:
  - service planning and monitoring patient progress
  - providing treatment and care
  - assisting other health care professionals in their treatment and care
  - providing information about treatment and care, if required and with consent
- answering queries patients have in relation to the services provided;
- the preparation of referrals and/or reports to other medical or allied health professionals;
- gathering feedback and quality assurance reviews to improve our services;
We may also collect, store, use and disclose personal information in order to:
- train employees or people otherwise engaged by Move & Grow Physiotherapy;
- resolve any legal and/or commercial complaints or issues;
- meet any legislative requirements as they apply to Move & Grow Physiotherapy as a health care provider; and
- perform any of our functions and activities relating to our business, including to meet our internal administrative requirements, in the processing of accounts for payment, the communication of important information and/or marketing.
Move & Grow Physiotherapy will not use or disclose a patient’s personal information for any reason other than those outlined above, or for a secondary purpose, unless an exception applies, including:
- where a patient has consented to Move & Grow Physiotherapy using or disclosing personal information for a secondary purpose;
- a secondary purpose that is required or authorised under an Australian law, or court or tribunal order.
Move & Grow Physiotherapy do engage and/or interact with third parties in the performance of our business functions and activities, including professional service organisations and government agencies. Personal information may be provided to these third parties to enable them to provide their agreed services (for example, billing patients, etc). All third parties engaged by Move & Grow Physiotherapy are required to sign a confidentiality declaration.
Move & Grow Physiotherapy seek consent at the time of patient intake for the use of photographs and digital imagery for use in:
- assessment and record of baseline skills;
- development of therapy programs; and
- applications for equipment funding and/or manufacture.
Any recorded material will be used, stored and disclosed, only for the purpose it is collected, or with the explicit or express consent of the patient to use for another purpose.
Storage of Personal Information
Move & Grow Physiotherapy stores personal information in both hard and electronic copy.
We take all reasonable steps to ensure that personal information is securely stored and to protect it from misuse, loss, unauthorised access, modification, interference or disclosure; however, we cannot guarantee that unauthorised access to personal information will not occur.
Move & Grow Physiotherapy utilise Cliniko as their practice software, which meets stringent privacy, security and confidentiality standards. Cliniko stores and processes data in Australia, with infrastructure and communication partners in the US, UK and EU who are accredited and certified. Move & Grow Physiotherapy utilise Western Digital’s My Cloud External Hard Drive for their electronic storage. This hard drive is securely located at the practice and has encryption and password protection.
Move & Grow Physiotherapy also adopt the following electronic and physical security measures:
- locked storage of personal records;
- use of document shredding;
- authentication and password controls for electronic records; and
- screensavers for when devices are not in use.
Regular risk assessments are conducted to ensure the appropriate availability, integrity and confidentiality of personal information managed through our systems and programs.
We do not disclose personal information for any purpose to anyone outside of Australia, except with the express consent of our patients. Cliniko stores and processes data in Australia, with infrastructure and communication partners in the US, UK and EU who are accredited and certified.
A patient may withdraw consent at any time, verbally or in writing, in relation to the use, storage and disclosure of any personal or health information previously provided.
Any queries or concerns about the way Move & Grow Physiotherapy have handled a patient’s personal information may be directed to Move & Grow Physiotherapy management at any time.
Formal complaints about the way we have handled personal information are to be lodged in accordance with our Complaints Management Policy.
Should Move & Grow Physiotherapy fail to respond within the notified time frame, or a patient remains unhappy with our response, a formal complaint can be lodged with the Office of the Australian Information Commissioner (phone 1300 363 992 or visit www.oaic.gov.au for further information).
Accessing & Correcting Personal Information
It is important that we maintain accurate, complete and up-to-date personal information, and we regularly request that our patients check and update personal information held by Move & Grow Physiotherapy to ensure it remains current. All patients are asked to let us know if there are any errors or changes in the personal information held by the practice.
It is also important that the health information we hold about patients is accurate, complete, up-to-date, relevant and not misleading. Patients have a right to request access to the health information we hold about them and, if a patient thinks any information we hold about them is incorrect, may request a correction.
Requesting Access or Correction to Personal and/or Health Information
A patient, or their legal guardian or authorised representative, may request access to, or correction of, personal and/or health information we hold.
Management are responsible for considering all requests to access and/or correct personal and/or health information and responding to the patient.
In order to satisfy ourselves that the request comes from a patient, requests for access and/or correction must be in writing and signed by the patient (or their legal guardian or authorised representative), addressed to Move & Grow Physiotherapy management, and include the following:
- patient’s name, address and date of birth; and
- the personal and/or health information requested; and
- how access to the personal and/or health information is preferred (e.g. by email, paper copies or to view); and
- if another person or organisation is authorised to access the personal and/or health information on the patient’s behalf or if the patient would like their record transferred in full to a new provider.
Requests can be emailed to Move & Grow Physiotherapy at firstname.lastname@example.org. Patients are not required to provide a reason for requesting access.
Responding to a Personal and/or Health Information Request
Generally, we will provide the requested information within 30 days of receiving the request.
In certain limited circumstances, we may refuse to provide access, such as if:
- it may threaten the patient or someone else’s life, health or safety;
- it may impact someone else’s privacy; or
- giving access would be unlawful.
If giving certain information would impact someone else’s privacy, we may provide redacted information. If it is not possible to provide information directly to the patient because of a concern for their health or safety, it may be provided through an agreed third party.
If a patient requests access in a way that is unreasonable or not practical, we will endeavour to provide it in another satisfactory way.
Where we refuse to provide requested access and/or to provide information in the requested way, we will provide the patient with written notice outlining the reasons for refusal and/or why we were unable to provide information in the requested way, and the patient’s rights to complain about the refusal and how to do so.
Responding to a Personal and/or Health Information Correction Request
Generally, we will respond to a request to correct any personal and/or health information within 30 days of receiving the request.
Upon receiving a request to correct any personal and/or health information held by Move & Grow Physiotherapy, we will consider the reasons for holding such information and review the patient’s health information to determine if it is correct.
We will take reasonable steps to respond to the request and will add, change or delete personal information, including sensitive or health information, where appropriate.
It is important to recognise that our opinion may differ from that of our patients and their families, carers or other representatives but this does not mean it is inaccurate.
We may refuse to correct personal information, including any sensitive or health information, where doing so would be unreasonable, for example where we have a legal obligation to hold particular information about a patient for a certain period or where we believe the health information we hold is accurate.
Where we refuse a request to correct a patient’s personal or health information, we will provide the patient with written notice outlining:
- the reasons for refusing to correct the personal or health information;
- the patient’s right to request that:
  a) a statement be associated with their personal information (i.e. a statement that the patient thinks their personal information is inaccurate, out of date, irrelevant or misleading; we must take reasonable steps to associate the statement with the patient’s personal information so that the statement is apparent to users of the personal information); and/or
  b) a statement be associated with their health information (i.e. a statement that the patient thinks the health information is inaccurate, out of date, irrelevant or misleading; we must take reasonable steps to attach the statement to their health information so that other health service providers will know the patient disagrees with the information, including but not limited to printing a statement to attach to a physical record or linking the statement to a digital record); and
- the patient’s rights to complain about the refusal and how to do so.
Requesting personal and/or health information held by Move & Grow Physiotherapy is free; however, we reserve the right to charge an administrative fee for giving access, to cover the cost of deciding, searching for, locating and retrieving the information and providing the personal and/or health information. The fee will be discussed at the time of receiving a request to provide personal and/or health information and will be based on the extent of the individual request.
Requesting a correction to personal and/or health information held by Move & Grow Physiotherapy does not incur a charge.