Privacy Policy
Effective: November 2024
1. Introduction
Mildura Health Private Hospital (MHPH) is committed to ensuring the privacy and confidentiality of personal and health information in accordance with the requirements of the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Privacy Amendment (Notifiable Data Breaches) Act 2017, and the Health Records Act 2001. This policy outlines how we collect, use, disclose, and manage personal information while complying with the Australian Privacy Principles (APPs) and Health Privacy Principles (HPPs).
2. Personal Information
“Personal Information” as it is defined in the Privacy Act 1988 is “information or an opinion about an identified individual, or an individual who is reasonably identifiable”, whether the information/opinion is true or not and whether the information/opinion is recorded in a material form or not.
Personal information may include the following:
- Name
- Address
- Sex
- Age
- Financial details
- Marital status
- Education
- Employment history.
Personal information also includes ‘sensitive information’ which may include:
- Ethnic origin
- Religious beliefs
- Sexual preferences
- Criminal records
3. Health Information
Health information, as defined in the Privacy Act, is a particular subset of “personal information”. It refers to information or an opinion about the health or disability (at any time) of an individual; or an individual’s expressed wishes about the future provision of health services; or a health service provided or to be provided to an individual, that is also personal information.
Typically for health service providers this may include, but is not limited to:
- Symptoms
- Examination and test results
- Diagnosis
- Treatment and care information
- Admission and registration information.
4. Collection of Information
MHPH collects information from patients/consumers that is necessary to provide health care services. Information will be collected by fair and lawful means.
Often this may include collecting information regarding health history, family medical and/or family social history, ethnic background, current lifestyle, and financial details.
Only information which is believed to be required to provide a comprehensive service will be collected, and collection will occur only after certain criteria are met:
- The patient consents (willingly providing information is usually sufficient to imply consent to collection of information); or
- The collection is required, authorised, or permitted by law or law enforcement purposes; or
- The information is received through an appropriate disclosure by another health service provider with the patient’s consent; or
- The collection is necessary to prevent or lessen a serious threat to life, health, or safety of the individual or public.
MHPH collects personal information from other individuals, such as employees, contractors, students, job applicants and service providers to enable the Hospital to assess, work with, or transact with them. The personal information that may be collected for those individuals in those circumstances includes name, contact details, qualifications, education, financial details, and employment history.
If you attend the Mildura Health Private Consulting Clinic, the doctor may maintain and keep their own separate medical record about you.
5. Quality of Information
MHPH will take reasonable steps to ensure that patient/consumer personal information which may be collected or disclosed is accurate, complete, and current.
6. Impact when Health Information is not Provided
When health information is inaccurate, incomplete, or withheld, the Hospital may be unable to provide the patient with the services that they are seeking or an appropriate level of service, and clinical care may be compromised.
7. Use and Disclosure of Information
7.1 Use among health professionals to provide treatment
Modern health care practices rely on treatment being provided by a team of health professionals working collaboratively. These may include (but are not limited to):
- Medical Consultants, including a patient’s local General Practitioner
- Radiology and Pathology providers (inclusive of contracted services)
- Allied Health professionals (inclusive of contracted services)
- Hospital employees
- Manufacturer and suppliers of medical equipment/supplies
- Other health service providers.
Health professionals will share health information as part of the process of providing treatment, and will only do this while maintaining confidentiality of all of this information and protecting patient privacy in accordance with the law.
Health information is only disclosed to those health care workers involved in patient treatment.
7.2 Primary and directly related secondary purposes
Along with the provision of patient care, MHPH may collect and disclose personal information in accordance with the Australian Privacy Principles for other directly related purposes. For example:
- To liaise with Medicare, nominated health fund and/or the Department of Veteran’s Affairs, and where required provide information to these entities to verify treatment as applicable and as necessary
- In an emergency where life is at risk and the patient cannot consent
- To provide necessary follow up treatment or ongoing care
- For internal administrative requirements, including invoicing, billing, and account management
- To assist in undertaking risk management, funding, service monitoring, complaints handling, evaluation, quality assurance, accreditation, and staff training/education activities
- To address liability indemnity arrangements with insurers, medical defence organisations and lawyers
- For defence of anticipated or existing legal proceedings
- For other purposes required or permitted by law.
Information that is de-identified, ensuring that an individual’s identity cannot be ascertained, is not covered by the Health Records Act 2001 and may be used and disclosed without consent.
7.3 Unrelated secondary purposes
Health information will not be used for unrelated secondary purposes, unless with the consent of the patient.
These may include:
- to advertise promotional offers and special events
- fundraising
- marketing (either to market the Hospital or the product of someone else)
- research and development
- in relation to direct marketing and fundraising, if the consent cannot practically be obtained, marketing may still occur provided that:
  - the patient/consumer is advised they can be taken off the mailing list at any time
  - the patient/consumer has not previously asked to be taken off the mailing list
  - the health care service clearly displays their contact details in each marketing publication
  - any patient/consumer can be removed from the mailing list by contacting the Privacy Officer on (03) 5022 2611.
7.4 CCTV
MHPH uses camera surveillance systems for the purpose of maintaining the safety and security of its staff, patients, visitors and other attendees to the Hospital. The Hospital will comply with the Australian Privacy Principles in respect of any personal information collected via this mechanism.
7.5 Website
MHPH only collects personal information through our website if patients / consumers voluntarily provide it, for example, if information is submitted via a web page or sent by email. Any personal information provided in this way will be handled in accordance with the principles described within the relevant sections of this Privacy Policy.
MHPH cannot ensure that any information transmitted over the internet is secure, and such information is transmitted at the patient’s / consumer’s own risk. However, once received, MHPH will take all reasonable steps to ensure the information is secure.
When patients / consumers access the website, the Hospital will keep a record of the visit. The Hospital may collect the following information that does not identify the patient / consumer in relation to the use of the website: computer address, date and time of visit, type of browser used, pages visited, information requested. This information is collected for statistical purposes and used to monitor and improve the website and services.
8. Disclosure of Health Information
The disclosure of health information may only be undertaken with the consent of the patient. In general, use or disclosure is permitted for the purpose for which the health information was collected or, otherwise, with the consent of the person to whom it relates.
8.1 Authorised Representative
In the event that a patient is unable to give consent due to incapacity, an authorised representative of the patient may do so. An authorised representative is defined as:
- Immediate family -
  - Parent/child/sibling
  - Spouse/domestic partner
  - Member of individual’s household who is a relative
  - Person nominated to a health provider by the individual as a person to whom health information may be disclosed (inclusive of a person exercising a power of attorney under an enduring power of attorney).
- Parent in relation to a child -
  - Step-parent
  - Adoptive parent
  - Foster parent
  - Guardian
  - Person who has custody/daily care and control of the child.
8.2 Disclosure to Authorised Representative
The Hospital may disclose health information about an individual to an immediate family member of the patient if:
- Either -
  - The disclosure is necessary to provide appropriate health services to or care of the individual, or
  - The disclosure is made for compassionate reasons; and
- The disclosure is limited to the extent reasonable and necessary for the purposes mentioned in point a), and
- The individual is incapable of giving consent to the disclosure, and
- The disclosure is not contrary to any wish –
  - Expressed by the individual before the individual became incapable of giving consent and not changed or withdrawn by the individual before then, and
  - Of which the Hospital is aware or could be made aware by taking reasonable steps, and
- In the case of an immediate family member who is under the age of 18 years, considering the circumstances of the disclosure, the immediate family member has sufficient maturity to receive the information.
9. Security of Information
Health information may be stored in hard copy and/or electronically. All reasonable measures are taken to protect personal health information within MHPH. Medical records and computer systems have controlled access (securely stored and password protected).
Health information is retained and disposed of in accordance with the guidelines from the Public Records Office of Victoria.
9.1 Security considerations
- Misuse – personal information is misused if it is used for a purpose that is not permitted by the Privacy Act.
- Interference – occurs when there is an attack on personal information that the Hospital holds that interferes with the personal information but does not necessarily modify its content.
- Loss – covers the accidental or inadvertent loss of personal information held by the Hospital. This includes the physical loss of personal information (including hard copy documents, computer equipment or portable storage devices containing personal information). Loss may also occur as a result of theft following unauthorised access or modification of personal information or as a result of natural disasters (flood, fire or power outages).
- Unauthorised access – occurs when personal information is accessed by someone who is not permitted to do so. This includes unauthorised access by an employee or independent contractor or unauthorised access by an external third party (e.g. hacking).
- Unauthorised modification – occurs when personal information is altered by someone who is not permitted to do so or is altered in a way that is not permitted under the Privacy Act.
- Unauthorised disclosure – occurs when personal information is made accessible or visible to others outside of the organisation or information is released from Hospital control in a way that is not permitted by the Privacy Act.
10. Access to Information
Patients have a right to access health information which is held in their health record.
An individual may also make a request for some, or all, of their health information to be made available to another health service provider. The individual may also authorise the other health service provider to make this request on their behalf.
Access can be gained by contacting the Privacy Officer on (03) 5022 2611 and/or accessing a “Privacy Information Request Form”, available from the MHPH Document Index of the Q: drive.
All efforts will be taken to respond to this request within thirty (30) days.
Where reasonable and practicable, the Hospital will provide the patient/consumer with the information in the manner it was requested.
10.1 Transfer outside Victoria
If health information is required to be sent outside Victoria, including overseas, MHPH will first attempt to obtain the patient/consumer’s written consent.
If obtaining this consent is not practicable, the information may still be transferred if, as part of the agreement for transfer of that information, the other organisation agrees to comply with MHPH’s privacy obligations to the patient/consumer.
10.2 Withholding Access
Access to health information may be withheld in the following circumstances:
- Providing access would pose a serious and imminent threat to the life or health of the person, or
- Providing access would have an unreasonable impact on the privacy of others, or
- The information is subject to confidentiality where the person who provided the information to MHPH did so on the condition that it remains confidential, or
- The request is vexatious or frivolous, or
- The information relates to legal proceedings between MHPH, and the information would not be required to be disclosed to a court, or
- MHPH is in commercial negotiations with the patient/consumer and the information would reveal our intentions, or
- Providing access would be unlawful or we are required by law to withhold access, or
- Providing access could prejudice the investigation or detection by our organisation or by a government body of an unlawful activity or some serious or improper conduct.
Where health information is withheld, a summary of that information will be considered in place of full access.
10.3 Written Response
If health information is withheld, a written explanation for the reasons will be provided.
10.4 Third Party Intermediary
If health information is withheld, it will be considered whether the provision of access to an independent third party will meet both the needs of the patient/consumer and MHPH.
11. Correction of Information
Patients may request an amendment to their health record should they believe, and are able to establish, that the information is inaccurate, incomplete, misleading or not up-to-date.
MHPH will allow access to the record, or make the requested changes, unless there is a reason under the Privacy Act or other relevant law to refuse such access or to refuse to make the requested changes.
To do so, patients/consumers may make arrangements to alter/update the record by contacting the Privacy Officer on (03) 5022 2611.
If MHPH is unable to accommodate the patient/consumer’s request to correct the personal information, then it will provide the individual with a written notice outlining a) the reasons for the refusal and b) the mechanisms available to complain about the refusal.
12. Openness
All patients are provided with information on how to contact the Privacy Officer(s), at the first point of contact with the Hospital.
13. Identifiers and Anonymity
A numeric identifier is allocated to each patient that attends MHPH to enable ongoing care and treatment to be provided.
In general, it is impracticable for MHPH to provide healthcare to individuals anonymously.
14. Modifications to the Privacy Policy of MHPH
MHPH reserves the right to modify this Policy at any time with reference to constitutional law. These modifications will be made available as they occur.
15. Information relating to Students (Nursing, Medical and Work Experience)
All students who come into contact with, or have access to, confidential information have a responsibility to maintain the privacy, confidentiality and security of that information.
Confidential information may include information relating to:
- Patients and/or family members – such as medical records, conversations and financial information
- Employees, contractors, volunteers, students – such as salaries, employment records, disciplinary actions
- Business information – such as financial records, reports, memos, contracts, computer programs, technology
- Third Parties – such as vendor contracts, computer programs, technology
- Operations improvement, quality improvement, risk management, peer review – such as reports, presentations, survey results.
16. Scope of Policy
The information included in this Policy is relevant to all personnel involved in patient care / Hospital-related business.
The following are examples only. They do not include all possible breaches of privacy, confidentiality or security covered by this Policy.
16.1 Accessing information that you do not need to know to perform your role
- Unauthorised reading of a patient’s medical record or an employee or student file.
- Random searching of WebPas iSoft for familiar names and details, such as phone numbers.
- Accessing information on self, family, friends, co-workers/colleagues/classmates.
16.2 Divulging personal information without the individual’s consent
- Discussing or gossiping about patient details in situations unrelated to direct patient care.
- Telling a relative or friend about a patient, student or staff member you have seen.
- Discussing confidential information in a public area such as a waiting room, public corridor or dining room.
16.3 Sharing, copying or changing information without proper authorisation
- Making unauthorised changes to a patient’s medical record.
- Making unauthorised changes to an employee or student file.
- Copying and forwarding patient, student or staff information to a third party without having verbal or written consent.
16.4 Disclosing patient information without following MHPH guidelines
- Faxing without including an appropriate fax cover sheet that includes a disclaimer.
- Sending unsecured emails.
- Sending information to home computers via email.
17. Notifiable Data Breach
The National Data Breach (NDB) Scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. Examples of harm include:
- Financial fraud including unauthorised credit card transactions or credit fraud
- Identity theft causing financial loss or emotional and physiological harm
- Family violence
- Physical harm or intimidation.
The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm.
This notification must include recommendations about the steps individuals should take in response to the breach. The Office of the Australian Information Commissioner (OAIC) must also be notified of eligible data breaches.
A data breach occurs when personal information that MHPH holds is subject to unauthorised access or disclosure or is lost. A breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems. Examples may include:
- Loss or theft of physical devices or paper records that contain personal information
- Unauthorised access to personal information by an employee
- Inadvertent disclosure of personal information due to human error e.g. email sent to wrong person
- Disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.
An eligible data breach occurs when the following criteria are met:
- There is unauthorised access to, or disclosure of, personal information held by MHPH;
- This is likely to result in serious harm to any of the individuals to whom the information relates; and
- MHPH has been unable to prevent the likely risk of serious harm with remedial action.
Any MHPH NDB response will be in accordance with the OAIC flowchart (link below, current as at Nov24):
Notification of an NDB to the Commissioner is lodged through the Notifiable Data Breach statement form (link below, current as at Nov24):
https://webform.oaic.gov.au/prod?entitytype=DBN&layoutcode=DataBreachWF
Consideration should also be given to other mandatory or voluntary reporting schemes including:
- Financial service providers
- Police or law enforcement bodies
- Australian Securities and Investments Securities (ASIC)
- Australian Prudential Regulation Authority (APRA)
- Australian Taxation Office (ATO)
- Australian Transaction Reports and Analysis Centre (AUSTRAC)
- Australian Cyber Security Centre (ACSC)
- Australian Digital Health Agency (ADHA)
- Department of Health
- Professional associations and regulatory bodies
- Insurance providers.
18. Privacy Complaints
All patients are given information on how to contact the Privacy Officer(s), at the first point of contact with the Hospital.
Staff receiving a verbal complaint should contact the area Manager who will directly address the complaint and notify the Privacy Officer. Depending on the severity of the complaint it may be prudent to notify the Privacy Officer to deal with the complaint when first received.
The Director of Clinical Services (DCS) should be informed of the privacy breach as soon as possible after it has occurred.
Written complaints in relation to privacy are forwarded directly to the Privacy Officer.
The Privacy Officer will conduct a full investigation of the complaint which will include feedback to the complainant. Relevant documentation of the investigation and outcomes is registered in the Hospital’s RiskMan Feedback module and maintained by the DCS in collaboration with the Quality Coordinator.
A summary of complaints is included in the Safety and Quality Report which is available to hospital staff and circulated to the Safety and Quality Management Committee, Private Hospital Committee, Medical Advisory Committee and Board of Directors.
Complaints about interferences with privacy (breaches of Part 5 of the Act or an HPP) are handled by the Health Complaints Commissioner.
Whilst MHPH recognises that all patients have the right to make a complaint to the Commissioner, it is anticipated that every effort will be made to resolve any issues at a local level, prior to this action.
Contact details for the Health Complaints Commissioner, including Complaint Forms, are available from the Privacy Officer, upon request.
