Privacy Policy

Purpose

To ensure patients and their guardians who receive services from ChildD are comfortable
in entrusting their health information to the staff at ChildD. This policy provides
information to patients and their guardians as to how their personal information (which
includes their health information) is collected and used within the practice, and the
circumstances in which we may disclose it to third parties.

Background and rationale

The Australian Privacy Principles (APP) provide a privacy protection framework that
supports the rights and obligations of collecting, holding, using, accessing and correcting
personal information. The APP consists of 13 principle-based laws and applies equally to
paper-based and digital environments.

This policy will guide ChildD staff in meeting these legal obligations. It also details to
patients/guardians how the practice uses their personal information. The policy must be
made available to patients upon request.

Practice procedure

ChildD will:
• Provide a copy of this policy upon request
• Ensure staff comply with the APP and deal appropriately with inquiries or
concerns
• Take such steps as are reasonable in the circumstances to implement practices,
procedures and systems to ensure compliance with the APP and deal with
inquiries or complaints
• Collect personal information for the primary purpose of managing a patient’s
healthcare and for financial claims and payments
Staff responsibility
ChildD’s staff will take reasonable steps to ensure patients/guardians understand:
• What information has been and is being collected
• Why the information is being collected, and whether this is due to a legal
requirement

• How the information will be used or disclosed
• Why and when their consent is necessary
• ChildD’s procedures for access and correction of information, and responding to
complaints of information breaches, including by providing this policy

Patient consent

ChildD will only interpret and apply a patient’s consent for the primary purpose for which
it was provided. ChildD staff must seek additional consent from the patient/guardian if
the personal information collected may be used for any other purpose.

Collection of information

ChildD staff will need to collect personal information as a provision of clinical services to
a patient at the practice. Collected personal information will include patients’ and or
guardians’:
• Names, date of birth, addresses and contact details
• Medicare number (where available) (for identification and claiming purposes)
• Healthcare identifiers
• Medical information including medical history, medications, allergies, adverse
events, social history, family history and risk factors

A patient’s personal information may be held at the practice in various forms:
• As paper records
• As electronic records

The procedure for collecting personal information is set out below.

1. ChildD staff collects patients’ personal and demographic information via
registration when patients call to make an appointment.
2. During the course of providing dietetic services, the ChildD dietitians will
consequently collect further personal information.
3. Personal information may also be collected from the patient’s guardian or
responsible person or from any other healthcare specialists.

The practice holds all personal information securely, whether in electronic format, in
protected information systems or in hard copy in a secured environment.

Use and disclosure of information

Personal information will only be used for the purpose of providing dietetic services and
for claims and payments, unless otherwise consented to.

The Practice will not disclose personal information to any third party other than in the
course of providing dietetic services, without full disclosure to the patient or the
recipient, the reason for the information transfer and full consent from the patient or
guardian.

ChildD will take reasonable steps to safeguard patient information when sending
information to parents/carers, health professionals, teachers, insurers or other third
parties by email as with other types of communication. ChildD staff will verify the email
address of recipients prior to use. Email communication without the use of passwords or
encryption creates a risk that if the email is intercepted in transit, it can easily be read.
ChildD uses Kalix, a modern cloud-based practice management software to store and
manage medical records, to make appointments and to issue bills. Kalix uses Microsoft
Azure servers located in the United States of America. As a result, the following applies:
• Any personal, sensitive or health information relating to your child (protected
information) may not be subject to the same privacy obligations, principles or
standards as in Australia or any other country; and
• You will not be able to seek redress under the Privacy Act 1988 (Cth) or any other
act relating to sensitive or health information in Australia (or a State or Territory
of Australia);
• You may not be able to seek redress in the USA;
• Server operators in the USA could be subject to laws (such as the PATRIOT Act)
that compel disclosure of protected information.
Exceptions to disclose without patient/guardian consent are where the information is:
• Required by law
• Necessary to lessen or prevent a serious threat to a patient’s life, health or safety
or public health or safety, or it is impractical to obtain the patient and/or
guardians consent
• To assist in locating a missing person
• To establish, exercise or defend an equitable claim
• For the purpose of a confidential dispute resolution process

Access, corrections and privacy concerns

ChildD acknowledges patients/guardians may request access to their health records.
Patients/guardians are encouraged to make this request in writing, and ChildD will
respond within a reasonable time.

ChildD will take reasonable steps to correct personal information where it is satisfied
they are not accurate or up to date. From time to time, ChildD will ask patients/guardians
to verify the personal information held by the practice is correct and up to date.
Patients/guardians may also request the practice corrects or updates their information,
and patients should make such requests in writing.

ChildD takes complaints and concerns about the privacy of patients’ personal
information seriously. Patients should express any privacy concerns in writing. ChildD will
then attempt to resolve it in accordance with its complaint resolution procedure.

This policy will be reviewed regularly and any amendments will be incorporated into the
updated policy.