Management of Patient Health and Information Policy

Current as of: May 2026

Purpose

This policy outlines how Elanora Heights Medical Practice collects, uses, stores, accesses, discloses, and protects patient health information in accordance with:

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)
  • Health Records and Information Privacy Act 2002 (NSW)
  • RACGP Standards for General Practices (5th Edition)
  • Relevant Medicare and My Health Record requirements

The practice is committed to maintaining the confidentiality, integrity, security, and accuracy of all patient health information.

Policy Statement

Elanora Heights Medical Practice recognises that patient health information is sensitive information and will ensure it is managed lawfully, securely, and respectfully.

The practice will:

  • Collect only information necessary for patient care and business operations
  • Protect patient privacy and confidentiality
  • Ensure health information is accurate and up to date
  • Restrict access to authorised personnel only
  • Securely store and dispose of records
  • Respond appropriately to privacy breaches and patient requests


Scope

This policy applies to:

  • General practitioners
  • Nurses
  • Allied health practitioners
  • Reception and administration staff
  • Contractors, students, and temporary staff

It applies to:

  • Electronic medical records
  • Paper records
  • Emails and SMS communications
  • Audio or visual recordings
  • Scanned documents
  • Billing and administrative records


Collection of Health Information

The practice collects health information necessary to:

  • Provide medical treatment and healthcare services
  • Manage appointments and billing
  • Communicate with patients and other healthcare providers
  • Meet legal and regulatory obligations

Information collected may include:

  • Personal identification details
  • Medical history
  • Medications and allergies
  • Investigation results
  • Medicare and health fund information
  • Emergency contact details

Health information is generally collected directly from the patient or authorised representative.

Where appropriate, information may also be collected from:

  • Hospitals
  • Specialists
  • Pathology or imaging providers
  • My Health Record
  • Other treating healthcare providers


Consent

Patient consent is obtained:

  • During registration and intake
  • Prior to disclosure where required
  • Before releasing records to third parties unless authorised by law

Consent may be:

  • Express
  • Implied
  • Written where required

Patients may withdraw consent, subject to legal and clinical limitations.


Use and Disclosure of Health Information

Health information may be used or disclosed for:

  • Ongoing patient care
  • Referrals and specialist consultations
  • Prescriptions and investigations
  • Billing and Medicare claims
  • Accreditation and quality improvement activities
  • Legal or mandatory reporting obligations

The practice will not disclose patient information to third parties without consent unless:

  • Required by law
  • Necessary to prevent serious threat to life, health, or safety
  • Permitted under privacy legislation


Access to Patient Health Information

Patients may request access to their health information in accordance with applicable legislation.

Requests:

  • Should preferably be made in writing
  • Will be responded to within a reasonable timeframe
  • May incur an administrative fee where permitted

Access may be refused in limited circumstances permitted by law, including where access:

  • Poses a serious threat to health or safety
  • Unreasonably impacts another person’s privacy
  • Is unlawful

Where access is refused, the patient will be informed of the reason and complaint options where appropriate.


Correction of Health Information

Patients may request correction of inaccurate, incomplete, or outdated information.

The practice will:

  • Take reasonable steps to correct information where appropriate
  • Document any disputed information where correction is not made

Clinical opinions made in good faith are generally not removed from records.


Storage and Security of Health Information

Electronic Records

The practice maintains secure electronic medical records using password-protected systems.

Security measures include:

  • Individual user logins
  • Access controls
  • Antivirus and firewall protection
  • Secure backups
  • Audit trails
  • Multi-factor authentication where available

Paper Records

Paper records are:

  • Stored securely
  • Accessible only to authorised staff
  • Protected from unauthorised access, loss, or damage

Remote Access

Remote access to practice systems is permitted only through secure authorised systems and in accordance with practice IT security procedures.


Retention of Health Records

Health records are retained in accordance with NSW legal requirements.

Generally:

  • Adult records are retained for at least 7 years from the last patient contact
  • Records for patients under 18 are retained until the patient reaches age 25

Records are securely destroyed when no longer required.


Disposal of Health Information

Health information is disposed of securely through:

  • Confidential shredding of paper records
  • Secure deletion or destruction of electronic data

The practice ensures patient information cannot be reconstructed or retrieved after disposal.

Use of Artificial Intelligence (AI) Assisted Systems

The practice may use approved artificial intelligence (AI) assisted technologies to support administrative and clinical workflows, including document management, transcription, correspondence handling, data extraction, communication support, and health record administration.

AI-assisted systems are used only as support tools and do not replace professional clinical judgement or staff decision-making. All clinically relevant information and document allocation processes are reviewed by appropriately authorised practice staff.

Where AI-enabled systems are used, the practice will take reasonable steps to ensure:

  • Patient confidentiality and privacy are maintained
  • Access to information is restricted to authorised users
  • Systems comply with applicable Australian privacy and security requirements
  • Information is managed in accordance with the Privacy Act 1988 (Cth), Australian Privacy Principles, and Health Records and Information Privacy Act 2002 (NSW)
  • Third-party providers implement appropriate cybersecurity and data protection measures
  • Staff receive training in the safe and appropriate use of AI-assisted technologies

The practice will not knowingly use AI systems in a manner that compromises patient privacy, data security, or safe clinical care.


Data Breaches and Privacy Incidents

The practice takes privacy breaches seriously.

Examples include:

  • Unauthorised access
  • Lost or stolen devices
  • Incorrect disclosure of information
  • Cybersecurity incidents
  • Unauthorised disclosure or processing by third-party software or AI-enabled systems

All staff must report suspected breaches immediately to the Practice Manager or Practice Owner.


The practice will:

  • Investigate breaches promptly
  • Contain and mitigate risks
  • Notify affected individuals and authorities where required under the Notifiable Data Breaches scheme


My Health Record

The practice participates in the My Health Record system where applicable.

Access is:

  • Limited to authorised healthcare providers
  • Used only for providing healthcare
  • Managed in accordance with My Health Record legislation and system requirements

Patients may control their My Health Record participation independently.


Confidentiality Obligations

All staff must:

  • Sign confidentiality agreements
  • Maintain patient privacy at all times
  • Access information only as required for their role
  • Avoid discussing patient information in public areas

Confidentiality obligations continue after employment ends.


Staff Training

Staff receive training on:

  • Privacy legislation
  • Confidentiality
  • Cybersecurity awareness
  • Secure handling of health information
  • Data breach procedures
  • Safe and appropriate use of AI-assisted systems

Training occurs:

  • During induction
  • Periodically thereafter
  • Following major legislative or system changes


Patient Privacy Information

The practice provides patients with access to:

  • The practice Privacy Policy
  • Information about how health information is managed
  • Complaint and feedback processes

This information is available:

  • At reception
  • On the practice website
  • Upon request


Complaints

Patients may make privacy complaints directly to the practice.

Complaints will be:

  • Managed confidentially
  • Investigated promptly
  • Responded to respectfully and fairly

Patients may also contact:

  • NSW Privacy Commissioner
  • Office of the Australian Information Commissioner (OAIC)
  • OAIC Privacy Complaints


Monitoring and Review

This policy will be reviewed:

  • Annually, or
  • Earlier if legislation, RACGP standards, or practice systems change