Privacy Policy

01.12.01 Privacy and Maintenance of Medical Records – Privacy and Security of Personal Health Information

 This practice is bound by, and complies with, the relevant privacy and health information legislation including (but not limited to): 

  • Privacy Act 1988 (including the Privacy Amendment Act 2012) and the associated Australian Privacy Principles
  • Health Records and Information Privacy Act 2002
  • Children and Young Persons (Care and Protection) Act 1998

This policy and the underpinning legislation apply to all recorded information about any individual held by the practice, including the formal medical record (whether written or electronic), information held or recorded on any other medium (e.g. letter, fax or electronic file), and information conveyed verbally.

Our practice has a designated person (the practice principal) with primary responsibility for the practice’s electronic systems, computer security and adherence to the protocols set out in our Computer Information Security policy. This responsibility is documented in the Position Description. Tasks may be delegated to others, and this person works in consultation with the privacy officer. Our security policies and procedures regarding the confidentiality of patient health records and information are documented, and the practice team is informed about them at induction and whenever updates or changes occur. The practice team can describe how we correctly identify our patients using three approved patient identifiers (e.g. name, date of birth, address or gender) to confirm we have the correct patient record before entering or actioning anything from that record.

For each patient we have an individual patient health record containing all clinical information held by our practice relating to that patient. The Practice ensures the protection of all information contained therein. Our patient health records can be accessed by an appropriate team member when required. 

Doctors, allied health practitioners and all other staff and contractors associated with this Practice have a responsibility to maintain the privacy of personal health information and related financial information. The privacy of this information is every patient’s right.

The maintenance of privacy requires that information regarding individual patients, including staff members who may be patients, is not disclosed verbally, in writing, in electronic form or by copying, whether at the Practice or outside it, during or outside work hours, except for strictly authorised use within the patient care context at the Practice or as legally directed. There are no degrees of privacy. All patient information must be considered private and confidential, even that which is merely seen or heard, and is therefore not to be disclosed to family, friends, staff or others without the patient’s approval. Sometimes details about a person’s medical history, or other contextual information such as the details of an appointment, can identify them even if no name is attached to that information. This is still considered health information and must be protected under the Privacy Act 1988.

Any information given to unauthorised personnel will result in disciplinary action and possible dismissal. Each staff member is bound by the privacy clause contained within the employment agreement signed upon commencement of employment at this Practice.

Personal health information should be kept where staff supervision is easily provided and kept out of view and access by the public e.g. not left exposed on the reception desk, in waiting room or other public areas; or left unattended in consulting or treatment rooms.

Practice computers and servers comply with the RACGP computer security checklist and we have a sound back up system and a contingency plan to protect the practice from loss of data.

Care should be taken that the general public cannot see or access computer screens that display information about other individuals. To minimise this risk, password-protected screen savers that lock the screen automatically should be engaged.

Members of the practice team have different levels of access to patient health information. To protect the security of health information, GPs and other practice staff do not give their computer passwords to others in the team.

Reception and other Practice staff should be aware that conversations in the main reception area can often be overheard in the waiting room and as such staff should avoid discussing confidential and sensitive patient information in this area.

Whenever sensitive documentation is discarded the practice uses an appropriate method of destruction (e.g. shredding/confidential waste service for paper records or compliant electronic data destruction for electronic records).


Electronic information is transmitted over the public network in an encrypted format using secure messaging software. Where medical information is sent by post the use of secure postage or a courier service is determined on a case by case basis.

Items for collection or postage are left in a secure area not in view of the public.

Incoming correspondence is managed in line with the practice’s Incoming Correspondence Process.



Facsimile machines, printers and other electronic communication devices in the practice are located in areas that are only accessible to the general practitioners and other authorised staff. Faxing is point to point and will therefore usually only be transmitted to one location.

All faxes containing confidential information are sent only after confirming that the fax number belongs to the designated recipient. Faxes received are managed according to the incoming correspondence procedures.

The practice uses the following disclaimer notice on outgoing faxes:

PRIVATE & CONFIDENTIAL: The information contained in this message and its attached files, including replies and forwarded copies, is confidential and intended solely for the addressee(s) and may be legally privileged or prohibited from disclosure and unauthorised use. If you are not the intended recipient, any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication, or any action taken or omitted to be taken in reliance upon this message or its attachments, is prohibited. All liability for viruses is excluded to the fullest extent permitted by law.


Emails pass through various nodes in transit and are at risk of being intercepted. Patient information may only be sent via email if it is securely encrypted according to industry best-practice standards, or after the patient has consented to receiving the information via unencrypted email and that consent has been documented in the patient’s notes.

Patient Consultations

Patient privacy and security of information is maximised during consultations by closing consulting room doors. All examination couches, including those in the treatment room, have curtains or privacy screens.

When consulting room, treatment room or administration office doors are closed, staff should knock and wait for a response before entering, or alternatively contact the relevant person by internal phone or email.

Where locks are present on individual rooms, they should only be engaged when the room is not in use.

It is the doctor’s/health care professional’s responsibility to ensure that prescription paper, sample medications, medical records and related personal patient information are kept secure if they leave the room during a consultation or whenever they are not in attendance in their consulting/treatment room.

Medical Records

The physical medical records and related information created and maintained for the continuing management of each patient are the property of the Practice.  This information is deemed a personal health record and while the patient does not have ownership of the record, he/she has the right to access under the provisions of the Commonwealth Privacy and State Health Records Acts. Requests for access to the medical record will be acted upon only if received in written format.

Computerised records are protected by password-protected computers, screen savers, and staff logging off programs when they move away from a computer. Passwords are changed regularly and are not disclosed to others. Patients are not left unattended in the doctor’s rooms without the screen being locked. All information contained in medical records is protected by restricting access to specific staff members and by the use of secure passwords. Medical records can be accessed remotely from offsite when required (e.g. from aged care facilities); however, offsite access is restricted to the Doctors, Clinical Support and Management staff groups. Both active and inactive patient health records are kept and stored securely.

Computerised Records  

Our practice is considered paperless and has systems in place to protect the privacy, security, quality and integrity of the personal health information held electronically.  Appropriate staff members are trained in computer security policies and procedures.