Purpose

This privacy policy has been developed to ensure Corporate Health Management (CHM) meets its state and federal legislative requirements and remains compliant with the requirements of the Australian Privacy Principles (APPs) and is governed by the Health Records Act (Victoria) 2001 and the Privacy and Data Protection Act 2014.

This privacy policy is to provide information to our patients, on how their personal information (which includes health information) is collected and used within CHM, and the circumstances in which we may share it with third parties.

Why and when consent is necessary

When an employee registers as a participant (patient) within a CHM Occupational Medicine Service(s), they provide consent for our Doctors, Psychologists, Counsellors, Allied Health, and administrative staff to access and use their personal information so CHM can provide patients with the best possible healthcare. Only staff and subcontractors who need to access to personal information will have access to it. If we need to use a patient’s information for anything else, we will seek additional consent from the patient to do this.

When opting into a CHM Occupational Medicine Service(s) the patient may be asked to complete pre-appointment (personal medical history) paperwork, inclusive of consent.

Why do we collect, use, hold and share your personal information?

CHM, in delivering Occupational Medicine Services may need to collect personal information of clients and customers to provide healthcare services. Our main purpose for collecting, using, holding, and sharing personal information is to manage the health of our clients and customers. We also use it for directly related business activities, such as financial claims and payments, practice audits and accreditation, and business processes (e.g. staff training).

It is a mandatory requirement for all vaccinations administered to be recorded to the Australian Immunisation Registry (AIR). This change in regulation came into effect on 1 March 2021. Details such as a patient's Medicare card number will be requested as this is one of the requirements used by AIR to identify and ensure data is matched to the right person. A person’s sex with Medicare is also mandated by AIR where currently only Male/Female are the input fields accepted by AIR. This is not related to, nor a reflection on gender identity

What personal information does CHM collect?

The information CHM may collect about patients, when executing company funded Occupational Health Services includes:

• Names, date of birth, addresses, contact details

• Medical information including medical history, symptoms, medications, allergies, adverse events, immunisations, social history, family history and risk factors

Dealing with CHM anonymously

As per The Privacy Act inclusive of Australian Privacy Principle 2, patients, customers, and clients have the right to deal with CHM anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.

How does CHM collect personal information?

CHM will collect your personal information:

1. When a patient makes their first appointment, they will be provided access to CHM’s required patient history forms.

2. During the course of providing Occupational Medical Services, CHM may collect further personal information via means inclusive of; Electronic Transfer of Prescriptions (eTP) and/or CHM’s IT infrastructure.

3. CHM may also collect a patient’s personal information should they; visit our website, send us an email or SMS, telephone us, engage in Live Chat make an online appointment or communicate with us using social media.

4. In some circumstances, personal information may also be collected from other sources. Often this is because it is not practical or reasonable to collect it from the patient directly. This may include information from:

• Other involved healthcare providers, such as specialists, external allied health professionals, hospitals, community health services and pathology and diagnostic imaging services

• Patient’s health fund or Medicare

• CHM approved sub-contractors

How does CHM collect, share, store personal information for vaccination checks?

• CHM will only use your personal details for the purposes of getting vaccination information to meet legislative, government policy, mandate, or employer policy requirements. We can only see this information when we complete our validations, we cannot see any other medical history or information when using your Medicare details.

• CHM will not share any personal information with employers outside of specified vaccination history for purpose (based on the consent of the employee).

• Data is stored securely by CHM (as per the state and federal legislative requirements and remains compliant with the requirements of the Australian Privacy Principles (APPs) and is governed by the Health Records Act (Victoria) 2001 and the Privacy and Data Protection Act 2014 and will not be used for any other purpose.

• If a vaccination certificate only is provided, only the vaccination status is provided to employers, not the certificate.

Who do we share personal information with?

We sometimes share patient’s personal information:

• With third parties (CHM approved sub-contractors) who work with our practice for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with Australian Privacy Principles (APPs) and this policy

• With other, CHM approved healthcare providers

• When it is required or authorised by law (e.g. court subpoenas)

• When it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent

• To assist in locating a missing person

• To establish, exercise or defend an equitable claim

• For the purpose of confidential dispute resolution process

• When there is a statutory requirement to share certain personal information (e.g. some diseases require mandatory notification)

• During the course of providing Occupational Medicine Services, through Electronic Transfer of Prescriptions (eTP), CHM’s Patient Record Management System

Only people that need to access your information will be able to do so. Other than in the course of providing Occupational Medicine Services or as otherwise described in this policy, CHM will not share personal information with any third party without patient consent.

CHM will not share patient’s personal information with anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent.

Our practice will not use patient’s personal information for marketing any of our goods or services directly to you without expressed consent. If a patient does consent, they may opt-out of direct marketing at any time by notifying our practice in writing.

How do we store and protect information?

Personal information may be stored at our practice in various forms, these include:

• Paper records

• Electronic records

• visual records (X-rays, CT scans, videos and photos)

Our practice stores all personal information securely. To ensure the security of patient information, CHM maintains patient information in the following manners.

Paper and Visual Records: In a secured environment consisting of a CHM operated medical facility, within a locked filing cabinet(s).

Electronic Records: Electronic records are stored utilising CHM’s protected information system which delivers the following in relation to data storage and security:

• Compliant with Australian healthcare storage protocol

• HL7 compliant. HL7 refers to a set of international standards for transfer of clinical and administrative data between software applications

• Ensures all medical records are stored on servers (including backups) within Australia.

• Data transfer is encrypted by using 256 bit SSL connection

• All databases uses local encryption.

Visual Records: Visual records are stored via a combination of paper and electronic record storage methods.

How can I access and correct personal information held by CHM?

You have the right to request access to, and correction of, their personal information. CHM acknowledges you may request access to your medical records. We require this request in writing addressed to “The Quality Manager” at, enquiries@chm.com.au and CHM will respond within 5 business days.

CHM will take reasonable steps to correct personal information where the information is not accurate or up to date. From time-to-time, we will ask for verification or clarification of personal information held by us to ensure it is correct and up-to- date. You may also request that we correct or update your information.

How can I lodge a privacy related complaint, and how will the complaint be handled?

CHM take complaints and concerns regarding privacy seriously. Patients should express any privacy concerns they may have in writing. CHM will then attempt to resolve the complaint in accordance with our resolution procedure. All complaints made in writing will be responded to within seven (7) days.

Complaints to be addressed to: Corporate Health Management Attn. The Quality Manager

Email: enquiries@chm.com.au

Postal Address: 521 Toorak Road, Toorak, 3142, Victoria Contact Number: 03 8584 1900

CHM may also contact the Office of the Australian Information Commissioner (OAIC). Generally, the OAIC will require people to give them time to respond before they will investigate. For further information visit www.oaic.gov.au or call the OAIC on 1300 336 002.

Policy review statement

This privacy policy will be reviewed regularly to ensure it is in accordance with any changes that may occur.