PRIVACY POLICY

Privacy & Health Records Governance Policy

Version 3.2 (April 2026)
Owner: Emma Newton, Director
Review Frequency: Annually or sooner when improvement identfied

1. Purpose and Scope

This policy outlines how Autonomic Health Pty Ltd collects, uses, stores, protects, shares and retains personal and health information in accordance with:

Privacy Act 1988 (Cth)
Australian Privacy Principles (APPs)
Relevant State/Territory health records legislation
My Health Record legislation (where applicable)

This policy applies to all personal information collected through:

Clinical services (telehealth)
Website and digital platforms
Social media interactions
Administrative and direct communications

This policy supports both internal governance and transparent communication with patients regarding their privacy rights.

2. Healthcare Record System

Autonomic Health uses a secure electronic health record (EHR) system (Halaxy) that:

Is ISO 27001:2022 compliant and PCI DSS aligned
Is cloud-based, encrypted, and securely backed up
Supports accurate clinical documentation and audit trails
Enables secure communication and patient access

3. Types of Information Collected

The service collects personal and sensitive information including:

Identifying information (name, date of birth, address, contact details)
Emergency contact / next of kin details
Clinical history, assessment findings and care plans
Medication and treatment history
Outcome measures
Correspondence with other providers
Payment and billing information

Only information reasonably necessary for care delivery and service operations is collected.

4. Collection of Information

Information is collected:

Directly from patients via intake forms, telehealth consultations and the secure patient portal (multi-factor authentication)
From other healthcare providers with patient consent via secure messaging (HealthLink, ReferralNet) or eFax

Collection is undertaken by lawful and fair means.

5. Patient Identification

At each consultation, three identifiers are confirmed:

Full name
Date of birth
Residential address

This supports safe, accurate identification and documentation.

6. Consent

Autonomic Health recognises that valid consent is central to ethical and lawful handling of personal information.

6.1 When Consent is Required

Consent is obtained when:

Collecting sensitive health information
Sharing information with other providers (unless authorised by law)
Uploading to My Health Record
Recording consultations (if applicable)

6.2 Elements of Valid Consent

Consent is valid only where it is:

Informed – the individual understands what is collected, why, and how it will be used
Voluntary – given freely without coercion
Current and specific – applies to a defined purpose
Given with capacity – the individual can understand and communicate their decision

6.3 Documentation of Consent

Consent is documented in the clinical record
Intake forms include privacy and consent acknowledgement
Verbal consent is recorded where appropriate

7. Purpose of Use

Personal information is collected and used to:

Provide safe and effective healthcare services
Communicate with patients regarding their care
Coordinate care with other providers
Process billing, payments and third-party claims
Respond to enquiries, feedback or complaints
Support administration and service delivery

8. Use and Disclosure

Information is used and disclosed only:

For the primary purpose of care delivery
For directly related secondary purposes reasonably expected by the patient
With patient consent
Where required or authorised by law

This may include:

Referrals and clinical handover
Mandatory reporting (e.g. child safety, risk of harm)
Legal or regulatory obligations
Business transfer (where applicable and lawful)

All disclosures are documented and conducted via secure systems.

9. Communication and Sharing

Health information is shared via secure channels including:

Secure messaging systems (HealthLink, ReferralNet)
eFax via the EHR

Structured templates are used for GP letters, referrals and clinical summaries.

10. Anonymity and Pseudonymity

Due to the nature of healthcare, it is generally not practicable to provide services anonymously or under a pseudonym, as identification is required for safe and continuous care.

11. Direct Marketing

Autonomic Health does not use personal or health information for direct marketing. Patients may opt out of any non-clinical communications.

12. Overseas Disclosure

None.

13. Data Quality and De-identified Data

Reasonable steps are taken to ensure information is accurate, up to date, complete and relevant through:

Clinical documentation standards
Routine verification of patient details
Annual audits

De-identified data may be used for:

Quality improvement
Service evaluation
Business operations

14. Security of Information

Security measures include:

Multi-factor authentication
Encryption
Password-protected systems
Automatic device locking
Restricted access (Director only)
Secure messaging systems
Audit trails

Information is protected from misuse, loss, unauthorised access, modification or disclosure.

15. Storage and Retention

Records are:

Stored securely in encrypted cloud systems
Retained in accordance with legislative requirements
Destroyed or de-identified when no longer required, where lawful

16. Access to Information

Patients may request access to their personal information:

Requests are responded to within a reasonable timeframe
Access is provided in a suitable format where practicable
Identity verification may be required
A reasonable fee may apply

Access may be refused where permitted by law, with written reasons provided.

17. Correction of Information

Patients may request correction of inaccurate or incomplete information:

Corrections are made where appropriate
If correction is refused, a statement may be attached to the record

18. Unsolicited Information

If unsolicited personal information is received:

It is assessed for relevance
If not required, it is securely destroyed or de-identified where lawful

19. Notification of Collection

Patients are informed at or before collection of:

Identity and contact details of the service
Purpose of collection
Use and disclosure practices
Consequences of not providing information
Access and correction rights
Complaint mechanisms
Overseas disclosure

20. Management of Patient Reports

The service:

Receives and reviews external reports
Acts on clinically relevant findings
Communicates with patients
Documents actions taken

Urgent reports are prioritised.

21. My Health Record

The service:

Uses national healthcare identifiers
Read-only access via National Provider Portal
Complies with legislative requirements
Maintains annual staff training
Transition to compliant software to enable uploads is being considered under the Quality Improvement Plan

22. Data Breach Response

In the event of a data breach:

Contain the breach
Assess risk
Notify affected individuals (if required)
Notify the OAIC (if eligible breach)
Document the incident
Review and improve systems

23. Telehealth Privacy

Consultations are conducted in private environments
Secure platforms are used
Patients are encouraged to attend from private locations
Recording only occurs with consent

24. Audit and Quality Improvement

Annual documentation audit includes:

Use of identifiers
Documentation completeness
Consent documentation
Care planning and escalation

Findings inform the Quality Improvement Plan.

25. Complaints

Privacy complaints may be made via:
Email: info@autonomichealth.com.au

Complaints are:

Acknowledged promptly
Investigated
Responded to within a reasonable timeframe

If unresolved, complaints may be made to the Office of the Australian Information Commissioner (OAIC).

26. External Links

Autonomic Health is not responsible for the privacy practices of external websites or services linked through our platforms.