Privacy Policy

Version: 1.0

Date: 20/09/2025

Author: Director

Status: Active

1. Purpose

This policy explains how we collect, use, store and share your personal information, and the limited circumstances in which we may need to disclose it to others involved in your care.

1.1 Definition – Patient Health Record

A patient health record means all health information we hold about you in any form (electronic or paper), including clinical notes, history, medications, allergies, immunisations, referrals, correspondence from other providers, investigation requests/results, images, care plans, prescriptions, consents, communications (phone/SMS/email logs relevant to care), and Medicare/DVA claiming details kept by our practice.

2. Contact Information

Who can I contact about this policy?

  • Email: [email protected]
  • Phone: (02) 4288 2524
  • Post: Privacy Officer, Helios Medical Rooms, PO Box 44 Unanderra NSW 2526

3. Consent Requirements

3.1 When and why is your consent necessary?

When you register as a patient you give consent for our GPs and staff to access and use your personal information to deliver healthcare.

If we ever wish to use your information for a non-healthcare purpose (e.g. direct marketing) we will first obtain your additional, explicit consent.

4. Information Collection and Use

4.1 Why do we collect, use, store and share your personal information?

  • To provide safe, effective healthcare and maintain accurate medical records
  • Billing, Medicare/DVA claiming and reconciliation
  • Internal quality improvement, practice accreditation and staff training
  • Mandatory disease notifications and other legal requirements

4.2 What personal information is collected?

  • Name, date of birth, address, phone, email
  • Medical history, medications, allergies, immunisations, family and social history
  • Medicare number, Individual Healthcare Identifier, health-fund details

4.3 Can you deal with us anonymously?

Yes, where practical and lawful. For most clinical services we must confirm your identity to meet safety and Medicare requirements.

4.4 How is personal information collected?

  • New-patient registration (paper or HotDoc online form)
  • Phone calls, SMS, email, social media messages
  • Referrals and reports from other providers (via HealthLink secure messaging)
  • My Health Record uploads/downloads (we participate, but use is not mandatory)
  • Electronic prescribing
  • CCTV footage in common areas, entry and exit points (retained approximately 30 days)

Note: We do not permit clinical photos to be taken on personal devices.

4.5 Anonymity and Pseudonymity

Where lawful and practicable, you may interact with us anonymously or using a pseudonym (e.g., general enquiries). Identification is required where mandated by law (e.g., prescriptions, Medicare claiming) or where anonymity is impracticable for safe clinical care.

5. Information Sharing

5.1 When, why and with whom do we share your personal information?

For your ongoing care, we rely on implied consent to share relevant information with other treating providers (you can tell us not to share; we'll record and respect that unless required or authorised by law).

We may share information:

Purpose                      Typical recipient
Ongoing care                 Other GPs, specialists, pathology and imaging providers
Business services            Accreditation bodies; IT vendors (bound by confidentiality and the Australian Privacy Principles)
Legal obligations            Court orders/subpoenas; mandatory disease notifications
Serious threat               Recipients able to prevent or lessen a serious threat to life, health or safety
De-identified quality data   Primary Health Network (population-health reporting; de-identified data only)

5.2 Overseas Recipients

We do not disclose identifiable patient information to overseas recipients. Our clinical software, secure messaging, hosting and backups are located in Australia, and our vendor contracts prohibit offshore access to identifiable patient data. If you ask us to send records to an overseas provider, we will obtain your explicit consent and handle it under APP 8. If this position changes, we will update this policy and, where practicable, list the relevant countries.

6. Marketing and Communications

6.1 Will your information be used for marketing purposes?

With your consent we may send targeted health-promotion messages (e.g. flu-clinic reminders) by SMS/email. You can opt out at any time. We do not sell or rent patient lists to third parties.

6.2 How is your information used to improve services?

De-identified data are periodically supplied to the PHN and used internally for audit, research and staff education. Patients who do not wish their data to be included can advise reception.

7. Technology and Automation

7.1 Document Automation Technologies

We generate referrals, health-summaries and certificates through Best Practice (clinical software) and HealthLink secure messaging. Access is restricted by individual log-ins and role-based permissions.

7.2 Artificial Intelligence (AI) Scribes

We use Heidi AI to assist doctors with note-taking.

  • Servers located: Australia only
  • Audio files: deleted immediately after transcription

Patients may request that Heidi AI not be used during their consultation.

8. Data Security and Storage

8.1 How is your personal information stored and protected?

  • Electronic records: Microsoft Azure data centres in Australia, protected by encryption, firewalls and multi-factor authentication
  • Daily encrypted cloud backups (Australia only)
  • Paper documents: locked filing cabinets in staff-only areas
  • CCTV footage: stored on a secure DVR, automatically overwritten after approximately 30 days
  • All staff and contractors sign confidentiality agreements

9. Patient Rights

9.1 Access and Correction

Submit a written request (email or letter) to [email protected] or mail to PO Box 44 Unanderra NSW 2526.

We will respond within 30 days. There is no fee for access or correction, though a reasonable charge may apply for large record compilations or transfers. Proof of identity (three identifiers) is required.

How to request records:

  • Email: [email protected] with the subject "Request for Medical Records"
  • In person: complete the request form at reception
  • Mail: written request to PO Box 44 Unanderra NSW 2526

See the Requests for Medical Information policy for the full process, fees and timeframes.

9.2 Privacy Complaints

Write to the Privacy Officer using the contact details in Section 2. We aim to resolve all complaints within 30 days.

If you are not satisfied, you may contact:

  • Office of the Australian Information Commissioner: www.oaic.gov.au | 1300 363 992

If you are in NSW and believe your health information privacy has been breached, you may also complain to the NSW Information and Privacy Commission (IPC) under the Health Records and Information Privacy Act 2002. Time limits and process are explained by the IPC: https://www.ipc.nsw.gov.au/resources/fact-sheet-privacy-related-complaints-under-hrip-act

10. Record Retention

10.1 Retention Periods

  • Active patients: records retained indefinitely
  • Inactive patients (no contact for 7 or more years):
    - Adults: minimum 7 years from the last entry
    - Paediatric: until age 25 or 7 years from the last entry, whichever is longer
    - Deceased: minimum 7 years from death
  • Inactive patient review: annual review; a letter is sent to advise of pending archival
  • Destruction: secure destruction only; destruction certificates retained

See the Health Information Management policy for full retention procedures.

11. Website Privacy

Our public website does not collect personal information via contact forms. We use Google Analytics cookies to collect aggregated, anonymous usage statistics.

12. Policy Review

This policy is reviewed at least annually or whenever we change how we operate or when legislation changes. The latest version is always available on our website; significant changes will be communicated directly to patients.

Next review date: 20/09/2026

Version Control

  • 12 June 2025: initial draft
  • 30 June 2025: add Heidi AI
  • 18 September 2025: clarify implied consent, add APP 6/8 carve-outs