This practice is bound by the Commonwealth Privacy Act – Privacy Amendment (Private Sector) Act 2000 and also complies with the Victorian Health Records Act 2001 and related 10 National (NPPs) and 11 Health (HPPs) Privacy Principles.

The maintenance of privacy requires that any information regarding individual patients, including staff members who may be patients, may not be disclosed either verbally, in writing, in electronic form, by copying either at the Practice or outside it, during or outside work hours, except for strictly authorised use within the patient care context at the Practice or as legally directed.

There are no degrees of privacy.  All patient information must be considered private and confidential, even that which is seen or heard and therefore is not to be disclosed to family, friends, staff or others without the patient’s approval.  Any information given to unauthorised personnel will result in disciplinary action and possible dismissal.

Each staff member is bound by his/her privacy agreement which is signed upon commencement of employment at this Practice.

Security policies and procedures for patient information are documented (e.g. in policy and procedure manual or other official documents).

All information received in the course of a consultation between a doctor and the patient is considered personal health information.  This information includes medical details, family information, address, employment and other demographic and accounts data obtained via reception.  Medical information can include past medical & social history, current health issues and future medical care. It includes the formal medical record whether written or electronic and information held or recorded on any other medium e.g. letter, fax, or electronically.

Doctors, allied health practitioners and all other staff in this Practice have a responsibility to maintain the privacy of personal health information and related financial information. The privacy of this information is every patient’s right.

The physical medical records (paper or electronic) and related information created and maintained for the continuing management of each patient are the property of this Practice.  The Practice must ensure the protection of all information contained therein.  This information is deemed a personal health record and while the patient does not have ownership of the record he/she has the right to access under the provisions of the Commonwealth Privacy and State Health Records Acts.

Requests for access are to be noted in the patient’s medical record, Patient Request for Personal Health Information Form and Register.


Health records should be kept where constant staff supervision is easily provided. Personal health information is to be kept out of view and not for access by the public e.g. not left on reception desk, in waiting room or other public areas; not left in consulting or treatment rooms unless in possession of a doctor or health care professional or authorised Practice staff; not left unattended in staff room. The presence of an additional person in the practice may reduce the risk of unauthorised access to patient health information.

Care should be taken that individuals cannot see computer screens that show information about other individuals. Screen savers should be engaged.

Reception and other Practice staff in the main reception area must remember that the waiting room is adjacent and as such staff should maintain low noise levels and not discuss patients, thereby avoiding patient information inadvertently being heard by patients or visitors.

Access to computerised patient information is strictly controlled with personal logins/passwords.  Staff do not disclose passwords to unauthorised persons.  Screens are cleared when information is not being used.  Terminals are logged off when the computer is left unattended.

Patient reports, letters, x-rays are to be received by staff in person at reception and placed in the doctor’s /staff pigeon hole or tray as designated behind reception.

Electronically downloaded pathology and other reports go directly to the referring doctor’s computer for action.

Items for the courier or other pick up are to be left at the reception desk behind the counter, not on top in public view.

When patients are being seen by the doctor/other health care practitioner in a consulting room the door is to be closed for privacy.  Patients also have a curtain within each consulting/treatment room for additional personal privacy if required for undressing/dressing.

Whenever a door to any office, consulting or treatment room is closed staff should knock and wait for a response prior to opening the door and seeking entry or telephone the doctor or staff member.

Doors to consulting/treatment rooms are not to be locked except when the Doctor or other treating health professional is not in and conducting sessions.

The use of privacy locks readily released from within the consulting room is acceptable.

It is the doctor’s/health care professional’s responsibility to keep scripts, medications, medical records and related personal patient information locked, whilst they are not in attendance in their consulting/treatment room.

Staff will notify the practice principal about requests for medical records from any solicitors or government agency.

Requested records are reviewed by the medical practitioner prior to their release to a third party. Where a report or medical record is documented for release to a third party, having satisfied criteria for release, (including appropriate written authorization from the doctor and the patients written consent if appropriate), then the patient’s doctor may specify a charge to be incurred by the patient or third party, to meet the cost of time spent preparing the report or photocopying the record.  Refer to doctor for charges to be raised.

Staff keep a record of when a medical record is photocopied and to whom it is sent.

An appropriate method of patient information destruction is in place with the use of a shredder.

 Subpoena, Court Order, Search Warrant, Coroner

Information required to be released- Inform the patient’s doctor and Practice Manager.  Note date of court case and date request received in the medical record.  Retrieve the record from the filing area.  Replace with tracer card.  Make a copy of the record.  Retain the copy in file and mark as a duplicate on the cover with reason for the copy noted inside.

Sometimes a staff member is required to take the medical record to court.  Telephone the relevant solicitor or Clerk of courts and try to arrange a confidential courier to transport the record in. If the original is to be transported, ensure you keep a copy in case of loss of the original during transport.

Telephone closer to the day requested, if a staff member must take the record physically to court, to ensure the date is correct and the case is still on.  Return the record to the Practice after the review by the court unless otherwise instructed by the court.


No information is to be released unless the request is made in writing and provides evidence of their authority to act on the patient’s behalf.

A patient may authorise another person to be given access if they have the legal right and a signed authority.

Separate records are advised for all family members but especially for children whose parents have separated and care must be taken that sensitive demographic information about either partner is not recorded on the demographic sheet.

 Outside Doctors, Health Care Institutions

Direct query to patient’s doctor.


Police and lawyers must obtain a signed patient consent (or subpoena, court order or search warrant) for release of information.  The request is directed to the doctor.  Where only a signed patient request is obtained the doctor is not legally obliged to release information.

The practice principal should be notified about requests for medical records from any solicitors.

 Insurance Company, Social Welfare Agency

No information to be given.  All enquiries directed to the patient’s doctor.

Release of information is an issue between the patient and the doctor. The patient may seek access under privacy law.


If the patient has signed a consent to release information for a pre-employment questionnaire or similar report then direct the request to the doctor who will respond with the required information.  Otherwise no information is to be released.  When in doubt always refer the request to the doctor.  Patient may seek access via privacy law.

 Dept. Veterans Affairs/Health Insurance Fund

Information must be given out as required, for recovery of payment.


The practice must maintain privacy of patient’s financial accounts.  Accounts are not stored or left visible in areas where members of the public have unrestricted access.

The doctor is asked to review the medical records and billing history of any accounts prior to release for debt collection and ensure they do not contain clinical information and that there has been an adequate period of time between the initial account and pursuing aggressive collection.

The doctor is asked to review accounts released to a third party to ensure they contain only the clinical information required for that purpose e.g. insurance claims, debt collector, TAC.

All complaints regarding account disputes are managed by the practice principal or suitable delegate.


Patients may not wish to have their personal health information used for educational purposes.  This practice respects its patient’s right to privacy and where possible will use de-identified data for case studies.  We will always inform patients of impending students participating in practice activities and ask patients to consent to this.

 Researchers/Quality Program

Where it is desired to publish material related to clinical work or for Practice continuous quality improvement (CQI) activities, the anonymity of patients is to be preserved.

The patient must consent to any specific data collection for research purposes. The practice must have a record of the release of health information by the medical college Quality Assurance and Continuing Professional Development (QA & CPD).  Research requests are to be approved by the Practice Principal and must have approval from a Human research ethics committee (HREC) constituted under the NH&MRC guidelines.

The reviewing of medical records for accreditation purposes is deemed as a “secondary purpose” by the Office of the Federal Privacy Commissioner Australia.  Patients should be advised of the ways in which their health information may be used (including for accreditation purposes) via a sign in the waiting room and the practice information brochure.

 Registrar of Births, Deaths & Marriages

Particularly pertaining to deaths, Medical information may be supplied.  Direct the request to the treating doctor.


Enquiries are to be made with the Practice Supervisor / Manager.  Do not give out any information unless authorised by the Practice Manager.  No information is to be released without the patient’s consent.


If the patient’s consent is given then information can be sent overseas.  Note provisions of NPP9.  Also there is no obligation to supply an original or a copy of the medical record or other patient information upon receipt of a subpoena.

 Disease Registers (For Public Health Purposes)

For cervical screening, CARDIAB, breast screen and other disease specific registers consent is required from the patient to use their personal health information for this purpose.  The patient is given the opportunity to decline inclusion in these types of registers.

 Telephone Calls

Requests for patient information are to be treated with care and no information is to be given out without adherence to the following procedure:

  • Take the telephone number, name and address of the person calling and pass this onto the doctor, if the information requested is of a clinical nature.
  • If the data requested is of a non-clinical nature and an acceptable request (as per Practice policy) then the caller, following confirmation that he/she is legitimate, is called back with the required information.


The following procedure is to be strictly adhered to, due to the medico-legal nature of our patient information, the patients privacy must be protected if sending medical information to multi-user facsimile machines.

Facsimile, printers and other electronic communication devices in the practice are located in areas that are only accessible to the general practitioners and other authorised staff.

  • When faxing patient information, the fax number and identification of the recipient must be confirmed before transmitting. Ask the person requesting the fax to ensure that someone authorised is standing by to receive the fax at that fax machine.
  • Write, “Confidential” on the fax coversheet
  • Check the number dialled before pressing ‘SEND’
  • Keep transmission report produced by the fax as evidence that the fax was sent. Also confirm the correct fax number on the report.


Patient information is only sent via email if it is securely encrypted according to industry and best practice standards.  Refer to computer user manual for more details.  Refer to the GPCG IT Security Guidelines for General Practice.