Privacy Policy
· Overview
We respect your privacy and are committed to protecting the confidentiality of your personal information. We are also committed to practicing good privacy governance and to ensuring our information handling and collection practices comply with the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles constituted under the Privacy Act (APPs) and the Health Records and Information Privacy Act 2002 (NSW) (Health Records Act).
This Privacy Policy outlines how Marulan Medical Centre (Marulan Medical Centre, we, us or our) collects, stores, uses and discloses personal information (including sensitive information). This Privacy Policy also provides information on how you can access and correct the information we hold about you and our complaints process.
Please read this statement carefully and contact us if you have any questions.
Definition of Patient Health Record
A patient Health Record is a comprehensive collection of clinical information regarding a patient’s physical and mental health, compiled from various sources. It includes detail such as medical history, chief complaints, diagnostic and therapeutic procedures performed and the current status of the patient. The terms medical record, health record and medical chart are often used interchangeably to describe this systemic documentation of a patient’s medical history and care over a period of time.
· The types of personal information we collect
· Personal information
· Personal information is information or an opinion about you or from which you can be reasonably identified.
· The types of personal information we collect include:
· private information, such as your name, signature, home address, email address, telephone number, country of birth, date of birth, your family history and lifestyle factors;
· information about your working practices, such as your employment details and job title.
· Sensitive information
· We also collect sensitive information. Sensitive information is a form of personal information, and is information or an opinion of a sensitive nature.
· In providing you our services, we may collect the following types of sensitive information:
· information about your health or mental health (including notes about the symptoms you describe or your doctor's observations, opinions of your health, prescription information, contact and billing details, test results and reports and your Medicare number);
· your ethnicity;
· your sexuality; or
· your religion.
· How do we collect your personal information?
· We generally collect personal information directly from you when you:
· make an enquiry;
· book an appointment;
· attend our practice;
· access our website.
· We may also collect your personal information from third parties including service providers.
· In some circumstances, personal information may also be collected from other sources, including:
· Your guardian or responsible person.
· Other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services, and pathology and diagnostic imaging services.
· Your health fund, Medicare, or the Department of Veterans’ Affairs (if relevant).
· While providing medical services, further personal information may be collected via:
· Electronic prescribing
· My Health Record
· Online appointments
· Cookies
Our website https://www.marulanmedical.com.au/ may use “cookies” technology to store data on your computer using the functionality of your browser. Many websites do this because cookies allow the website publisher to do useful things like find out whether the computer has visited the site before.
You can modify your browser to prevent cookie use – but if you do this our service (and our website) may not work properly. The information stored in the cookie is used to identify you. This enables us to operate an efficient service and to track the patterns of behaviour of visitors to the website.
In the course of serving advertisements to the website (if any), third-party advertisers or ad servers may place or recognise a unique cookie on your browser. The use of cookies by such third-party advertisers or ad servers is not subject to this Privacy Policy, but is subject to their own respective privacy policies.
· What happens if you don’t provide us with your personal information?
You can choose not to provide us with your personal information. However, this may prevent us from providing you the assistance or services you require or from otherwise interacting with you.
· Can you use our services anonymously or pseudonymously?
You can deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.
· How we hold your personal information
· How we hold and protect your personal information and Health Information
· We hold your personal information in your medical record, in both hardcopy and encrypted electronic forms in secure databases that we own and operate or that are owned and operated by our service providers.
· We have implemented security measures to protect personal information we hold about you from misuse, loss, unauthorised access, modification or disclosure. These measures include securing information both in physical and electronic form, having internal procedures and measures limiting access to information only to those who need access for their legitimate purposes and protecting our systems with appropriate security measures.
· Your treating doctor may hold their own separate medical record about you.
· Marulan Medical Centre does not record telehealth consultations or audio-visual consultations.
When and why is your consent necessary?
When you register as a patient of this practice, you provide consent for the GPs and practice staff to access and use your personal information to facilitate the delivery of healthcare. Access to your personal information is restricted to practice team members who require it for your care. If we ever use your personal information for purposes other than outlined in this document, we will obtain additional consent from you.
It is important to us that as our patient, you understand why we collect and use your personal information.
By acknowledging this Privacy Policy you consent to us collecting, holding, using, retaining and disclosing your personal information in the manners described below.
· Consent
· Consent is obtained via the registration form signed when registering with Marulan Medical Centre.
· Verbal consent is obtained when a phone consult is conducted with a Doctor or Nurse.
· Consent for transfer of medical records is signed by a patient to obtain medical records from another Medical Practice; a record of this request is kept on file.
· A signed consent form is required before medical records will be released from Marulan Medical Centre to another Medical Practice; a record of this request is kept on file.
· Verbal consent is always required before release of any information to a third party.
· Why we collect and use your personal information?
· We collect and use your personal information through lawful and fair means so we can perform our business activities and functions.
· We may use your personal information for purposes other than the primary purpose but only if we are required or permitted by law to do so.
· We will only collect your sensitive information if:
· that information is reasonably necessary for us to carry out our functions or activities; and
· you have consented to us doing so.
· Some ways we use your personal information are:
· to provide you with health care services;
· to communicate with you;
· to communicate with Medicare and other government agencies;
· to communicate with your insurer;
· to perform accounting, billing and other administrative and operational functions; and
· to comply with any legal requirements.
· Disclosure of your personal information - To whom do we disclose your personal information?
· We only disclose your personal information for the primary purpose for which it was collected. We may disclose your personal information for purposes other than the primary purpose but only if we are required or permitted by law to do so.
· We do not share your personal information with anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent.
· Some third parties to whom we disclose your personal information include:
· with third parties for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
· with other healthcare providers (e.g. in referral letters)
· when it is required or authorised by law (e.g. court subpoenas)
· when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
· to assist in locating a missing person
· to establish, exercise or defend an equitable claim
· for the purpose of confidential dispute resolution process
· when it is a statutory requirement to share certain personal information (e.g. some diseases require mandatory notification)
· during the provision of medical services, through electronic prescribing or My Health Record (e.g. via Shared Health Summary, Event Summary).
· Do we disclose your personal information to interstate or overseas recipients?
We generally will not disclose your personal information to third parties located outside of Australia. If we need to disclose your personal information to overseas recipients, we will ensure any such disclosure is made in accordance with the APPs and Health Records Act.
· How is your information used to improve services?
The practice may use your personal information to improve the quality of the services offered to patients through research, analysis of patient data for quality improvement and for training activities with the practice team.
We may provide de-identified data to other organisations to improve population health outcomes. If we provide this information to other organisations, patients cannot be identified from the information we share, and the information is secure and is stored within Australia. You can let reception staff know if you do not want your de-identified information included.
At times, general practices are approached by research teams to recruit eligible patients into specific studies which require access to identifiable information. You may be approached by a member of our practice team to participate in research. Researchers will not approach you directly without your express consent having been provided to the practice. If you provide consent, you would then receive specific information on the research project and how your personal health information will be used, at which point you can decide to participate or not participate in the research project.
· Direct marketing
· Direct marketing means using your personal information to contact you via the phone, SMS or email to promote our services.
· You acknowledge that by providing us with your personal information we may contact you to promote and market our services.
· We will never use or disclose your sensitive information, including your health information, for direct marketing purposes unless we have received your explicit permission to do so.
· You can opt-out at any time from being contacted by us for direct marketing by emailing “unsubscribe” to reception@marulanmedicalcentre.com.au
· How are document automation technologies used?
Document automation is where systems use existing data to generate electronic documents relating to medical conditions and healthcare.
The practice uses document automation technologies to create documents such as referrals, which are sent to other healthcare providers. These documents contain only your relevant medical information.
These document automation technologies are used through secure medical software, Best Practice.
All users of the medical software have their own unique user credentials and password and can only access information that is relevant to their role in the practice team.
The practice complies with the Australian privacy legislation and APPs to protect your information.
All data, both electronic and paper, is stored and managed in accordance with the Royal Australian College of General Practitioners Privacy and managing health information guidance.
· Access and correction of your personal information
· Accessing your personal information
· You can make a request for access to your personal information in writing.
· We will endeavour to give you access to your personal information in the way you request. However, we may give you access to your personal information in a different way if the way you want to access your personal information is unreasonable or impractical.
· In certain circumstances, we may not be able to give you access to your personal information. In these circumstances, we will write to you to explain why we cannot comply with your request.
· We will try to respond to your request for access within 30 days of receiving your request.
· While we will try to give you access to your personal information for free, we may charge you a reasonable fee to cover costs associated with:
· searching for, locating and retrieving your personal information; and
· reproducing and sending you your personal information.
· Correcting your personal information
· We try to ensure any personal information we hold about you is accurate, up-to-date, complete and relevant. From time to time, we may contact you to verify whether the information we hold about you is accurate, up-to-date, complete and relevant.
· If you believe the personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or incorrect, please contact us in writing using the details below and we will take reasonable steps to ensure it is corrected.
· We will try to respond to your request for correction within 30 days of receiving your request.
· Complaints
· We take complaints about privacy seriously.
· If you believe your privacy has been breached or you have a complaint about our handling of your personal information, please contact us in writing using the details provided below.
· If you make a complaint, we will respond within a reasonable time to advise you of the person responsible for managing your complaint. We will try to resolve your complaint within 30 days. When this is not reasonably possible, we will contact you within that time to let you know how long we will take to resolve your complaint.
· We will investigate your complaint and, where necessary, consult with third parties about your complaint. We will decide about how to address your complaint and write to you to explain our decision.
· If you are not satisfied with our decision, you can refer your complaint to the Office of the Australian Privacy Commissioner and/or to the Office of the Information and Privacy Commissioner. Details about how to file a complaint can be found at www.oaic.gov.au or www.ipc.nsw.gov.au.
· Changes to this policy
· This Privacy Policy forms part of the agreement between you and us (either in your capacity as a patient/prospective patient or a third party service provider).
· We may, from time to time, amend this Privacy Policy, in whole or part, in our sole discretion.
· Any changes to this Privacy Policy will be effective immediately upon the posting of the revised Privacy Policy on our website. Depending on the nature of the change, we may announce the change on our website home page or by email (if we have your email address).
· However, in any event, by continuing to use the website and/or our service following any changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Privacy Policy, as amended from time to time, in whole or part, you must terminate your use of the website and inform us immediately prior to any further receipt of our services.
· Contact us
All questions or queries about this Policy and complaints should be directed to the Marulan Medical Centre Privacy Officer, whose details are:
Contact: Practice Manager
Email: reception@marulanmedicalcentre.com.au
For further information on your privacy rights, go to: www.privacy.gov.au
For further information on the Health Records Act, go to: http://www.ipc.nsw.gov.au/hrip-act
Reviewed on 11/11/2025 by practice manager F.Irwin
For review in November 2026
At Marulan Medical Centre, we understand that mental health is just as important as physical health. If you or someone you know is struggling with anxiety, depression, or other mental health issues, a variety of resources are available to help:
1. **Beyond Blue**: Offers support for anxiety and depression through their website. You can find helpful information and access their services at [Beyond Blue](https://www.beyondblue.org.au/).
2. **MindSpot**: Provides free internet-delivered psychological assessment and treatment for stress, anxiety, worry, depression, low mood, OCD, and trauma (PTSD). Learn more at [MindSpot](https://mindspot.org.au/).
3. **Phoenix Australia**: Specializes in resources for Post-Traumatic Stress Disorder (PTSD). You can find comprehensive information at [Phoenix Australia](https://www.phoenixaustralia.org/).
4. **Black Dog Institute**: Provides a wealth of information and resources for mental health support, including chat and telephone support options. Visit [Black Dog Institute](https://www.blackdoginstitute.org.au/) for more details.
5. **Moodgym**: An interactive self-help program designed to help you learn and practice skills that can prevent and manage symptoms of depression and anxiety. Check it out at [Moodgym](https://moodgym.com.au/).
Remember, seeking help is a sign of strength. If you're facing challenges with your mental health, don't hesitate to reach out to these valuable resources.
Our Home Visits policy outlines the procedures for providing home visits in accordance with the 5th edition of the Royal Australian College of General Practitioners (RACGP) standards. Home visits are available for patients within a 15km radius of the clinic who require home-based consultations due to incapacity, postoperative immobility, mobility issues, or severe chronic illnesses. A preliminary telephonic assessment by a GP determines eligibility. Fees include a standard charge for home visits, with additional costs for after-hours or emergency visits. Patients can request home visits via phone during 9am-5pm, and our GPs will conduct comprehensive consultations in the patient's home, ensuring quality care and confidentiality. We encourage patient feedback and regularly review our policy to meet evolving healthcare needs.
Reviewed January 2026 by practice manager
MY HEALTH SECURITY AND ACCESS POLICY
My Health Record Security and Access Policy
This Policy is for Marulan Medical Centre, referred to throughout this policy as “the organisation”.
Version No.: 1
Date: 10/02/2026
Purpose
· To provide guidance for staff and contractors on access to, and use of, the My Health Record system.
· To provide guidance in the use of information technology in the organisation as it relates to the My Health Record system.
· To outline the roles and responsibilities of the Responsible Officer (RO) and the Organisation Maintenance Officer (OMO) in relation to the My Health Record system.
Scope of Policy
This policy applies to all staff (including its employees and any healthcare provider to whom the organisation supplies services under contract) with access to the My Health Record system.
This policy should be reviewed at least annually, with any material new or changed risks to be identified in accordance with the review considerations outlined in Rule 42 (6) of the My Health Records Rule 2016.
Related Documents and Links
This policy is to be read in conjunction with the documents listed below, each of which can be accessed via the Australian Government Federal Register for Legislation.
My Health Records Act 2012 (Cth)
My Health Records Rule 2016
My Health Records Regulation 2012
My Health Records (Assisted Registration) Rule 2015
Healthcare Identifiers Act 2010 (Cth)
Privacy Act 1988
Definitions
Access Flag
An information technology mechanism made available by the System Operator to define access to a consumer’s My Health Record.
Healthcare Identifiers (HI) Service
‘Healthcare Identifiers Service’, a national system for uniquely identifying healthcare providers, organisations and individuals receiving care. The HI Service is a foundation component of all national digital health products and services, including My Health Record. Healthcare identifiers are used to help ensure individuals and healthcare providers have confidence that the right information is associated with the right individual at a particular point of care.
Information Commissioner
The Office of the Australian Information Commissioner (OAIC) is the independent national regulator for privacy and freedom of information. They oversee the privacy aspects of the My Health Record system.
Network
Network of healthcare provider organisations created and managed in accordance with subsections 9A(3) to (6) of the Healthcare Identifiers Act 2010.
Network organisation
The healthcare provider organisation which is part of a Network and is subordinate to a Seed Organisation; it can be used to represent different departments, sections or divisions within an organisation or can be separate legal entities from the Seed Organisation. A network organisation within a network has the meaning given by subsection 9A(6) of the Healthcare Identifiers Act.
Organisation maintenance officer (OMO)
An OMO for a healthcare provider organisation has the meaning given by subsection 9A(8) of the Healthcare Identifiers Act.
For the OMO's full roles and responsibilities, see section 5 below.
Provider portal
A read-only portal provided by the System Operator that allows identified healthcare providers from participating healthcare provider organisations to access the My Health Record system without having to use a conformant clinical information system.
Responsible officer (RO)
An RO for a healthcare provider organisation has the meaning given by subsection 9A(7) of the Healthcare Identifiers Act.
For the OMO's full roles and responsibilities, see section 5 below.
Seed organisation
The healthcare provider organisation which provides or controls the delivery of healthcare services; in a Network, the Seed Organisation is the principal entity in the Network. A seed organisation for a network has the meaning given by subsection 9A(5) of the Healthcare Identifiers Act.
My Health Record System Operator
Established under the My Health Record Act, the entity responsible for operating the My Health Record system. The System Operator is the Australian Digital Health Agency.
Organisation Structure, Roles and Responsibilities
Organisation Structure
To participate in the My Health Record system all healthcare providers and organisations must first be registered with the HI Service. Healthcare provider organisations will usually participate in the My Health Record system as a ‘Seed Organisation’ only. However, in large or complex organisations, there may be a network made up of a Seed Organisation and one or more ‘Network Organisations’ that is part of or subordinate to the Seed Organisation.
The organisation is registered in the HI Service as at 1/02/2024.
My Health Record System Roles
The My Health Record system requires people to be assigned to key roles, which authorises them to carry out certain actions in relation to the organisation’s access to, and use of, the system. These roles are set out below:
Role: RO
HI Service:
· Register a Seed Organisation
· Maintain the HPI-O details with the HI Service
· Maintain their own RO details with the HI Service (add or remove RO)
· Maintain OMO details with the HI Service (add or remove OMO) for seed and network levels
· Retire, deactivate and reactivate the HPI-O
· Maintain links between the Seed Organisation (and any Network Organisation/s) and any Contracted Service Provider.
See section 9A(7) of the Healthcare Identifiers Act for the full list of RO responsibilities in relation to the HI Service.
My Health Record System:
· Authorise the addition/removal of HPI-Os
· Adjust the My Health Record system Access Flags for participating organisations within their hierarchy (OMO at seed level can also do this)
· Set HPI-O/HPI-I authorisation links (OMO can also do this).
Role: OMO
HI Service:
· Maintain their own OMO details
· Request PKI certificate(s) (or link existing one) for organisation(s) they are linked to (note: only OMOs can request a NASH via HPOS)
· Register a network HPI-O for network levels below
· Register OMO details for network levels below
· Validate, link or remove linked HPI-Is to HPI-O(s) they are linked to
· Publish HPI-O details in the Healthcare Provider Directory (HPD) for HPI-Os they are linked to
· If required, maintain a list of authorised employees within the organisation who access the HI Service.
See section 9A(8) of the Healthcare Identifiers Act for the full list of OMO responsibilities in relation to the HI Service.
My Health Record System:
· Set and maintain Access Flags according to the organisational network hierarchy, in accordance with meeting the principles outlined in the My Health Record Rules
· Act on behalf of the Seed and Network organisation(s) (that they are linked to) according to the hierarchy
· Maintain accurate and up-to-date records of the linkages between organisations within their network hierarchy.
Responsible Officer Details
The RO: Dr Imran Syed
The OMO: Fiona Irwin
Please note you can assign multiple OMOs; simply add any additional OMO names above.
Keeping Organisation Information Up-To-Date
If the organisation becomes aware that information held by the HI Service in relation to the organisation is not accurate, up-to-date and complete, the RO or OMO must provide an update to the HI Service in writing of the correct information. This shall be provided within 20 days of the organisation becoming aware that the information held is not accurate, up-to-date and complete.
If the organisation undergoes a material change, the RO or OMO must give the System Operator, in writing, details of the material change within two business days.
A material change may be:
· a change in the financial administration status of the organisation;
· a change in the organisation’s legal name;
· a change in the organisation’s legal structure; or
· the organisation is involved in a merger or acquisition.
Access and Use of the My Health Record System
Authorising Access to the My Health Record System
Practice staff access to the My Health Record system is required as part of your role and responsibility.
All staff members required to access the My Health Record system will be provided with a unique user account with individual login name.
The organisation will maintain records linking user accounts to individual staff so that these can be matched in the case of an audit or investigation by the System Operator.
The organisation will maintain records (for example staff rostering records) to allow it to determine which user accessed the My Health Record system on a particular day. These records must be maintained to allow audits to be conducted by the System Operator.
· A user account must only be used by the individual to whom it was assigned. It is the responsibility of the OMO to:
· Provide a unique user account with individual login name for each authorised user; and
· Immediately suspend or deactivate individual user accounts in cases where a user:
· leaves the organisation
· has the security of their account compromised
· has a change of duties so that they no longer require access to the My Health Record system
· is no longer authorised to access the My Health Record system.
Staff Passwords/Logging Out
Staff will ensure that they assign a secure password to their user account and keep their password secret. Staff must review and change their password every 30 days.
All staff who have access to the My Health Record system will ensure that they log out of the system when they are not using it to prevent unauthorised access.
In some instances, clinical software will be used to assign and record unique internal staff member identification codes. This unique identification code will be recorded by the clinical software against any My Health Record system access.
Identifying Staff Who Access the My Health Record System
Provider Portal
Where a healthcare provider in the organisation accesses the My Health Record system on behalf of the organisation via the National Provider Portal, the OMO will establish and maintain accurate and up-to-date authorisation links via HPOS (Health Professional Online Services) to ensure only those healthcare providers who are authorised can access the Provider Portal. If an individual healthcare provider is no longer authorised to access the provider portal on behalf of the organisation, the OMO will need to ensure the System Operator is informed and the individual is removed as an authorised user.
Conformant Software
Where healthcare providers in the organisation access the My Health Record system on behalf of the organisation via conformant clinical software, the OMO will maintain a record of authorised Healthcare Provider Identifier – Individual (HPI-I) numbers in the clinical software and in the organisation’s internal records.
As mentioned above, clinical software will be used to assign and record unique internal staff member identification codes. This unique identification code will be recorded by the clinical software against any My Health Record system access.
Staff Training
The organisation has a formal training program where all staff with authorisation to access the My Health Record system on behalf of the organisation are required to undertake regular and ongoing privacy and My Health Record system training. Access to the My Health Record system will not be authorised to staff members until this training program is completed. Where any ongoing training requirements are not met, staff members' authorisation will be revoked until training is completed.
The organisation requires staff to complete re-training or refresher training on the My Health Record every 12 months, and as required.
The organisation keeps a central register of staff training. This register captures: what the training was about, who received the training, when it was provided, and who or how the training was provided.
Staff will be provided with training on how to access the My Health Record system accurately and responsibly. Staff training will consist of training materials made available by the System Operator or other materials that the organisation deems relevant, and training specific to the clinical software used by the organisation. Training will also cover the legal obligations on healthcare provider organisations and individuals using the My Health Record system and the consequences of breaching these obligations.
The OMO will oversee a register of staff training as it relates to the My Health Record system, including the names of those who have completed training and the date on which training was completed.
Security and Privacy Procedures
Mitigation Strategies
To ensure that My Health Record system related security risks can be promptly identified, acted upon and reported to the organisation, the organisation will:
· Regularly review its security and procedures for accessing the My Health Record system, report the findings to management and revise procedures accordingly;
· Establish a risk reporting procedure to allow staff to inform management regarding any suspected security issue or breach of the system; and
· Consider, and where appropriate conduct, a risk assessment of its ICT systems that examines privacy and security risks, and conduct this assessment on a regular basis.
Reporting Data Breaches
Under section 73 of the My Health Record Act and Privacy Act 1988, the RO or OMO is required to report a data breach to the System Operator (ph. 1800 723 471) and the Information Commissioner (ph. 1300 363 992) as soon as practicable after becoming aware that the following has, or may have, occurred:
· a person has, or may have, contravened this Act in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record; or
· an event has, or may have, occurred (whether or not involving a contravention of this Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system; or
· circumstances have, or may have, arisen (whether or not involving a contravention of this Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system; and
· the contravention, event or circumstances directly involved, may have involved or may involve the entity.
If any staff member becomes aware of a data breach, including where their user account has been compromised or someone has used their computer to gain unauthorised access to the My Health Record system, they are to immediately inform their manager, who in turn is required to inform the RO or OMO. If only the OMO is informed, it is the OMO’s responsibility to ensure that the RO is made aware of the issue.
The RO or OMO will create a log entry of the breach including details of the date and time of the breach, the user account that was involved in the unauthorised access, and which patient’s information was accessed (where known).
The OMO will also undertake appropriate mitigation strategies, including, but not limited to:
· Suspending/deactivating the user account
· Changing the password information for the account
Patient Document and Record Codes
Patients have the ability to set a number of privacy controls on their My Health Record. A patient can set a code that restricts access to providers for certain documents contained within their record; they can also set a different code that restricts access to providers to their entire record.
Where a patient of the organisation provides a My Health Record document or record code to unlock their record, the code must not be retained or recorded in the local patient record by staff, and must be disposed of securely (if, for example, it is written on paper). Staff must also ensure the practice’s IT system does not retain a copy of the record or document code.
Responding to Patient Complaints
The organisation will make patients aware of the process for raising issues or complaints and will log any issues of which they are made aware.
If a patient raises an issue in relation to unauthorised access to their My Health Record, the organisation shall take steps to investigate the issue. Unauthorised access should be managed through the organisation’s existing privacy complaint management processes and privacy policy.
Where a patient asks the organisation to remove or amend a clinical document, and the treating medical practitioner agrees, the medical practitioner or his/her delegate shall take steps to amend or remove the document as soon as possible.
In cases where there is disagreement between the treating medical practitioner and the patient about amendments to a clinical document, and the treating medical practitioner does not consider an amendment to be appropriate, then the medical practitioner may choose to remove the document. If the medical practitioner does not consider the removal of the document to be appropriate, then the medical practitioner should discuss this with the patient and where relevant direct the consumer to exercise their personal controls over the document.
Note: Where a patient requests that their information not be uploaded to their My Health Record, the healthcare provider organisation is legally required to comply.
Policy Implementation and Maintenance
Maintaining this Policy
The implementation and maintenance of this policy is the responsibility of the RO, including that:
· the policy has a version number;
· each time the policy is updated, the new version contains a unique version number and the date when that iteration came into effect;
· a copy of each version of the policy is retained;
· this policy will be reviewed when material is updated, changed, or risks are identified and at least annually; this review will include identification of new risks and consideration of anything that may result in unauthorised access, misuse or unauthorised disclosure of information or accidental disclosure of information, and of any changes to the My Health Record system or relevant legislative framework since the last review; and
· a copy of this policy is made available to the System Operator within 7 days of receiving a request from the System Operator for a copy of the policy, and the copy provided is the version of the organisation’s policy that was in force on the day requested by the System Operator.
Policy Manager
(person nominated to implement and maintain the policy)
Name: Fiona Irwin
Tel: 02/4841 1223
Email: m.nurse@marulanmedicalcentre.com.au
Approval Authority
(person responsible for content and updates as set out in the ‘Policy Implementation and Maintenance’ section above)
Name: Dr Imran Syed
Tel: 02/4841 1223
Email: isyed@marulanmedicalcentre.com.au
Next Review Date
February 2027 (must be within 12 months from date of approval)
Document Version History
Document version #: 1
Approved/amended/rescinded: 10/02/2026
Date: 10/02/2026
Approved by: Dr Syed
Our Communication Response Policy outlines the expectations and standards for responding to patient phone calls and emails in a timely, consistent, and professional manner, ensuring safe, high-quality care and clear communication. It applies to all staff involved in patient communications and includes the following key points:
1. **General Principles**: All communications are treated with respect and confidentiality. Urgent matters are escalated promptly, and significant interactions are documented.
2. **Phone Call Response Standards**: Incoming calls are answered quickly during business hours. Voicemails are checked regularly, and responses are provided on the same business day whenever possible. Clinical callbacks occur within 24-48 hours, with urgent concerns escalated immediately.
3. **Email Response Standards**: General administrative emails are acknowledged within 1-2 business days, while clinical inquiries are triaged and answered within 2 business days. Urgent emails prompt immediate phone contact with the patient.
4. **Safety and Limitations**: Email is not suitable for urgent issues, and patients are encouraged to seek in-person appointments for sensitive matters.
5. **Documentation**: Significant advice or decisions via phone or email are documented in the patient’s medical record on the same day.
6. **Review and Quality Improvement**: The policy is reviewed annually to ensure compliance and improvement.
reviewed February 2026 Practice Manager
for review February 2027