Arubah Health Privacy Policy

As a Health Service provider, we are required to comply with Australian Privacy Laws in accordance with the Privacy Act 1988 (Cth).

In order for us to provide you with our Health Services, we are permitted to ask for your Personal and Health Information, which upon your expressed or implied consent, may be collected, held and used. All Personal and Health Information under the Privacy Act 1988 (Cth) is collected from you for the primary purpose of providing our Health Service. All Personal and Health Information must be handled under the Privacy Act 1988 (Cth) with strict requirements and Health Information must be treated as sensitive information for the purposes of the Privacy Act 1988 (Cth). 

The purpose of this Policy is to ensure that when you receive Health Services from our practice, your Personal and Health Information will be handled with care by our practice. This Policy provides information to you as to:

  • what information is collected; 
  • how your Personal and Health Information is collected, held and used within the practice;
  • the circumstances in which the Personal and Health Information may be disclosed;
  • the security of your Personal and Health Information; and
  • your rights to your Personal and Health Information. 

The director and staff of Arubah Health are committed to protecting the privacy of our patients within our practice. The information that we collect from our patients, clients and/or customers is kept strictly confidential and, is considered Personal and Health Information for the primary purpose of providing a Health Service for our patients.

Arubah Health recognises that the information we collect is often of a sensitive nature and as an organisation, we have adopted the privacy compliance standards relevant to Arubah Health to ensure Personal and Health Information is protected. 

Personal Information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances. Personal Information includes names, postal and residential addresses, email addresses, mobile numbers, landline numbers, and other contact details;

Health Information is sensitive information collected for the purpose of providing a Health Service to our patients. A patient’s Health Information includes the following:

  • Medical and health information including the information of opinion about the patient’s:
    • overall physical health, including any illnesses, disabilities, or injuries; and
    • medical history, including any prescription medications, allergies, genetic information, adverse events (including adverse drug reactions), immunisations, health test results (including blood tests), social history, family history and risk factors; 
  • Medicare number for identification and claiming purposes;
  • Healthcare identifiers; 
  • Appointment and billing details; or
  • Any other personal information (such as information about an individual’s date of birth, gender, race, sexuality, or religion), collected for the purpose of providing our Health Services. 

A patient’s Personal and Health Information may be held at the practice in various forms, including:

  • paper records; 
  • electronic records;
  • visuals, for example, Blood tests, videos and photos; or
  • audio recordings.

If you do not provide our clinic with your Health Information, then we cannot assist with your health enquiry and we will not be able to provide you with our high standard of Health Services. 

1. How We Collect Personal and Health Information:

We collect Personal and Health Information from you by the methods set out below.

Practice staff will collect the patient’s personal and demographic information via registration when patients present to the clinic for the first time. Patients are encouraged to pay attention to the collection statement that they complete as a new patient.

While providing our Health Services, the practice’s healthcare practitioners will consequently collect further Personal and Health Information.

Health Information and possibly Personal Information may also be collected from the patient’s guardian or Responsible Person (where practicable and necessary) or from other involved healthcare specialists.

We may also collect your Personal and Health Information without your consent where: 

  • it is part of your family, social or medical history, and that history is necessary to provide a health service to you;

Examples may include:

  • aspects of the medical history of your family members, such as inheritable conditions;
  • information about non-family members, such as a household member with a contagious illness; or
  • information about the health of a primary carer of a disabled patient, where the patient advises that the carer is struggling with some aspects of the patient’s care due to severe arthritis.
  • the information is necessary to provide you with a Health Service and either:
  • the collection is required or authorised by or under an Australian law; or
  • it is collected in accordance with rules established by competent health and medical bodies that deal with obligations of professional confidentiality which are binding onto our clinic. 

If you are a patient that is a child or lacks physical and/or mental capacity, then Health Information about the patient can, in certain circumstances, be collected from or disclosed to a ‘Responsible Person’. A ‘Responsible Person’ for a patient includes:

  • The parent of the patient;
  • A child or sibling of the patient (who is at least 18 years old); 
  • The spouse or de facto partner of the patient;
  • The patient’s relative (if the relative is over 18 years old and part of the patient’s household); 
  • The patient’s legal guardian; 
  • A person exercising an enduring power of attorney granted by the patient that is exercisable in relation to decisions about the patient’s health; 
  • A person who has an intimate personal relationship with the patient; or
  • A person nominated by the patient to be contacted in the case of emergency.

A Responsible Person may also include step relationships, in-laws, adopted relationships, foster relationships, and half-brothers and sisters. 

If we collect your Health Information, we must notify you of the collection of your Health Information before or at the time of collection by issuing a Privacy Notice. The Privacy Notice will briefly explain what Health Information is collected, why the Health Information was collected, and how the Health Information will be handled. 

2. The Purposes for which we Collect, Hold, Use and Disclose Personal and Health Information:

We collect, hold, use or disclose your Personal and Health Information for the primary purpose of providing our Health Services and advising you in respect of your health enquiries.

Upon your expressed or implied consent, we may also collect, hold, use or disclose your Personal and Health Information for the following secondary purposes:

  • referring you onto other health specialists within the health system (where necessary);
  • administration, billing or recovery of debt for our Health Services within our clinic (in which case, disclosure of Personal and Health Information may be done between our clinic’s staff, where necessary);
  • disclosure between practitioners, or within the treating team to ensure quality and continuity of patient care within our clinic; 
  • management, funding, complaint-handling, planning, evaluation and accreditation activities, and quality assurance, incident monitoring or clinical audit activities (if you do not nominate for the de-identification of your Personal and Health Information);
  • disclosure to a medical expert (for a medico-legal opinion), insurer, medical defence organisation or lawyer, for the purpose of addressing liability indemnity arrangements (such as reporting an adverse incident), legal proceedings or for the provision of legal advice; or
  • providing direct marketing for the promotion of our clinic’s goods or services.

However, use or disclosure of your Health Information may not require your consent if:

  • it is required or authorised by an Australian law, or by an Australian court or tribunal order; 
  • it is unreasonable or impracticable to obtain consent, and we reasonably believe the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to the public health or safety;
  • it is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, provided a number of conditions are met.
  • it is necessary to do so to prevent a serious threat to the life, health or safety of a genetic relative, provided a number of conditions are met; 
  • you are a patient that lacks capacity, and you have a Responsible Person acting on your behalf, then disclosure or use to your Responsible Person will be permitted;
  • the use or disclosure of the Personal and Health Information is reasonably necessary for enforcement related activities of Australian Commonwealth, State or Territory bodies for the use or assistance in criminal and policing investigations, offences, detection, prosecution, prevention or intelligence gathering and monitoring activities. If we use or disclose the Personal and Health Information, we must prepare a written note to you to inform you that use and disclosure was made;
  • we must take appropriate action in respect of a suspected unlawful activity or serious misconduct;
  • it is for the purpose of locating a person reported as missing;
  • it is reasonably necessary for establishing, exercising or defending a legal or equitable claim; or
  • it is reasonably necessary for a confidential alternative dispute resolution process. 

We are permitted to use or disclose your Government Related Identifier (such as your Medicare Number) without your consent where use or disclosure is required where:

  • it is reasonably necessary for us to verify your identity for your activities;
  • it is reasonably necessary for us to fulfil our obligations to an agency, or a State or Territory authority;
  • it is required or authorised by or under an Australian law or a court or tribunal order;
  • in our reasonable belief, it is reasonably necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety; or
  • in our reasonable belief, it is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body.

3. Disclosure of Personal and Health Information outside of Australia

Your Health Information may be disclosed to an overseas recipient. If our clinic discloses Personal and Health Information to an overseas recipient, we must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in respect of the Personal and Health Information. Our clinic will assume responsibility for any conduct of the overseas recipient that is in breach of the Australian Privacy Principles for the Health Information disclosed to the overseas recipient. 

However, our clinic will not be held accountable for the above if:

  • we inform you that the above will not apply if you provide express consent to the disclosure of your Personal and Health Information to the overseas recipient, and you then expressly consent to the disclosure of your Personal and Health Information to the overseas recipient; 
  • we reasonably believe that the overseas recipient is subject to a law or a binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information, and there are mechanisms that you can access to take action to enforce the protection of the law or binding scheme;
  • the disclosure of the Personal and Health Information is required or authorised by or under an Australian law or a court or tribunal order; or
  • any other exception applies that is stated in Australian Privacy Principle 8, found in Schedule 1 of the Privacy Act 1988 (Cth). 

The practice holds all Personal and Health Information securely, whether in electronic format, in protected information systems or in hard copy in a secured environment. 

4. Your Right to Access, Correct or Update Your Personal and Health Information

The following will apply regarding accessing Personal and Health Information by an individual:

  • You have the right to request access to your own Personal and Health Information and request a copy or part of the whole record;
  • You have the right to obtain your Personal and Health Information in accordance with the Privacy Act 1988 (Cth) from 20 December 2001 onwards;
  • Requests must be made in writing and an acknowledgement letter will be sent to you within 14 days to confirm the request and detail whether the request can be complied with, and an indication of any costs associated with providing the information. Time spent and photocopying costs when processing a request can be passed on to the requesting patient. We will endeavour to provide you with the Personal and Health Information within 30 days of receiving the request;
  • Upon request by the patient, the information held by this clinic will be made available to another health provider.

Personal and Health Information belonging to the patient (if the patient is a child) can be requested by the patient’s parents or legal guardian. However, if the child patient has capacity to make the access request on his or her own behalf, then we may advise the child patient’s parents or legal guardian that we believe the child patient has the capacity to make that request, and thus, should be the one to make the request. 

Personal and Health Information requests can also be made by the Responsible Person on behalf of an adult patient who does not have capacity, or by a third party (i.e. an insurance company or a law practice) on behalf of the patient if the patient consents to the requested access of Personal and Health Information. However, we may refuse access to the patient’s Personal and Health Information upon reasonable belief that any of the suitable exceptions or reasons for refusing access to the patient’s Personal and Health Information as stipulated in the Privacy Act apply to that circumstance. 

All due care and reasonable steps will be taken to ensure the protection of patient privacy during the transfer, storage and use of Personal and Health Information. Retention of medical records is for a minimum of 7 years from the date of last entry into the patient record unless the patient is a child in which case the record must be kept until the patient attains the age of 25 years of age.

If the Personal and Health Information and medical records are no longer required for any purpose, the Personal and Health Information  or medical records are not contained in any Commonwealth record, and we are not required by an Australian law or court or tribunal order to retain the Personal and Health Information  or medical records, then we may take reasonable steps in destroying the Personal and Health Information  or medical records, or to ensure that the Personal and Health Information  is de-identified.  

We must ensure that the Personal and Health Information collected from the patient is accurate, up-to-date, complete and relevant.

The Director and staff of Arubah Health understands the importance of confidentiality and discretion with the way we manage and maintain the Personal and Health Information of our patients. The Practice takes complaints and concerns about the privacy of a patient’s Personal and Health Information seriously. Patients should express any privacy concerns in writing. The Practice will then attempt to resolve it in accordance with its complaint resolution process. 


All employees of Arubah Health are required to observe the obligations of confidentiality in the course of their employment and are required to sign Confidentiality Agreements.

5. Your Right to Anonymity and Pseudonymity of Your Personal and Health Information 

You have the right to de-identify yourself, or to identify yourself under a pseudonym for the purposes of using, collecting, holding or disclosing your Personal and Health Information. The option for patients to remain anonymous or to operate under a pseudonym will only be considered in situations where our health services can be offered anonymously or pseudonymously and patients are aware of the possibility to do so. 

It will not be possible for patients to be anonymous or to use a pseudonym for our Health Services if:

  • our clinic is required or authorised under an Australian law, or a court/tribunal order, to deal with patients who have identified themselves; or
  • it is not practical for our clinic to deal with unidentified patients or those using a pseudonym. 

6. Unsolicited Personal and Health Information   

Unsolicited Personal and Health Information is information which our clinic may come across by accident, or receive but have not requested. 

If we receive Unsolicited Personal and Health Information, our clinic will, within a reasonable period of time, determine whether the Privacy Act 1988 (Cth) would have allowed our clinic to collect the information. Our clinic must handle the Unsolicited Personal and Health Information under the requirements of the Privacy Act 1988 (Cth). 

If our clinic could not have collected the Unsolicited Personal and Health Information, then our clinic must destroy or de-identify the Unsolicited Personal and Health Information as soon as practicable, if it is lawful and reasonable to do so. 

7. Direct Marketing

Upon your expressed or implied consent, we are permitted to use your Personal and Health Information for the purposes of directly marketing our goods or services to you. Your Personal and Health Information includes name and contact details. 

If you do not consent to the use of your Personal and Health Information for the purposes of direct marketing, or you choose to opt out of the direct marketing, then please contact our clinic. 

8. Contact

In the instance where you are dissatisfied with the level of service provided within our clinic, we encourage you to discuss any concerns relating to the privacy of your Personal and Health Information with your practitioner. 

If you have any questions regarding our Privacy Policy, our Health Services, or any questions regarding your Personal and Health Information, you can contact our clinic by:

(i)            Email; [email protected]

(ii)           Phone; (02) 4081 1828

(iii)          Visiting our clinic; 3/63 Denison St, Hamilton East NSW 2303