Privacy Policy

Australian Privacy Principles (APP)

Riverina Orthopaedics (“the Company”) is committed to protecting the privacy of its patients and meeting any privacy obligation set out in the Privacy Act 1988 and the Australian Privacy Principles (APP).  

Both the APPs and APP guidelines outline the mandatory requirements of the APPs and apply to any organisations or agency the Privacy Act covers. All organisations that provide a health service and hold health information (other than in an employee record) are covered by the Privacy Act, whether or not they are a small business.

The purpose of this policy is to explain how the Company collects, handles, and uses personal information from patients. Within our practice information collected is kept confidential and used only for the medical and health care of patients.
This Policy applies to all workers including employees, contractors, and volunteers. The Company may unilaterally introduce, vary, remove or replace this policy at any time.
The APPs are the core principles which guide Australian organisations in the management of information. This is not a word-for-word transcription of the APPs. In this policy, we have edited the APPs to make them easy to read and understand. This may affect their interpretation in particular situations. If in doubt, it is best to speak with your manager seeking clarification prior to any action.
The Australian Privacy Principles are:
1.     Australian Privacy Principle 1 – open and transparent management of personal information.
2.     Australian Privacy Principle 2 – anonymity and pseudonymity.
3.     Australian Privacy Principle 3 – collection of solicited personal information.
4.     Australian Privacy Principle 4 – dealing with unsolicited personal information.
5.     Australian Privacy Principle 5 – notification of the collection of personal information.
6.     Australian Privacy Principle 6 – use or disclosure of personal information.
7.     Australian Privacy Principle 7 – direct marketing.
8.     Australian Privacy Principle 8 – cross-border disclosure of personal information.
9.     Australian Privacy Principle 9 – adoption, use or disclosure of government related identifiers.
10.  Australian Privacy Principle 10 – quality of personal information.
11.  Australian Privacy Principle 11 – security of personal information.
12.  Australian Privacy Principle 12 – access to personal information.
13.  Australian Privacy Principle 13 – correction of personal information.
Australian Privacy Principle 1 – open and transparent management of personal information

The Company must have an up-to-date policy (the APP Privacy policy) about the management of personal information. The Company must take steps as are reasonable in the circumstances to make the APP privacy policy available:
Free of charge.
In such form as is appropriate.

If a person or body requests a copy of the APP privacy policy in a particular form, the Company must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.

The Company will:
Provide a copy of this policy upon request.
The APP privacy policy will be available on the Company website.

Australian Privacy Principle 2 – anonymity and pseudonymity
Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with the Company. This does not apply if:
The Company are required or authorised by law, or court order, to deal with individuals who have identified themselves; or
It is impracticable for the Company to deal with individuals who have not identified themselves or who have used a pseudonym.
Considering the Companies need to interact with Medicare, keep accurate records, follow up with reports, provide medical reports and ensure reliable payment. It is ‘impracticable’ for the Company to deal with a patient on an anonymous basis. If patients wish to be known generally or addressed by a pseudonym, doctors shall respect this as a general right, but the Company needs to deal with patients under which they are known to Medicare.
Australian Privacy Principle 3 – collection of solicited personal information
This principle relates to information that we asked for, ‘solicited’ information.
This means we only collect such personal information (such as name, address) and sensitive information (such as health information) as is necessary to perform our functions in relation to the patient. When a doctor collects information directly from the patient during a consultation, consent is implied.
Solicited information will include:
Name, address and contact details.
Medicare and Healthcare identifiers
Medical information including medical history, medications, allergies, adverse events, social history, family history and risk factors.

Australian Privacy Principle 4 – dealing with unsolicited personal information
This principle is about personal information we did not ask for, ‘unsolicited’ information.
If the Company receives personal information and we did not solicit the information, the Company must, determine whether the Company would have been permitted to collect the information under Australian Privacy Principle 3 (collection). If so, APPs 5 to 13 will apply to that information, as if the Company had collected it under APP 3. The Company may use or disclose the personal information for the purposes of making that determination. For example, type of information the Company could have collected, a patient’s medical record transferred to our practice.
If the information could not have been collected under APP 3, the Company should first contact the person who sent it and arrange to return it. If that is not possible or practicable, the Company can destroy it. It is prudent to keep a record of what you destroy and how it came to be in the Company’s possession.  For example, if a patient sends an original copy of their mother’s will, the Company will determine that this is not the type of information we would be able to collect.
The Companies management team evaluates all unsolicited information it receives to decide if it should be kept, acted upon, or destroyed.

Australian Privacy Principle 5 – notification of the collection of personal information
A patient’s personal information may be held at the practice in various forms:
As paper records
As electronic records
As visuals i.e., x-rays, scans, videos, and photos
As audio recordings


The Company’s procedures for collecting personal information are:

The Company’s employees collect personal information via registration and consent paperwork which includes a collection, disclosure, and consent statement.
As a result of providing medical services, surgeons and clinical staff may collect additional personal information.
Personal information may also be collected from the patient’s guardian or responsible person (where practicable and necessary) or from other involved healthcare providers.

Any personal information that occurs through the website and the use of website analytics, cookies, etc. remains confidential and is not passed onto third parties.

Australian Privacy Principle 6 – use or disclosure of personal information

Personal information collected by the Company may be used or disclosed in the following instances:
For medical defense purposes or upon presentation of a subpoena to produce.
As required by law in instances of mandatory reporting.
Necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impracticable to obtain patient’s consent.
To assist in locating a missing person.
For the purpose the patient was advised during consult with the treating surgeon.
As required during the normal operation of services provided i.e. for referral to a health service provider or request for admission.
For the purpose of a confidential dispute resolution process.
Some disclosure may occur to third parties engaged by or for the Company for business purposes such as for the provision of information technology or transcription services. These third parties are required to comply with this policy and by the APPs.
The Company will not disclose personal information to any third party other than for the provisions of medical services, without full disclosure to the patient or the recipient, the reason for the information transfer and full consent from the patient, any such consent will be documented as part of the patient file.
The Company will employ all reasonable endeavours to ensure that a patient’s personal information is not disclosed without their prior consent.
Australian Privacy Principle 7 – direct marketing
Direct marketing is a form of advertising that involves directly communicating a marketing message to a potential customer, usually through mail, email etc.
The Company does not use direct marketing and no information would be disclosed for the purpose of direct marketing.
Australian Privacy Principle 8 – cross-border disclosure of personal information
This may apply where a patient is moving overseas or going overseas for medical treatment and requests the Company transfer their health record to an overseas entity. In this instance the patient should complete a ‘Request for Copy or Transfer of Medical Records’ indicating new practice location, email etc.
If the patient has indicated email delivery is preferred, the medical record will be:
password protected with patient’s full date of birth, and
saved in a PDF format

Forms completed and submitted via our website are generated using JotForm (USA company), who are governed by Health Insurance Portability and Accountability Act (HIPPA).  HIPPA complies with similar standards to that of the APPs. For further information visit  JotFrom HIPAA Compliance.pdf (


Australian Privacy Principle 9 – adoption, use or disclosure of government related identifiers
The Company must not adopt, use, or disclose Commonwealth government identifiers, such as a Medicare or Veterans Affairs number, except for the purposes for which it has specifically be assigned.
This means that we shouldn’t use a patients Medicare number or Veteran Affairs number as a means to identify the patient in our practice. The Company can however use or disclose a patients Medicare number to verify their identity with organisations such as Medicare.
Australian Privacy Principle 10 – quality of personal information

The Company will take all necessary and reasonable steps to ensure that the personal information we have collected is accurate, up-to-date, and complete.
The Company will be proactive in updating data by:
3-point identification process as part of check in e.g., date of birth, confirm address, confirm contact details.
Confirming with patients their usual general practitioner information.
Updating patient details when we are informed of changes.
If it is greater than two years since last appointment, requesting a patient confirm/update information via our registration and consent form.

Australian Privacy Principle 11 – security of personal information
All due care will be taken to ensure the protection of patient privacy during the transfer, storage, and use of personal information.

Retention of medical records is for a minimum of seven (07) years from the date of last entry into the patient record unless the patient is a child in which case the record must be kept until the patient attains the age of 25 years.

Any notes or document containing identifiable health or personal information are safely disposed of daily into security shredding bins accessed only by the Company employees.

De-identifying data APP 11 also allows for ‘de-identification’ of data held by the Company. Occasionally we may be required, or consider it beneficial, to provide certain data to agencies such as government agencies or research organisations. This is usually for research or statistical purposes.

What is de-identification? Personal information is ‘de-identified’ if the information is no longer about an identifiable individual. For example, the Company may provide information on the number of female and male patients we have, but without providing the details of any individual. In this simple example no personal information or sensitive information is disclosed. No privacy law is breached.

De-identification involves removing or altering information that identifies an individual or is reasonably likely to identify an individual.  The Company will not provide any information for research or statistical purposes that could be used to identify a patient. If personal or sensitive information is required as part of research, the Company will seek individual patient consent to participate, and this will be recorded within the patients’ medical record.

Australian Privacy Principle 12 – access to personal information

The Company provides the following guideline for accessing personal and private medical information by an individual:
An individual has the right to request access to their own personal information and request a full or partial copy of the record.
Individuals have the right to obtain their personal information through our “Patient Request for Copy or Transfer of Medical Records” form. Our practice will respond within 14 days confirming the request and detailing whether the request can be complied with. An invoice for any costs associated with providing a copy, transferring a copy, or accessing your records will be issued. Information can be expected to be provided following payment of the provision invoice; the full process can be expected to take up to 30 days.
Whist the individual is not required to give a reason for obtaining the information, a patient may be asked to clarify the scope of the request.
In some instances, the request to obtain information may be denied, in these instances the patient will be advised.
Upon request by the patient, the information held by this practice will be made available to another health provider.

The Company, wherever practicable, will provide access to medical information in the form it has been asked for. This means as we are a paperless practice if the patient does not have computer access, then the file will have to be printed.

To protect the rights of a child’s privacy, access to a child’s medical information may at times be restricted for parents and guardians. Required documentation for such a request is detailed in our practice “Patient Request for Copy or Transfer of Medical Records” form. Release of information may be referred to the treating Surgeon where their professional judgement and the law will be applied.

Australian Privacy Principle 13 – correction of personal information
The Company must ensure that information it holds on record is correct. Patients can request it to be corrected. If the Company refuse, it will provide the reasons why via formal letter, and allow the patient to ‘associate’ – or add to their record a statement that the information is incorrect.
Patients should make such requests in writing to the Chief Operations Officer (COO).

The management of Riverina Orthopaedics recognises the importance of confidentiality and discretion with the way we manage and maintain the personal information of our patients. The Company takes complaints and concerns about the privacy of patient’s personal information seriously. Patients should convey any privacy concerns in writing.

[email protected]
ATT: Management Team

A response will be given within 30 days of receipt of email.
Riverina Orthopaedics
ATT: Management Team
PO Box 6008

A response will be given in within 30 days of receiving written correspondence.
All employees of Riverina Orthopaedics are required to observe the obligations of confidentiality in the course of their employment and are required to sign Confidentiality Agreements.

If your complaint or concern has not been resolved to your level of satisfaction, there are alternative options available to direct your complaint to:
Office of the Australian Information Commissioner (OAIC), for further information visit or call the OAIC 1300 363 992
The Medical Registration Board (AHPRA), for further information visit
Australian Medical Association, for further information visit
Health Care Complaints Commission, for further information visit