[cu]health’s Privacy Policy

Version 1.1

This Privacy Policy defines our approach to the collection and use of your personal and sensitive information, collectively referred to herein as Personal Information, and outlines your options for interaction with us.

[cu]health (CUH) has specific obligations under the Privacy Act 1988 (Cth) and, to the extent applicable, various State and Territory privacy and data protection legislation in Australia, which regulate the manner in which Personal Information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal.

By providing your Personal Information to CUH you consent to CUH collecting, using, disclosing and otherwise handling that information in accordance with this Privacy Policy.

Privacy Statement

This policy aligns with current best practice and the Privacy Act 1988, which incorporates the 13 Australian Privacy Principles (APPs), and the relevant health records legislation. CUH strives to adhere to current best practice for delivering primary health care digitally, including the RACGP's Privacy and managing health information in general practice.

Personal Information

Personal information in Australia is information or an opinion, in any form and whether true or not, about an identified (or reasonably identifiable) individual. Personal information might include an individual’s name, telephone number, postal or email address. Where applicable, special provisions apply to the collection of personal information which is sensitive, including health information. Sensitive information is a type of personal information and includes information or an opinion about an individual’s race, political opinion, religious beliefs, sexual orientation, criminal record, membership of a trade union or health information. Health information is a type of sensitive information and includes information or an opinion about the health or disability of an individual, an individual’s wishes about the future provision of health services to him or her and the health services provided to an individual.

CUH deals with health and sensitive information in accordance with CUH’s general obligations [add RACGP Guidelines] to protect personal information under this Privacy Statement. Personal information and health information are referred to herein, collectively, as Personal Information.

Scope

This statement applies to how CUH collects, holds, uses, discloses and otherwise processes the Personal Information of the following groups of individuals:

  • Businesses, employers, including directors and officers who are customers or potential customers of CUH’s products and services (Clients).

  • Employees of CUH Clients who are provided a membership to receive CUH’s products and services by our Clients and are also current or potential patients of CUH and customers of CUH’s products and services in their own right (Members).

  • Current or potential Practice Partners who are customers of CUH’s products and services, including, but not limited to, using them to connect with their medical practitioner or medical clinic, and including individuals who are directors, officers, employees or otherwise engaged by entities that participate in CUH’s Practice Partner program (Practice Partners).

  • Other individuals who do not fit into any of the previous categories (Other individuals). 


Collection 

Generally, CUH collects different types of personal information from individuals, depending on which category (or categories) to which the individual belongs. For each category, this privacy statement describes in detail how CUH collects personal information, the purposes for which CUH collects personal information and the usual recipients of disclosure by CUH of personal information. Please note that it is possible that an individual may fit within more than one of the categories addressed in this privacy statement; if this is your situation, then you should carefully read all of the sections that apply to you.

CUH may collect personal information from you (in your capacity as a Member) in a variety of ways. CUH generally only collects personal information directly from the individual (unless otherwise noted in this privacy statement). We only collect Personal Information that is reasonably necessary for the purposes of providing healthcare, and take steps to ensure the information we collect is relevant to these purposes, is not excessive and does not unreasonably intrude on your personal affairs.

Prior to the commencement of services, Clients ordinarily provide CUH with the following basic personal details in strict confidence and only for the purpose of generating a welcome email for you:

  • your full name; and

  • work email. 


During the CUH onboarding process you may redirect all future email communications from CUH to an alternative or personal email address linked to your account. Should you engage with CUH’s products and services further, you will be asked by CUH to voluntarily provide CUH with further personal information during onboarding and in setting up your profile. Under applicable laws, where it is lawful and reasonable to do so, you have the right to deal with CUH on an anonymous or pseudonymous basis. Subject to the following, CUH will give individuals the option of not identifying themselves when dealing with CUH, or of using a pseudonym when dealing with CUH. However, if you choose to interact with CUH in an anonymous or pseudonymous fashion, or you do not provide CUH with personal information when requested, then CUH may be unable to provide you with the products or services that you request.


CUH generally collects personal information only when CUH specifically requests the information or when CUH takes active steps to collect that information. However, from time to time, personal information may be volunteered to CUH without CUH specifically requesting the information or without CUH taking active steps to collect the information. Further, CUH may receive unsolicited personal information when CUH requests that certain information is provided and the individual provides more information than requested. Where CUH receives unsolicited personal information, CUH will determine whether it could lawfully have collected the information had CUH sought the information. If CUH determines that it could not lawfully have collected the information, unless CUH is authorised or required by law to retain the information, then CUH will take reasonable steps to destroy or to de-identify that information.

CUH takes reasonable steps to make sure that the personal information CUH collects, uses and/or discloses is accurate, complete and up-to-date. However, the accuracy, completeness and the currency of the information CUH holds largely depends on the accuracy of the information supplied to CUH. If at any time you discover that any information held about you is inaccurate, incomplete, outdated, irrelevant or misleading, you may contact CUH’s Privacy Officers to rectify it, or as a Member modify it in your member profile. 


As a healthcare provider, CUH will reasonably collect your personal information during consultations, and this may also include the following:

  • medical history, race, sexuality or religion;

  • health goals and lifestyle factors, current prescription medication and order history;

  • appointment history, including details of the services we have provided to you;

  • notes of your symptoms, diagnoses and treatments given to you;

  • names of other healthcare professionals involved with your ongoing healthcare;

  • records and reports of any specialist appointments and diagnostic tests;

  • My Health Record, including shared health summaries, discharge summaries, imaging or pathology tests and medication history. These records may also contain personal or health-related information uploaded by other healthcare providers and may include details about your family medical history and information about your relatives.


We collect and store personal information so we can:

  • provide you with collaborative healthcare and build a medical history to better inform clinical decisions and improve your health outcomes;

  • measure improvements in your health over time;

  • provide you with reminders and support in connection with your healthcare;

  • provide you with convenient access to electronic pharmacy scripts, specialist referrals or diagnostic services without the need for an appointment, and follow up test results;

  • provide you with personalised care plans and relevant educational materials;

  • comply with our legal obligations.


CUH collects, uses and discloses personal information where it is reasonably necessary for CUH to carry out its functions and activities. In particular, CUH only collects personal information from you (in your capacity as a Client) for any one or more of the following scenarios: 


  • When you, on behalf of your organisation, express an interest in becoming a partner of CUH.

  • When CUH and you discuss arrangements in respect of you or your organisation becoming a partner of CUH.

  • In the course of pursuing the arrangements made between CUH and you or your organisation.

  • When you complete and submit your personalised response to a survey (including an online survey) conducted by or on behalf of CUH.

  • When you participate in a promotional offer or in a competition conducted by CUH.

  • When you subscribe to our newsletter or mailing list in relation to any of the products and/or services offered by CUH.

  • When you contact CUH in order to submit an inquiry or to request that CUH provides support or other services related to any product or service supplied by CUH, or when you wish to complain or dispute an invoice submitted by CUH to you or to your organisation.

  • From time to time, CUH may collect personal information from you when you interact with CUH through a third party social media service and/or when you access and interact with CUH website. Please see below the section in this privacy statement dealing with cookies for further information.

  • If you use our website and patient portal, we may collect device information assigned to your computer, such as which pages you visit and the time and date of your visit. This information is used for our internal purposes only and only in de-identified form, as demographic information such as age, gender, location, occupation or interests, which is not personal information.


CUH collects, uses and discloses personal information where it is reasonably necessary for CUH to carry out its functions and activities. In particular, CUH only collects personal information from you (in your capacity as a Practice Partner) for any one or more of the following purposes:

  • To enable CUH to provide you or your organisation with our products and services, or to arrange for your or your organisation’s participation in CUH’s bridging program to connect you with Members who happen to be pre-existing patients of you or your organisation;

  • To facilitate the creation of an account with CUH in order to enable you or your organisation to take advantage of your or your organisation’s participation in CUH’s Practice Partner Program;

  • To process transactions and to administer accounts (including by processing of invoices, bills, statements of accounts and related financial matters necessary to enable CUH to provide products and/or services to you or to your organisation or which must be paid by you or your organisation to continue your or your organisation’s participation with CUH);

  • To send invoices or statements to you or to your organisation, and to collect payments from you or your organisation;

  • To address your queries and to resolve your complaints;

  • To send you information updates, marketing materials and newsletters (unless you have notified CUH that you no longer wish to receive such marketing materials);

  • For quality assurance purposes, including to improve the quality of the products and services provided to you or to your organisation;

  • To undertake statistical collation and analysis in relation to your use of the products or services you or your organisation acquire from CUH.

Where does CUH store your personal information? 

CUH complies with all national privacy and security regulations, in particular the Australian Privacy Principles in the Privacy Act 1988 (Cth), the My Health Records Act and the My Health Records Rule 2016 (as amended from time to time).

CUH’s personal and sensitive information is securely stored in Amazon Web Services Australian data centres. CUH’s patient medical records are stored on the servers of an Australian-owned, market-leading clinical management software provider in accordance with Australian privacy law.

CUH has invested, and continues to invest, in systems and processes to ensure our privacy policies remain effective and consistent with statutory obligations over time and across any product or service updates.


How long will CUH store your personal information for? 

Australian law requires us to retain healthcare information including your medical records for seven years. CUH will continue to store and hold your personal information indefinitely, until such time as CUH no longer needs the information for any purpose for which the information may be used or disclosed under this Privacy Statement or for any other lawful purpose under applicable privacy or data protection laws or (if earlier, and subject to the next paragraph) a reasonable time after you ask CUH to delete it.


CUH uses secure methods to destroy or to permanently de-identify personal information within a reasonable time after the end of the period mentioned in the previous paragraph (unless we are required to retain by any applicable privacy or data protection laws) or if CUH determines that the personal information received is required to be destroyed or permanently de-identified in accordance with any applicable privacy or data protection laws.

Who does CUH disclose your personal information to? 

CUH only permits personal information to be accessed by authorised personnel, and CUH employees, agents and contractors are required to comply with CUH’s privacy policies and respect the confidentiality of any personal information held by CUH.

In this instance, any agent or contractor who has access to personal information CUH holds is required to protect this information in a manner that is consistent with our policy by, for example, not using the information for any purpose other than to carry out the service they are performing for CUH. CUH takes reasonable steps to develop and implement appropriate measures to safeguard the personal information CUH holds against unauthorised use or disclosure.

CUH requires that all employees and any agent or contractor engaged by CUH sign an agreement, as a precondition to their engagement, to uphold privacy laws and the values to which CUH aspires.

As a healthcare provider we take these obligations very seriously and provide privacy training to all staff during their onboarding and periodically when new laws, regulations, policies are introduced. 

You should be aware that, when using CUH’s products and services, no data transmission over the Internet can be guaranteed as completely secure. CUH does not warrant the security of any information you transmit to CUH over the internet and you do so at your own risk.

Your medical records are strictly confidential. The circumstances in which we may disclose this information are:

  • to add records to your My Health Record from time to time;

  • as required, authorised or permitted by law;

  • under a coroner’s direction or order;

  • in connection with a particular dispute, following a legal request to do so.


Website Cookies 

CUH may use cookies and web logs on its website to improve its functionality. A cookie is a small text file that our websites may place on your computer to collect information such as your Internet Protocol address, your computer’s operating system, browser type and traffic patterns, and your username or email address. You may adjust your Internet browser to disable cookies, or to inform you when one is being used. If you choose to disable cookies, you may be unable to access certain areas of our website.

Sometimes CUH’s website contains links to other websites for your convenience and information. When you access a website other than CUH’s website, you acknowledge and agree that CUH is not responsible for the privacy practices of that site. CUH does not provide any of your personal information to these sites nor does any such information automatically pass to them with the linkage. Before you disclose any personal information for that other site you should read the terms of use and privacy policy for that site. You should also be aware that the Internet is not a secure environment, and transmission of personal information over the Internet is at your own risk.

Can I access my personal information?

You have certain rights of access to, and correction of, your personal information under applicable laws, and you may in some instances be able to access the information CUH holds about you. If you would like to access your personal information, please contact a Privacy Officer, who will explain how CUH will handle your access request and whether there will be any associated fee. CUH will assume (unless you tell us otherwise) that your request for access relates to our current records about you.

A fee will not apply to making a request for access or to update your personal information. A fee may apply and be charged for providing the information to you. The fee covers the cost CUH incurs in collating, copying and providing certain information to you. CUH will only charge this fee where it is lawful for us to do so.

In some circumstances, CUH may not permit access to your personal information, or may refuse to correct your personal information, including, but not limited to, where:

  • giving access would have an unreasonable impact on the privacy of others;

  • the information relates to existing or anticipated legal proceedings and the information would not be discoverable in those proceedings;

  • giving access would be unlawful;

  • denying access is otherwise required or authorised by law; or

  • the request for access is frivolous or vexatious.


If CUH refuses to provide you with access to or correct your personal information, we will provide you with reasons for this decision in writing. In some circumstances where we correct a record, we may still require the retention of the original record.

Please note that, since CUH does not wish to interfere with the privacy of individuals, CUH reserves the right to verify your identity prior to releasing your personal information to you and/or correcting any personal information you assert is incomplete, inaccurate or outdated. Further, CUH reserves the right to redact the personal information of other individuals which may be collected and held by CUH and which would be otherwise subject to your access request.

What is a data breach?  

CUH takes reasonable steps to ensure the personal information CUH holds is secured from such risks as loss or unauthorised access, destruction, use, modification or disclosure. A data breach can occur:

  • when personal information held by us is lost or subjected to unauthorised access;

  • through events or circumstances that do or may compromise (or have compromised) the security or integrity of the CUH network, including unauthorised access to our databases;

  • through unauthorised collection, use or disclosure of health information in an individual’s My Health Record;

  • through loss or theft of laptops, mobile devices or removable storage devices;

  • when discarded hard drives or digital storage media still contain information;

  • through lost or stolen paper records;

  • through intentional and inappropriate disclosure of information by our staff;

  • when personal information is incorrectly disclosed.

How does CUH safeguard against data breach?  

  • CUH has an IT security team that monitors internal and external network traffic 24/7 and controls access to the CUH network.

  • The CUH security team conducts planned preventative maintenance on the network and uses interactive threat intelligence to produce an actionable, immediate response to potential intrusions.

  • Passwords are routinely changed.

  • Users are automatically logged out of a session after 60 minutes of inactivity.

  • Version control is used.

  • Network access control systems and 2FA are in place.

  • CUH computers are password protected and comply with CUH’s applicable security standards, including anti-virus software.

  • Staff receive routine training in privacy practices.

  • If personal information is held on paper files, it is stored in locked files on secure premises.

What does CUH do in the event of a suspected data breach? 

  • The breach is recorded in a data breach register.

  • The Privacy Officer conducts an investigation to determine the causes, and takes action to prevent or mitigate the effects of future data breaches.

  • If we consider the breach or suspected breach is a data breach under the My Health Records Act 2012, the Privacy Officer notifies the Office of the Australian Information Commissioner (OAIC) and the My Health Record system operator (Australian Digital Health Agency) of the data breach as soon as practicable after becoming aware of the data breach (or suspected breach).

What happens in the event of a data breach?

  • The breach is recorded in a data breach register.

  • The Privacy Officer conducts an investigation to determine the causes, and takes action to prevent or mitigate the effects of future data breaches.

  • The Privacy Officer notifies individuals at risk of serious harm caused by the data breach, including affected healthcare recipients, in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Amendment (Notifiable Data Breaches) Act 2017.

  • If we consider the breach or suspected breach is a data breach under the My Health Records Act 2012, the Privacy Officer notifies the Office of the Australian Information Commissioner (OAIC) and the My Health Record system operator (Australian Digital Health Agency) of the data breach as soon as practicable after becoming aware of the data breach (or suspected breach).


Security Statement  

CUH has invested in IT security systems to safeguard personal and healthcare information. Without proper protection, the risk of security incidents would increase and place strain on our IT security teams.

  • CUH has an IT security team that monitors internal and external network traffic 24/7 and controls access to the CUH network.

  • The potential security vulnerabilities from [cu]health’s workflows and processes have been addressed in CUH’s healthcare IT system and ongoing security maintenance protocols.

  • CUH has a multi-layered network architecture to specifically address the high volume of remote access points into the network, many of which will access CUH from personal/home networks and from devices with varying levels of security that are outside of our control.

  • The CUH network is intentionally designed to increase the time available to deploy defensive actions to block unauthorised activity, and to increase the likelihood of defending against an attack that bypasses the extensive hardware and software solutions and security measures in place.

  • CUH network is monitored 24/7 by expert IT professionals who remotely manage and update the system. Routine preventive maintenance is conducted to ensure antivirus and other protective software is up to date. 

  • Regular threat and risk assessments are conducted to detect security vulnerabilities and penetration testing is done prior to the implementation of new system functionality. 

  • CUH network runs a demilitarised zone (DMZ) with the hosted server acting as a neutral zone or protected space between internal networks and clinical software where sensitive personal information is stored.

  • Only SSL traffic is allowed for remote connections, which helps distinguish network activity and detect malicious and unauthorised access.

  • CUH deploys and maintains effective and reliable network security perimeter controls including firewalls that monitor and control communications at the external boundary and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services.

  • Multi-factor authentication is required prior to gaining access to sensitive information. 

  • Users must validate their security credentials against the encrypted private network, which is hosted in an Amazon Web Services Australian data centre and is only accessible through an encrypted VPN remote connection.

  • A user’s device must satisfy security requirements before the user is granted access. Security protocols check whether the device used to log in is familiar and, if it is not, generate an automatic email for the user to validate before access is granted. Every registered user must assign their personal mobile device to their account for Two-Factor Authentication (2FA). 2FA is enabled for each new session on CUH’s hosted server.

  • The user must authenticate themselves once again, with different security credentials, prior to being granted access to the clinical software, Best Practice. This is where all sensitive personal information is stored.

CUH management meets with IT on a quarterly basis to review outcomes of testing to discuss additional protections required including any changes to the operating systems and CUH platform. 

Complaints and Concerns

If you have any questions or comments about this Privacy Statement, or if you wish to complain about how CUH has handled personal information about you, please contact the Privacy Officers using the details below.

Privacy Officer

CU Health Pty Ltd

hello@cuhealth.com.au

Visit our website for other ways to contact us.

We ask that any complaint be made to us in writing in the first instance. We will then respond to your complaint in writing and in accordance with any timeframes required by law. We may request that you provide further information about your complaint so that we can duly assess it. If for any reason you do not wish to complain to us initially, or if we are unable to resolve your complaint to your satisfaction, a complaint may also be made to the Office of the Australian Information Commissioner (http://www.oaic.gov.au).

Changes to this privacy policy

We review this policy from time to time to keep it up to date. Please review this policy periodically for changes. Any revised policy will be placed on our website. 

Effective: 17 July 2021